In the wake of Russia’s invasion of Ukraine in 2022, several Western law enforcement agencies imposed tighter sanctions on Russian ransomware platforms. In response, two major ransomware syndicates, LockBit and Conti, rebranded their activities to avoid sanctions and strengthen their anonymity. LockBit claimed that it had no intention to purposely attack Western countries, while Conti restructured into three smaller groups named Black Basta, BlackByte, and Karakut.
TRM Labs, a blockchain intelligence company, conducted an analysis which revealed that the sanctions had little impact on darknet markets (DNMs). Criminals fled to Russian-related platforms to evade Western law enforcement, resulting in significant growth in the usage of Russian-speaking DNMs. By the end of the year, they had amassed over $130 million in sales.
The rebranding and other significant activities showed notable changes in the cybercrime space and darknet markets after Russia invaded Ukraine. The sanctions imposed by the U.S. Office of Foreign Assets Control (OFAC) on the popular darknet platform Hydra took a toll on ransomware projects, but the criminals were able to find ways to evade law enforcement and continue to make profits. TRM Labs’ analysis demonstrated that the sanctions had little effect on the darknet markets, and that criminals were still able to find ways to make money despite the restrictions.
