On 23 October 2025, Recorded Future assessed that Russia has shifted from a largely permissive “safe haven” model for cybercriminals to a managed cybercrime ecosystem. This evolution reflects a strategy of controlled impunity, where Kremlin authorities selectively tolerate, leverage, or regulate cybercriminal actors based on intelligence value, geopolitical utility, and risk of international pressure. State-linked or state-aligned operators remain insulated, while lower-tier enablers, money-laundering intermediaries, and infrastructure providers have faced increased arrests, disruption, and publicity-driven crackdowns. The report notes growing mistrust inside the criminal underground, leading to closed recruitment, collateral requirements, affiliate vetting, and frequent rebranding. Ransomware activity remains steady, with hundreds of new variants emerging as operators fragment and adapt to law-enforcement pressure. Western counter-ransomware operations, sanctions, payment restrictions, and coordinated takedowns continue to raise operational risk and cost for Russia-based cybercriminal groups.
Analysis: Russia’s cyber ecosystem is entering a state-directed equilibrium where criminal capability remains accessible to the government while the Kremlin applies selective enforcement to maintain plausible deniability and political signaling. This model resembles a regulated illicit market as opposed to a laissez-faire sanctuary. Expect continued fragmentation, OPSEC tightening, and increased friction in monetization pipelines, but not any meaningful reduction in Russian-nexus cyber operations. Western pressure is reshaping incentives without removing cybercrime’s value as an instrument of state power. Network defenders should prioritize disruption of enabling services and financial channels, not anticipate Russian law enforcement to meaningfully degrade core ransomware operators.
The Security Brief 