Russia finally bites the cybercrooks it raised, arresting suspected Meduza infostealer devs
Russia’s Interior Ministry says police have arrested three suspects it believes helped build and spread the Meduza infostealer.
A statement issued by spokesperson Irina Volk via the Ministry’s Telegram channel on Thursday included video footage of all three arrests of men described as “young IT specialists” who are alleged to have helped create, distribute, and deploy the malware.
Multiple armed officers carried out the arrests, all of which involved breaking down the doors of the alleged cybercriminals’ residences using tools such as crowbars and sledgehammers.
The three suspects, who were not named, were said to have begun work on Meduza around two years ago, which aligns with reports from Western security shops like Splunk, which first identified it in 2023.
All three were arrested in Moscow and the wider Moscow region by the Rosgvardiya (National Guard), which also seized their devices, bank cards, and other miscellaneous items believed to hold evidential value, Volk stated.
“As a result of operational and investigative actions, it was established that the detainees also developed and distributed another type of malicious software,” she added (machine translated from Russian).
“It is designed to neutralize computer information protection tools and create botnets – networks of infected computers that are used for large-scale cyberattacks.”
The Ministry didn’t go into much detail about the reasons why the trio was only arrested now, but its statement mentioned an attack on an organization in Russia’s Astrakhan region (which borders Kazakhstan) as being relevant to the case.
Officially, cybercrime is not legal in Russia, although many of the commercially successful groups and individuals reside there. The general rule is that local police won’t bother you unless you start targeting Russians.
“Technically cybercrime is illegal in Russia, but there is a longstanding understanding that as long as hackers do not target entities in Russia or the Commonwealth of Independent States, they can get away with it,” Stephen Robinson, senior threat intelligence analyst at WithSecure, told The Register last year after Russia arrested Mikhail Matveev.
A recent report from Recorded Future also concluded that cybercrime in Russia is changing, with the state’s relationship with cybercriminals evolving since 2023 “from passive tolerance to active management.”
The researchers said they suspect cybercrime groups are paying the state for protection, and are also obliged to support the Kremlin in its own missions, either by carrying out attacks or by handing over data.
“This reciprocal arrangement creates a conditional ‘safe haven’ that tightens or loosens depending on political cost, external pressure, and the threat actor’s ongoing usefulness,” the report stated.
“If the threat actor becomes too significant or does not provide enough support, security services will leverage their legitimate powers to target or harass the victim with their legitimate policing powers. Such episodic enforcement is best read as governance of the market, not its eradication.”
The researchers also said there is an important distinction to be made between types of cybercrime and how permissive the authorities are toward them.
Whereas ransomware groups, for example, can offer services ranging from data brokerage to full-scale cyberattacks, operators of money-movement platforms such as Cryptex are not always able to offer the state the same value in exchange for their protection.
Taking REvil and Cryptex as examples of these two types of cybercrime groups, both of which have led to arrests within Russia, the resulting punishments have been far greater for those involved in financial operations.
The report says that after the monetization service Cryptex and related platforms were targeted under Operation Endgame, Russian authorities announced the arrest of nearly 100 individuals. By contrast, for cybercrims in REvil operating from Russia, some cases resulted in suspended sentences, signalling a notably softer domestic enforcement outcome.
Recorded Future reported: “In short, the timeline of Russian enforcement following Operation Endgame highlights where Russian threat actors prioritized their resources in response to counter-ransomware efforts.
“Crackdowns on Cryptex or UAPS and pressure on hosting providers like Aeza demonstrate a willingness to act where domestic optics or Western scrutiny are high, while lenient or performative outcomes (for example, suspended sentences for REvil threat actors) and the continued prominence of Conti and Trickbot alumni reveal where the covenant still holds. This is why documenting both public actions and rumored, unpublicized arrests matters.” ®