Where The Web Thugs Are: Inside Russia's Cyber Underworld

The Russian hacking community is as ambigious as the country itself: admired and feared, all at once. A reformed hacker takes us into the bowels of the criminal Deep Web.

Russian gamers at a Kaspersky-sponsored event
Russian gamers at a Kaspersky-sponsored event
Mehdi Atmani

MOSCOW — Whether an organized crime expert or a solitary con man, an intelligence services agent or the Kremlin's cyber soldier, Russian hackers are often at the heart of Internet fantasies. An ambiguous and protean figure, the hacker has as many faces as Russia itself. The country, from which many of these nefarious crimes originate and where Edward Snowden remains in asylum, is both a nation of cyber censors and IT experts. Welcome to Russia's Internet underworld.

The 28-year-old hacker I'm interviewing establishes the rules of the game. He won't give his name — only his pseudonym, "X311" — and won't answer all of my questions. "If I reveal too much, it could go badly for me," he says. A strong code of silence prevails in the Russian hacking world. It took me recommendations from about 10 mutual acquaintances for "X311" to finally agree to speak to me.

After a long and perilous hunt, his conditions are finally mine. Our interview takes place online, in the middle of the night in Moscow, and on an Internet Relay Chat — one of many online communications protocols. Our exchanges are protected by the cryptography protocol Off-the-Record Messaging (OTR). This is the essential prerequisite to our conversation, and the token of his trust.

"X311" writes in unusual but decent French. The hacker found refuge in France when his "personal situation became way too dangerous" for him to stay one more week in Russia, he says. He agrees to unveil some aspects of his country's cybernetic underworld, only because he's now joined "the white side of the force." In the hacker community, people are clearly divided in five different color groups.

The deep web's golden era

First off, there are the "black hats" — hackers driven by profit and the desire to wrong the market's actors. These are criminals who are either isolated or organized in mafia. On the opposite end are the "white hats," the cyberspace avengers who track down pirates and those threatening their interests — "the grey hats." Then come the "blue hats," who specialize in Windows hacking, and the "red hats," experts in the UNIX operating system.

None of them ever says what color group they identify with. "A real hacker never discloses he's one," X311 says. Our man did, out of choice and necessity.

The Moscovite was a 15-year-old high school student when he first entered the "black hat" Russian underworld. He studied programming in Moscow and developed secured software during his spare time. "Back then, you had to find mentors to learn and practice," he says. X311 found these code masters — with questionable ethics — on IRC chats. These are all solitary and experienced souls, navigating the deep web.

Up to 90% of online content slips through the pages of classic search engines. This is what we call "the deep web," the submerged part of the digital iceberg where the "black hats" hide and thrive. These hackers buy, sell and trade sensitive data — debit cards, confidential information, hacking programs. They do so via the Tor network (an acronym for The Onion Router), which provides them with secured protection of information.

Quickly, X311 built a solid reputation, earning respect among other hackers. "I was young, experienced, I was a good worker," he says via chat. Trading data and sensitive information with another "black hat" just for the love of risk, he quickly became an expert in "cracking" and "phreaking." These practices consist of breaking into security safeguards to hack debit cards, or phones.

"Back then, it was heaven," the hacker says. "There wasn't as much security on debit cards or on logins." He could easily hack into news websites or user accounts of large hosting service providers. Apart from the "American and European banks," things were easy for young hackers like him.

"When I saw a growing interest for the competition of this data, I started selling it," he acknowledges. But he won't say for how much. "A hacker has power through the data he owns, not for the money he earns."

So, how do they work?

The notion of Russian hackers is that they are unattainable — feared, admired and hunted. An immersion into the deep web dispels these clichés. Let's start by talking about how young these hackers are. Hackers younger than 25 gravitate to Saint Petersburg and its universities.

The area is the most dense "black hat" community in the country. "They tend to be pushed toward the city because of a shortage of legal job opportunities," says Sergueyv Vishnyakov, a 24-year-old information security researcher at a Russian bank. He is an expert of the "black hats." He is featured as an "hacktivist" on a website that hosts the largest database of IT flaws and weaknesses to date.

A Kaspersky training course — Photo: Questar

In Moscow, these cowboys of the web are lured by money. The majority of them earn more than 17,000 rubles a month — about $550. "The best hackers earn 10 times more," adds Vishnyakov, "but they only represent about 1% of the Russian "black hats." And the game is definitely worth it: Russian laws aren't deterrent enough to scare these hackers.

To find out how they operate, we head to the Moscow area headquarters of security company Kaspersky. The firm competes with U.S. companies such as Symantec and McAfee fighting cyber crime. Inside the headquarters, elite teams relentlessly battle new IT attacks. More than 315,000 are registered every day, coming from and targeting Russia.

Russia has the dubious distinction of ranking No. 3 globally in generating cyber attacks, after China and Brazil. Aleks Goltsev, a 37-year-old Ukrainian, heads the company's security unit, and with the help of international police forces, he investigates the Russian "black hat" underworld and tracks down its members.

Each country, he says, has its own specialty. "The Chinese hack online gaming platforms," he says. Brazilians take care of online banking websites," Goltsev explains. The Russians, on the other hand, are the pioneers. They develop most of the hacking technologies then sell to other countries," he adds.

Cybercrime in Russia is built around small groups, themselves made up of about 10 hackers whose tasks are clearly defined. Two developers design the spy software, and then try to sell it on IRC forums. The market runs on two economic models. "They either sell the entire program for $10,000, or rent it weekly," Goltsev says. Some clients are Russian, but most of them are foreign — Chinese and Thai.

Russia's ambivalent stance

With the conflict in eastern Ukraine, Goltsev has become even busier. Russia and Ukraine are engaged in an intense data cyber war. The security expert is convinced that denial-of-service (DOS) attacks, which aim at taking down Internet servers, come from "Russian and Ukrainian patriots."

They could also originate from the Russian government. Back in 2007 and 2008, Estonia and Georgia, then in conflict with the Kremlin, were given the same treatment from Moscow as Ukraine is today.

This is what makes Moscow so ambiguous about cyber defense and security matters. The country, known for training the best IT experts, granted asylum to Edward Snowden, a former computer engineer who disclosed revelations about the U.S. spying program. At the same time, Russia stands among the most Internet-censoring countries around the world.

The Kremlin recruits its Internet soldiers in the Siberian city of Novosibirsk. Not far from there, authorities established a scientific city named the "Silicon Taiga" in 1957.

Russia has an impressive and feared cyber army. The GRU, the Main Intelligence Directorate, is the largest supplier of cybersoldiers. Highly trained, they develop new protection systems and manage Russia's listening stations across the globe. At the government level are the Russian Federation Federal Security Service (FSB) and its 76,000 contributors. The organization, the main successor of the KGB, has an entire center devoted to fighting cyber crimes. There is also a special unit in charge of protecting the government's Internet.

The NSA has nothing on the FSB. The Russian service created one of the most powerful systems in communications interception, the one used during the Sochi Olympic Games in February. Russia can also count on its Foreign Intelligence Service (SVR), a 15,000-person organization that is particularly active in economic, industrial and technological spying.

Back in the Moscow night, behind the screen of our encrypted chat, X311 declines to elaborate on what led him to flee Russia for France. "At some point, you need to think about settling down," he says. "I was going on a bad path."

He won't say if he was arrested. "Sorry, but I won’t answer any question. What do you think?" The 28-year-old Russian now works for a French IT security company. Maybe a former victim of his hacking? He replies with a smiley emoticom and suddenly leaves the chat.

Keep up with the world. Break out of the bubble.
Sign up to our expressly international daily newsletter!

Iran-Saudi Arabia Rivalry May Be Set To Ease, Or Get Much Worse

The Saudis may be awaiting the outcome of Iran's nuclear talks with the West, to see whether Tehran will moderate its regional policies, or lash out like never before.

Military parade in Tehran, Iran, on Oct. 3


LONDON — The Iranian Foreign Ministry spokesman Saeed Khatibzadeh said earlier this month that Iranian and Saudi negotiators had so far had four rounds of "continuous" talks, though both sides had agreed to keep them private. The talks are to ease fraught relations between Iran's radical Shia regime and the Saudi kingdom, a key Western ally in the Middle East.

Iran's Foreign Minister Hossein Amirabdollahian has said that the talks were going in the right direction, while an Iranian trade official was recently hopeful these might even allow trade opportunities for Iranian businessmen in Saudi Arabia. As the broadcaster France 24 observed separately, it will take more than positive signals to heal a five-year-rift and decades of mutual suspicions.

Agence France-Presse news agency, meanwhile, has cited an unnamed French diplomat as saying that Saudi Arabia wants to end its costly discord with Tehran. The sides may already have agreed to reopen consular offices. For Saudi Arabia, the costs include its war on Iran-backed Houthis rebels fighting an UN-recognized government in next-door Yemen.

The role of the nuclear pact

Bilateral relations were severed in January 2016, after regime militiamen stormed the Saudi embassy in Tehran. Amirabdollahian was then the deputy foreign minister for Arab affairs. In 2019, he told the website Iranian Diplomacy that Saudi Arabia had taken measures vis-a-vis Iran's nuclear pact with the world powers.

It's unlikely Ali Khamenei will tolerate the Saudi kingdom's rising power in the region.

He said "the Saudis' insane conduct toward [the pact] led them to conclude that they must prevent [its implementation] in a peaceful environment ... I think the Saudis are quite deluded, and their delusion consists in thinking that Trump is an opportunity for them to place themselves on the path of conflict with the Islamic Republic while relying on Trump." He meant the administration led by the U.S. President Donald J.Trump, which was hostile to Iran's regime. This, he said, "is not how we view Saudi Arabia. I think Yemen should have been a big lesson for the Saudis."

The minister was effectively admitting the Houthis were the Islamic Republic's tool for getting back at Saudi Arabia.

Yet in the past two years, both sides have taken steps to improve relations, without firm results as yet. Nor is the situation likely to change this time.

Photo of Iranian Supreme Leader Ali Khamenei in 2020

Iranian Supreme Leader Ali Khamenei in 2020

Riyadh's warming relations with Israel

Iran's former ambassador in Lebanon, Ahmad Dastmalchian, told the ILNA news agency in Tehran that Saudi Arabia is doing Israel's bidding in the region, and has "entrusted its national security, and life and death to Tel Aviv." Riyadh, he said, had been financing a good many "security and political projects in the region," or acting as a "logistical supplier."

The United States, said Dastmalchian, has "in turn tried to provide intelligence and security backing, while Israel has simply followed its own interests in all this."

Furthermore, it seems unlikely Iran's Supreme Leader Ali Khamenei will tolerate, even in this weak period of his leadership, the kingdom's rising power in the region and beyond, and especially its financial clout. He is usually disparaging when he speaks of Riyadh's princely rulers. In 2017, he compared them to "dairy cows," saying, "the idiots think that by giving money and aid, they can attract the goodwill of Islam's enemies."

Iranian regime officials are hopeful of moving toward better diplomatic ties and a reopening of embassies. Yet the balance of power between the sides began to change in Riyadh's favor years ago. For the kingdom's power has shifted from relying mostly on arms, to economic and political clout. The countries might have had peaceful relations before in considerably quieter, and more equitable, conditions than today's acute clash of interests.

If nuclear talks break down, Iran's regime may become more aggressive.

Beyond this, the Abraham Accord or reconciliation of Arab states and Israel has been possible thanks to the green light that the Saudis gave their regional partners, and it is a considerable political and ideological defeat for the Islamic Republic.

Assuming all Houthis follow Tehran's instructions — and they may not — improved ties may curb attacks on Saudi interests and aid its economy. Tehran will also benefit from no longer having to support them. Unlike Iran's regime, the Saudis are not pressed for cash or resources and could even offer the Houthis a better deal. Presently, they may consider it more convenient to keep the softer approach toward Tehran.

For if nuclear talks with the West break down, Iran's regime may become more aggressive, and as experience has shown, tensions often prompt a renewal of missile or drone attacks on the Saudis, on tankers and on foreign shipping. Riyadh must have a way of keeping the Tehran regime quiet, in a distinctly unquiet time.

Keep up with the world. Break out of the bubble.
Sign up to our expressly international daily newsletter!