Russian cybercriminals are almost untouchable. For years, hackers based in the country have launched devastating ransomware attacks against hospitals, critical infrastructure and businesses, causing billions in losses. But they are beyond the reach of Western authorities and largely ignored by Russian authorities. When police take criminals’ servers and websites offline, the hackers are often back in operation within weeks.
Now researchers are increasingly adding a new dimension to their disruption playbook: messing with the minds of cybercriminals. To put it bluntly, they are trolling hackers.
In recent months, Western law enforcement officials have turned to psychological measures as an additional way to curb Russian hackers and get to the heart of the broader cybercrime ecosystem. These nascent psychological operations include efforts to erode the limited trust that criminals have in each other, driving subtle wedges between hackers’ fragile egos, and sending criminals personalized messages that show they are being watched.
“We’ll never get to the core of these organized criminal gangs, but if we can minimize the impact they have by reducing their ability to scale, then that’s a good thing,” says Don Smith, vice president of threat research at security company Secureworks. “All these little things, which in themselves may not be a fatal blow, add friction,” he says. “You can look for cracks, amplify them and create more discord and mistrust to stop what the bad guys are doing.”
Take Operation Cronos as an example. In February, a global law enforcement operation, led by the UK’s National Crime Agency (NCA), infiltrated the LockBit ransomware group, which authorities say has extorted more than $500 million from victims, and disconnected its systems. NCA investigators redesigned the LockBit leak website, where it posted its victims’ stolen data, and used the site to publish LockBit’s internal workings.
To demonstrate the control and data they had, law enforcement released images of LockBit’s management system and internal conversations. Investigators also released the usernames and login details of 194 LockBit “affiliate” members. This was expanded in May to include members’ last names.
The police operation also prompted “LockBitSupp”, the mastermind behind the group, to come forward and say they had been “involved” with authorities. Russian national Dmitry Yuryevich Khoroshev was charged with running LockBit in May, after a multi-day countdown clock was posted on LockBit’s seized website, along with bold graphics naming him as the group’s organizer.
“LockBit prided itself on its brand and its anonymity, valuing these things above anything else,” says Paul Foster, director of threat leadership at the NCA. “Our operation has shattered that anonymity and completely undermined the brand, driving cybercriminals away from using its services.” The NCA says it carefully considered the operation, and its efforts to rebuild the LockBit site led to the group being widely mocked online and its brand becoming “toxic” to cybercriminals who had worked with it.
“We recognized that a technical disruption in isolation would not necessarily destroy LockBit, therefore our additional infiltration and control, along with arrests and sanctions in partnership with our international partners, has enhanced our impact on LockBit and created a platform for further police actions in the future,” says Foster.