27 February 2023

Russia’s invasion of Ukraine disrupted cybercriminal ecosystem



Russia’s ongoing war in Ukraine has disrupted the vast cybercriminal threat landscape in Russia due to the mobilization of some threat actors and a wave of IT “brain drain,” according to a new report from Recorded Future’s Insikt Group.

“The so-called “brotherhood” of Russian-speaking threat actors located in the Commonwealth of Independent States (CIS) has been damaged as a result of political disagreements among threat actors in the context of the war. This damage has established a new norm of internal instability, as evidenced by a continued wave of insider leaks,” the report says. “Additionally, as Russia experiences a “brain drain” of IT professionals, these now-fracturing organized cybercriminal cartels will likely become more geographically decentralized, in turn making their relationships more diffuse.”

The cybersecurity firm notes that the economic consequences of the war in Ukraine will likely lead to a rise in the value of payment card fraud on the dark web, despite an overall decrease in carding volume last year. The mobilization and emigration of cybercriminals have also led to decreased activity on Russian-language dark web and special-access forums in 2022.

“From February 24, 2022, to February 10, 2023, we identified approximately 155 million references to new and updated listings on the dark web shops Russian Market, Genesis Store, and 2easy Shop. We noticed 2 major spikes in activity on these shops: in August 2022 and in January 2023. While we have not identified any direct links, we believe it is possible that threat actors based in Russia were liquidating their supply of infostealer logs in these months — ahead of rumors that Russia would enact partial mobilization in order to conscript personnel for its war against Ukraine,” according to the report.

“Anecdotally, we have observed significant decreases in the number of new threads and posts — as well as the total number of all Insikt Group threat leads — related to content on Russian-language dark web forums since September 2022. We believe that the partial mobilization orders issued by Russia may have conscripted several threat actors. We also believe it is possible that Russian-speaking threat actors have been part of the “brain drain” of Russian IT and cybersecurity professionals to Georgia, Estonia, Finland, and Kazakhstan. We believe that this could explain the decrease in activity on Russian-language sources, beginning in September 2022.”

The report warns that Russian authorities might soon absolve pro-Russia cybercriminals from their crimes, because they apparently operate in the interests of the Russian state. Russian intelligence services often recruit cybercriminals into public service or collaborate with cybercriminal gangs in their attacks, and the new proposal is a policy pivot intended to further provide plausible deniability to the Russian state in its offensive cyber operations, Recorded Future said.

