The Convergence of Cybercrime and Russian Geopolitical Strategy

Argument by Jimmy Bell | April 21, 2025

Cybercrime: the State of Play 

The increasing organization and sophistication of cybercrime in the last decade has yielded colossal financial gains for cybercriminal networks while eroding overall international security. The 2010s saw an explosion in cybercrime, enabled by a confluence of linked factors: the rise of digital crypto-currencies such as bitcoin, the digitization of organizations, the ubiquitous use of internet-connected devices, increasing infrastructure and resilience of the dark web, and cloud connectivity. These interdependent trends continue to embolden both new and existing cybercrime groups to increase attacks, achieving highly favorable success rates with little chance of legal consequences. The current result is that global cybercrime has become a $1.5 trillion industry annually, almost triple the size of the annual illicit global drug trade at $650 billion. 

The top cybercrime groups originate in Russia as measured by the volume of attacks and success rates. Their primary targets are Western governments and businesses, particularly in the United States. Russian President Vladimir Putin has created a domestic political environment that gives flexibility and protection to malicious Russian cyber actors who target the US and its allies. Russia rarely prosecutes cybercriminals who target national adversaries but has no problem arresting cyber-threat actors who target domestic Russian entities. Attacks directed at Western economies support the Kremlin’s strategic goals of weakening global confidence in democracy and Western economic security, especially in the US, illustrating how Russian cybercrime groups are likely a mechanism of Russian geopolitical strategy. 

BlackCat and Scattered Spider 

Starting in November 2021, the Russian cybercrime group BlackCat provided ransomware, a technical weapon used in cyber extortion schemes, to the Western cybercrime group Scattered Spider. Scattered Spider then uses that ransomware to facilitate attacks against US public and private industries. BlackCat is distributing ransomware through a Ransomware-as-a-Service (RaaS) model, providing the technical means to facilitate Scattered Spider’s cyber attacks in exchange for a commission on ransom payouts enabled by cryptocurrency exchanges. This collaboration has elevated Scattered Spider into the top three threat actor groups targeting the US, alongside Chinese and Russian foreign intelligence agencies. BlackCat’s technical expertise, paired with Scattered Spider’s knowledge of Western culture, enables a high volume of successful attacks perpetrated through Scattered Spider’s network. 

Since Scattered Spider is the threat-actor group that penetrates information systems, interacts with victims, and receives payments, BlackCat’s role in the collaborative model is relatively obfuscated by Scattered Spider’s direct perpetration of crimes. However, much of Scattered Spider’s success can be attributed to the technical sophistication of BlackCat’s ransomware. Such a partnership is loosely equivalent to the dynamic of two groups fighting each other with handguns, and a third actor coming in and providing one of the groups with air support. BlackCat is providing metaphorical air support – a highly asymmetric offensive capability over defenders.  

Scattered Spider uses social engineering tactics to penetrate information systems, co-opt them, and extort organizations for financial gain. The group comprises native English-speaking individuals who leverage their Western cultural knowledge to craft convincing text messages, emails, and phone calls, diminishing US organization’s threat perception. The collaborative RaaS model, which plays to each group’s strengths, amplifies the volume, sophistication, and damage of cyberattacks on US entities, undermining public confidence in institutions, government, and industry – a significant component of Russia’s overall geopolitical objective. While Scattered Spider is financially motivated, BlackCat’s relatively small commission compared to market rates in successful ransomware events might indicate that financial motivation is less important, potentially illustrating a degree of political motivation behind BlackCat’s operations.

BlackCat’s RasS Affiliate Model: Potential Futures 

Scattered Spider is a subgroup within a larger cybercrime collective called The Com, also made up of Western nationals, thus offering BlackCat an extensive network of potential ransomware affiliates. The sophistication of BlackCat’s ransomware and Scattered Spider’s cultural knowledge of Western societies enables the two groups to leverage each other’s strengths, creating an advantageous partnership. Moreover, BlackCat’s commission is generally 10% of the ransomware payment, cheaper than market rates for other RaaS groups, which hover around 30%.

Scattered Spider and The Com are composed of Western nationals from the US, UK, and Canada, giving them the cultural and language expertise that BlackCat lacks. BlackCat’s technical sophistication allows the ransomware payload to effectively freeze information systems once penetrated, yielding a high success rate in each attack and providing financial gain to both parties through the RaaS affiliate model. There are approximately 1,000 operatives in Scattered Spider and an unknown number of operatives in The Com, though the latter is considered larger, more decentralized, and consisting of multiple affiliates. As of November 2024, only two Scattered Spider operatives have been apprehended by Western law enforcement, despite the group claiming hundreds of millions of dollars in ransom payments. 

BlackCat’s Possible Connection to the Kremlin 

Russia’s historical use of cybercriminal proxy groups suggests an informal or covert connection between the Kremlin and BlackCat, though no direct evidence supports this claim. BlackCat operators include many developers and money launderers who originated from the Darkside ransomware group that conducted the 2021 Colonial Pipeline attack. While no evidence indicates a formal connection between these operatives and the Russian government, the pipeline attack is closely aligned with Russian geopolitical goals. Russia has aided and shielded prolific cybercriminal groups in the past; Evil Corp, another Russian cybercrime group responsible for stealing over $100 million from compromised Western bank accounts, directly assists Russia’s Federal Security Service (FSB) by using Evil Corp’s ransomware infrastructure to steal confidential data. 

Russian authorities arrested a small number of operatives from another ransomware group called REvil, which collaborated with The Com, in 2021. The arrests only occurred after President Biden pressured President Putin to “take action” against Russian-based cyber criminals targeting the US economy. Such calls have been echoed regarding BlackCat, but Russian law enforcement has not made any arrests.

Though rare, Russia does prosecute some cyber criminals. Experts have speculated that particular political conditions are necessary for mobilizing the political will to hold these actors accountable. Attacking Russian or allied entities tied to Russia’s interests emboldens law enforcement response. Moreover, the Russian economic mafia-state endemic to the oligarchy applies to cyber criminals. Refusing to cooperate with the government in offering the group’s network, skills, and resources to the Kremlin could result in legal repercussions or other coercive measures. 

BlackCat’s Strategic Alignment with the Kremlin 

The 2021 Russian National Security Strategy document asserts that Russia’s “independent foreign policy” implementation amplifies opposition from the United States and its allies. In response to this opposition, Russia will continue its attempts to weaken support for democracy through operations and policies aimed at undermining confidence in Western economic security. Russian state-sponsored cyber threat actors targeted the 2020 and 2024 U.S. presidential elections through influence operations preying on American concerns about economic security and the questionable capacity of the government to meet their economic needs. Moreover, the US public is increasingly aware of heightened digital economic threats and critical infrastructure threats.  A 2022 poll revealed that 77% of Americans are worried about ransomware, intellectual property theft, and attacks on critical infrastructure. In the same year, the annual cost of cybercrime targeting US companies reached $220 billion, while the 2024 annual cost is estimated to have reached $452 billion. Furthermore, Russia’s involvement in the BRICS coalition and its advocacy for an alternate form of currency and economic system to combat the strength of the US and its allies illustrates Russia’s interest in undermining Western economic systems, especially US economic might. Russian-based cybercriminal networks likely represent another tool for supporting the Kremlin’s overall geopolitical strategy of undermining trust and stability in the US political and economic model.

Possible Russian Reactions to US Policies Targeting BlackCat

The Putin regime might respond favorably to diplomatic pressure to crack down on BlackCat, as they did when Russian authorities arrested REvil operatives in 2021 after President Biden exerted diplomatic pressure. Though Russia is unlikely to crack down on RaaS domestic criminal groups comprehensively, diplomatic pressure might compel the Putin regime to rein in BlackCat’s reckless behavior. A potential pitfall of this measure is if the Kremlin performatively arrests BlackCat operatives while doing minimal to no damage to the group’s overall operational capability. 

Russia would likely see diminished geopolitical utility in RaaS cybercrime groups if US entities are discouraged from paying ransoms in return for data deletion. Research shows that paying a ransom may not stop cybercrime groups from publishing stolen data or re-extorting the same entity in the future. Russian RaaS groups will likely lose affiliate partners should the culture and protocol around ransomware payments shift in the US. However, reorienting the culture around ransomware payments presents a significant challenge to US industry and law enforcement because of disparate laws around payment, cost-benefit calculus, and asymmetric vulnerability to threat actors. As the digitization of societies becomes more entrenched, ransomware extortion schemes and cyberattacks in general will remain one of the top risk vectors for government, industry, and society.