Russian cybercriminals are virtually untouchable. For years, hackers based in the country have launched devastating ransomware attacks on hospitals, critical infrastructure, and companies, causing billions in losses. But they are beyond the reach of Western law enforcement and largely ignored by Russian authorities. When the police take the criminals' servers and websites offline, they are often back hacking within weeks.
Now researchers are increasingly adding a new dimension to their disruption playbook: messing with the minds of cybercriminals. To put it bluntly, they are trolling the hackers.
In recent months, Western law enforcement officials have turned to psychological measures as an additional way to slow down Russian hackers and penetrate the core of the vast cybercrime ecosystem. These emerging psyops include attempts to erode the limited trust criminals have in each other, driving subtle wedges between fragile hacker egos and sending personalized messages to offenders that indicate they are being watched.
“We'll never get to the core of these organized crime groups, but if we can minimize the impact they have by reducing their scalability, then that's a good thing,” said Don Smith, vice president of threat research at security firm Secureworks. “All these little things, which in themselves may not be a killing blow, all create friction,” he says. “You can look for cracks, widen them and create even more discord and distrust so that it slows down what the bad guys are doing.”
Take Operation Cronos. In February, a global law enforcement operation, led by the UK's National Crime Agency (NCA), infiltrated the LockBit ransomware group, which authorities say extorted more than $500 million from victims, and took its systems offline. NCA investigators redesigned LockBit's leak website, where it published its victims' stolen data, and used the site to publish LockBit's inner workings.
To demonstrate the control and data they had, law enforcement officials published images of LockBit's administration system and internal conversations. Researchers also have the usernames and login details of 194 LockBit “affiliate” members. In May, this was expanded to include the surnames of the members.
The police operation also teased the revelation of 'LockBitSupp', the mastermind behind the group, saying they were 'involved' in law enforcement. Russian citizen Dmitry Yuryevich Khoroshev was accused of running LockBit in May, after a multi-day countdown clock was published on the seized LockBit website along with bold images naming him as the group's organizer.
“LockBit took pride in its brand and anonymity and valued these things above all else,” said Paul Foster, Director of Threat Leadership at the NCA. “Our operation has broken that anonymity and completely undermined the brand, deterring cybercriminals from using their services.” The NCA said it had carefully considered the operation, with efforts to rebuild LockBit's site leading to the group being widely mocked online and the brand becoming “toxic” to cybercriminals who had worked with it.
“We recognized that a technical disruption in itself would not necessarily destroy LockBit. Therefore, our additional infiltration and surveillance, in addition to arrests and sanctions in collaboration with our international partners, has increased our impact on LockBit and created a platform for more law enforcement actions in the future,” said Foster.