Why Russia Imprisoned a Security Officer for Taking Cybercriminal Payoffs
Russia imprisoned an FSB officer for taking bribes from cybercriminals—showing just how much the Kremlin wants to maintain its cybercrime protection racket.
Earlier this year, a Russian court imprisoned a former counterintelligence official, who worked on cyber issues in the Federal Security Service (FSB), for accepting a $1.7 million bribe to shield cybercriminals from prosecution. This article, drawn from a recent analysis I published with the Atlantic Council, looks at what happened — and what it means for those looking to understand Russia’s highly complex, fairly opaque, and ever-evolving cyber ecosystem. Brought to you by Global Cyber Strategies, a Washington, DC-based research and advisory firm.
The One-Liner
Rather than serving as a demonstration of the Kremlin’s potential newfound desire to crack down on hackers, this rare case shows something different: If you are going to run a protection racket for cybercriminals in Russia, you should keep your promises and watch your back.
What Russia Did
As I wrote recently in an analysis published at the Atlantic Council’s Cyber Statecraft Initiative, where I am a nonresident senior fellow:
In February 2022, the Ministry of Internal Affairs’ (MVD’s) Department K—which focuses on computer crimes—arrested six hackers in Perm, Russia, for selling stolen payment card data online. The MVD runs local police forces across Russia, among other functions, and operates separately from the FSB, one of Russia’s largest and most powerful security organs, which works on everything from counterterrorism to counterintelligence and border security. It was not long before those MVD investigators learned that the arrested hackers had been paying off Grigory Tsaregorodtsev, an FSB officer running a counterintelligence department, who had discovered their activities in 2016 and approached them for a bribe.
In late April of this year, a Russian court sentenced Tsaregorodtsev to nine years in prison for taking payments from the hackers, who stole US bank cardholders’ data. The court also fined Tsaregorodtsev 320 million rubles (about $3.5 million), confiscated his property, and stripped him of his military rank of major. It further banned him from serving in government positions for eight years after his release. Ironically, his defense attorneys argued his crime was not accepting bribes, but fraud—after all, he clearly did not deliver on his promise of protection. This defense mattered for how the court determined his criminal liability (e.g., his agreement with the hackers). Presenting such an argument in a court also underscored the normalcy, and, in fact, the permissibility of Russian state security officers taking bribes from cybercriminals, a “tax” of sorts, to turn a blind eye.
It may be tempting, as many in the West often do, to misconstrue this incident as indicative of Moscow’s gradual steps towards cracking down on cybercrime emanating from within its borders. Yet, that misses how Russia’s cyber web works.
Within this ecosystem (and Russian criminal enterprise and state corruption more broadly), there is an unspoken “social contract” between the Kremlin and hackers. It generally has three components: 1) focus mainly on foreign targets, 2) do not undermine the Kremlin’s geopolitical objectives, and 3) be responsive to Russian government requests. For example, following its first court case, the REvil ransomware updated its malware code to avoid Russian-language computers (most Russian malware is engineered in this fashion to avoid damaging domestic systems). Hence, when some part of the Russian state brings the hammer down on a cybercriminal, it has less to do with the criminal activity itself and more to do with the targets, the effects, and the actors’ place in the wider ecosystem.
Why the Arrest?
It still remains murky — as I explain in greater detail in the analysis — because when the Russian government goes after cybercriminals and their handlers in Russia, it’s typically associated with hackers stealing from Russians, targeting Russian systems, or crossing some Kremlin line in their domestic or overseas activities. But the reasons to arrest the cybercriminals are distinct from the reasons to arrest their FSB friend.
This is why it is more useful to concentrate on the protection racket itself. Tsaregorodtsev had expensive cars, real estate, 100 gold bars, and other assets as a result of the hackers’ money. For him, the benefit of the scheme is clear. But when the MVD decided to arrest the six hackers and shut down their major credit card forums, Tsaregorodtsev did not deliver on the protection they had paid for in gold (and much more). In fact, from their view, the protection probably failed the moment the arrests were even made. So, the hackers ratted out Tsaregorodtsev to the MVD and an FSB officer’s activities became part of the investigation. Regardless of how exactly the hackers turned on Tsaregorodtsev, it is plausible that the FSB then had to make a difficult decision: Go to bat for its man against another security agency or let him fall.
While he was an officer in the FSB, Tsaregorodtsev was also only a single person working on cybercrimes in one far-flung Russian city, taking money on the side with seemingly no connection to a higher-level political objective, such as planting malware overseas or spying on valuable foreign targets. He was also seemingly not close to power, unlike Evil Corp head Maksim Yakubets, who is the son-in-law of an influential former FSB official who protected him against prosecution. Here, the FSB fighting for Tsaregorodtsev to walk away (whether he ultimately did or not) could put the FSB’s own protection schemes at risk. If he took money from cybercriminals and did nothing to protect them when arrested, with no consequences, other cybercriminals might hear a different tune from the FSB: We sell you on protection, but if someone else arrests you, good luck. That could disrupt the FSB’s dynamics with cybercriminals, which are complex, evolving, and certainly not top-down.
All told, as I conclude the analysis:
A better interpretation, amid the many unknowns about this still opaque ecosystem, is that Russian state security officers engaging with cybercriminal groups, whether as hired hackers or taking a cut of their earnings, have no guarantees of protection. If caught, their fate may depend on anything from their familial connections to their operational objectives or the luck of the draw on interagency rivalries. Every now and then, those accepting cybercrime bribes might still find themselves in handcuffs.
© 2024 Global Cyber Strategies LLC.