Russian cybercriminals are almost untouchable. For years, hackers based in the country have launched devastating ransomware attacks against hospitals, critical infrastructure, and businesses, causing billions in losses. But they’re out of reach of Western law enforcement and largely ignored by the Russian authorities. When police do take the criminals’ servers and websites offline, they’re often back hacking within weeks.
Now investigators are increasingly adding a new dimension to their disruption playbook: messing with cybercriminals’ minds. To put it bluntly, they’re trolling the hackers.
In recent months, Western law enforcement officials have turned to psychological measures as an added way to slow down Russian hackers and cut to the heart of the sweeping cybercrime ecosystem. These nascent psyops include efforts to erode the limited trust the criminals have in each other, driving subtle wedges between fragile hacker egos, and sending offenders personalized messages showing they’re being watched.
“We’re never going to get to the kernel of these organized criminal gangs, but if we can minimize the impact they have by reducing their ability to scale, then that’s a good thing,” says Don Smith, vice president of threat research at security firm Secureworks. “All of these little things, which in themselves may not be a killer blow, they all add friction,” he says. “You can look for cracks, amplify them, and create further discord and mistrust so it slows down what the bad guys are doing.”
Take Operation Cronos. In February, a global law enforcement operation, led by the UK’s National Crime Agency (NCA), infiltrated the LockBit ransomware group, which authorities say has extorted more than $500 million from victims, and took its systems offline. Investigators at the NCA redesigned LockBit’s leak website, where it published its victims’ stolen data, and used the site to publish LockBit’s inner workings.
Demonstrating the control and data they had, law enforcement published images of LockBit’s administration system and internal conversations. Investigators also published the usernames and login details of 194 LockBit “affiliate” members. This was expanded in May to include the members’ surnames.
The policing operation also teased the unveiling of “LockBitSupp,” the mastermind behind the group, and said they had been “engaging” with law enforcement. Russian national Dmitry Yuryevich Khoroshev was charged with running LockBit in May, following a multiday countdown clock being published on the seized LockBit website and bold graphics naming him as the group’s organizer.
“LockBit prided itself on its brand and anonymity, valuing these things above anything else,” says Paul Foster, director of threat leadership at the NCA. “Our operation has shattered that anonymity and completely undermined the brand, driving cybercriminals away from using their services.” The NCA says it carefully considered the operation, with its efforts to rebuild LockBit’s site leading to the group being widely mocked online and making its brand “toxic” to cybercriminals who had worked with it.
“We recognized that a technical disruption in isolation wouldn’t necessarily destroy LockBit, therefore our additional infiltration and control, alongside arrests and sanctions in partnership with our international partners, has enhanced our impact on LockBit and created a platform for more law enforcement action in the future,” Foster says.