Take the Bribe but Watch Your Back: Why Russia Imprisoned a Security Officer for Taking Cybercriminal Payoffs
Russia imprisoned a security service officer for taking bribes from cybercriminals—showing not a willingness to crack down on cybercrime, but instead just how much the Kremlin wants to maintain its cybercrime protection racket.
Earlier this year, a Russian court imprisoned a former counterintelligence official, who worked on cyber issues in the Federal Security Service (FSB), for accepting a $1.7 million bribe to shield cybercriminals from prosecution. But rather than serving as a demonstration of the Kremlin’s potential newfound desire to crack down on hackers, this rare case shows something different: If you are going to run a protection racket for cybercriminals in Russia, you should keep your promises and watch your back.
In February 2022, the Ministry of Internal Affairs’ (MVD’s) Department K—which focuses on computer crimes—arrested six hackers in Perm, Russia, for selling stolen payment card data online. The MVD runs local police forces across Russia, among other functions, and operates separately from the FSB, one of Russia’s largest and most powerful security organs, which works on everything from counterterrorism to counterintelligence and border security. It was not long before those MVD investigators learned that the arrested hackers had been paying off Grigory Tsaregorodtsev, an FSB officer running a counterintelligence department, after he discovered their activities in 2016 and approached them for a bribe.
In late April of this year, a Russian court sentenced Tsaregorodtsev to nine years in prison for taking payments from the hackers, who stole US bank cardholders’ data. The court also ruled that Tsaregorodtsev must pay a fine of 320 million rubles (about $3.5 million), confiscated his property, and stripped him of his military rank of major. The court also banned him from serving in government positions for eight years after his release. Ironically, his defense attorneys argued his crime was not accepting bribes, but fraud—after all, he clearly did not deliver on his promise of protection. This defense mattered for how the court determined his criminal liability (e.g., his agreement with the hackers). Presenting such an argument in court also underscored the normalcy, and, in fact, the permissibility of Russian state security officers taking bribes from cybercriminals, a “tax” of sorts, to turn a blind eye.
Viewed against Russia’s arrests of other criminal hackers, such as the reported “shutdown” of ransomware group “REvil” in January 2022 (which was wildly overhyped in Western media), this incident could be misconstrued as Moscow’s gradual steps towards cracking down on cybercrime emanating from within its borders. Yet, this misses some crucial details about Russia’s cyber ecosystem and how state officials work with hackers. It would be wrong to extrapolate from this case that the Russian state possesses a new desire to seriously crack down on cybercrime and a willingness to prosecute, rather than co-opt or tax, cybercriminals that come onto its radar. Instead of focusing on the fact that a state officer took bribes, the wider takeaway from this case should be centered on the protection racket itself and Moscow’s interest in upholding the krysha, or roof, for criminal hackers.
Russia’s cybercriminal ecosystem exploded in the 1990s due to a lack of laws and enforcement, limited economic opportunities, and “highly educated and technologically empowered segments of [the] population with the capability to conduct sophisticated criminal operations.” Cybercriminals evolved from software piracy to bank hacking and credential theft, and today, they comprise a key element of what makes Russia a global cyber power. Criminal hackers bring money into Russia—by one count, seventy-four percent of global ransomware revenue in 2021 went to Russia-linked hackers—and also provide the state a rich pool of talent for under-the-table, plausibly deniable, or clearly state-condoned-if-not-coordinated cyber operations against foreign targets. For instance, in the late 2000s, the FSB reportedly contacted an individual tied to a patriotic hacker website in an attempt to establish a cooperative relationship; in 2017, the US Justice Department charged two FSB officers for paying criminal hackers to break into Yahoo and millions of email accounts. More recently, examples range from the leader of the criminal group Evil Corp working for the FSB and pursuing a Russian government security clearance to the FSB and Russia’s Foreign Intelligence Service (SVR) working with a ransomware group to reportedly target US government-affiliated organizations. While it is easy to imagine top-down orchestration, this discounts the often entrepreneurial, bottom-up, and patronage-seeking motives of the cybercriminal ecosystem in Russia.
Within this ecosystem (and Russian criminal enterprise and state corruption more broadly), there is an unspoken “social contract” between the Kremlin and hackers. It generally has three components: 1) focus mainly on foreign targets, 2) do not undermine the Kremlin’s geopolitical objectives, and 3) be responsive to Russian government requests. For example, following its first court case, the REvil ransomware updated its malware code to avoid Russian-language computers (most Russian malware is engineered in this fashion to avoid damaging domestic systems). Hence, when some part of the Russian state brings the hammer down on a cybercriminal, it has less to do with the criminal activity itself and more to do with the targets, the effects, and the actors’ place in the wider ecosystem.
This is what makes the sentencing of the FSB’s Tsaregorodtsev so curious. In most of the (rare) publicly reported instances of Russian authorities arresting cybercriminals, the hackers involved had either stolen from or targeted Russian citizens. In this case, however, the six hackers arrested in Perm in 2022 were running the large credit card shops Trump’s Dumps, Sky-Fraud, and Ferum Shop, which sold data stolen from US residents.
Stas Alforov, a cybersecurity and fraud expert, noted the strangeness of the MVD going after criminals that were selling foreigners’ data: “It’s not in their business to be taking down Russian [credit] card shops. Unless those shops were somehow selling data on Russian cardholders, which they weren’t.” Later on, the Record reported that “among the customers were primarily Russian citizens seeking to conceal purchases from financial regulators.” Generally, though, the initial arrests do not appear to have been caused by Russians scamming other Russians or cybercriminals defrauding Russian banks.
It is very difficult to know what exactly happened in this case. Perhaps the US government negotiated with Moscow to take down the group—the US government contacted Russian law enforcement about the card scheme and may have done the same for a case against the Russian administrator of the UniCC card forum, who was also wanted by the Federal Bureau of Investigation.
Perhaps instead the MVD was driven to act because Russians were hiding purchases and evading financial regulators. Or maybe the Kremlin wanted to handcuff small-time criminals to promote the propaganda line that it opposes criminal hacking. Yet, all of these would go further toward explaining the hackers’ arrest and sentencing than they do toward explaining that of a corrupt FSB officer.
In any case, Tsaregorodtsev’s downfall was not a foregone conclusion, as Russian authorities have previously arrested cybercriminals while protecting their FSB handlers. In 2022, the Russian government imprisoned twenty-one hackers in the group Lurk after one of the hackers published materials online—which quickly vanished—showing that the FSB had recruited the hackers to break into the systems of the US Democratic Party. The cybercriminals went down, but the FSB officers supposedly involved did not go down with them, at least publicly; authorities made zero mention of the FSB or of investigating the allegations. Going back to the Kremlin’s “social contract” with hackers, there was plenty of reason for this outcome: the cybercriminals were focused on foreign targets; an operation of that kind (targeting the US Democratic Party) would have received higher-up approval (Putin himself authorized the 2016 US influence operations); and the Kremlin would not have wanted to lend credence to the criminal’s allegations by unveiling an FSB-hacker relationship.
This is why it is more useful to concentrate on the protection racket itself. Tsaregorodtsev had expensive cars, real estate, 100 gold bars, and other assets as a result of the hackers’ money. For him, the benefit of the scheme is clear. But when the MVD decided to arrest the six hackers and shut down their major credit card forums, Tsaregorodtsev did not deliver on the protection they had paid for in gold (and much more). In fact, from their view, the protection probably failed the moment the arrests were made. So, the hackers ratted out Tsaregorodtsev to the MVD, and an FSB officer’s activities became part of the investigation. Regardless of how exactly the hackers turned on Tsaregorodtsev, it is plausible that the FSB then had to make a difficult decision: go to bat for its man against another security agency or let him fall.
While he was an officer in the FSB, Tsaregorodtsev was also only a single person working on cybercrimes in one far-flung Russian city, taking money on the side with seemingly no connection to a higher-level political objective, such as planting malware overseas or spying on valuable foreign targets. He was also seemingly not close to power, unlike Evil Corp head Maksim Yakubets, who is the son-in-law of an influential former FSB official who protected him against prosecution. Here, the FSB fighting for Tsaregorodtsev to walk away (whether he ultimately did or not) could put the FSB’s own protection schemes at risk. If he took money from cybercriminals and did nothing to protect them when arrested, with no consequences, other cybercriminals might hear a different tune from the FSB: We sell you on protection, but if someone else arrests you, good luck. That could disrupt the FSB’s dynamics with cybercriminals, which are complex, evolving, and certainly not top-down.
Moscow’s arrests of hackers are few and far between—and the list of public examples gets even shorter when a state security officer goes down with the cybercriminals and, rather than getting released after a performative detention, is sentenced to prison. But taking this as a sign of some higher Kremlin interest in cracking down on criminal hacking or state corruption would be a mistake.
A better interpretation, amid the many unknowns about this still opaque ecosystem, is that Russian state security officers engaging with cybercriminal groups, whether as hired hackers or taking a cut of their earnings, have no guarantees of protection. If caught, their fate may depend on anything from their familial connections to their operational objectives or the luck of the draw on interagency rivalries. Every now and then, those accepting cybercrime bribes might still find themselves in handcuffs.
Justin Sherman is the founder and CEO of Global Cyber Strategies, a Washington, DC-based research and advisory firm, and a nonresident senior fellow at the Atlantic Council’s Cyber Statecraft Initiative.
The Atlantic Council’s Cyber Statecraft Initiative, under the Digital Forensic Research Lab (DFRLab), works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.