Russian cybercriminals are almost untouchable. For years, hackers based in the country have launched devastating ransomware attacks against hospitals, critical infrastructure, and businesses, causing billions in losses. But they’re out of reach of Western law enforcement and largely ignored by the Russian authorities. When police do take the criminals’ servers and websites offline, they’re often back hacking within weeks.
Now investigators are increasingly adding a new dimension to their disruption playbook: messing with cybercriminals’ minds. To put it bluntly, they’re trolling the hackers.
In recent months, Western law enforcement officials have turned to psychological measures as an added way to slow down Russian hackers and cut to the heart of the sweeping cybercrime ecosystem. These nascent psyops include efforts to erode the limited trust the criminals have in each other, driving subtle wedges between fragile hacker egos, and sending offenders personalized messages showing they’re being watched.
“We’re never going to get to the kernel of these organized criminal gangs, but if we can minimize the impact they have by reducing their ability to scale, then that’s a good thing,” says Don Smith, vice president of threat research at security firm Secureworks. “All of these little things, which in themselves may not be a killer blow, they all add friction,” he says. “You can look for cracks, amplify them, and create further discord and mistrust so it slows down what the bad guys are doing.”
Take Operation Cronos. In February, a global law enforcement operation, led by the UK’s National Crime Agency (NCA), infiltrated the LockBit ransomware group, which authorities say has extorted more than $500 million from victims, and took its systems offline. Investigators at the NCA redesigned LockBit’s leak website, where it published its victims’ stolen data, and used the site to publish LockBit’s inner workings.
Demonstrating the control and data they had, law enforcement published images of LockBit’s administration system and internal conversations. Investigators also published the usernames and login details of 194 LockBit “affiliate” members. This was expanded in May to include the members’ surnames.
The policing operation also teased the unveiling of “LockBitSupp,” the mastermind behind the group, and said they had been “engaging” with law enforcement. Russian national Dmitry Yuryevich Khoroshev was charged with running LockBit in May, following a multiday countdown clock being published on the seized LockBit website and bold graphics naming him as the group’s organizer.
“LockBit prided itself on its brand and anonymity, valuing these things above anything else,” says Paul Foster, director of threat leadership at the NCA. “Our operation has shattered that anonymity and completely undermined the brand, driving cybercriminals away from using their services.” The NCA says it carefully considered the operation, with its efforts to rebuild LockBit’s site leading to the group being widely mocked online and making its brand “toxic” to cybercriminals who had worked with it.
“We recognized that a technical disruption in isolation wouldn’t necessarily destroy LockBit, therefore our additional infiltration and control, alongside arrests and sanctions in partnership with our international partners, has enhanced our impact on LockBit and created a platform for more law enforcement action in the future,” Foster says.
When LockBit members logged in to the group’s administration systems, they received a personalized message saying authorities had gathered their username, cryptocurrency wallet details, internal chats and chats with victims, and IP addresses. As noted by researchers at cybersecurity firm Analyst1, these “psychological tactics” targeted two areas: “brand reputation and interpersonal relationships among actors.”
The efforts go beyond the LockBit takedown. In April, London’s Metropolitan Police disrupted LabHost, a service that allowed scammers to create phishing websites to trick people into handing over their emails and passwords. Around 800 criminal LabHost users were sent personalized video messages by the police detailing “all the data we have about you.” Countries where they targeted victims were included, as well as IP addresses they had used. “We’ve been watching you every time you visited us,” the voiceover in the video says.
“These messages aren’t just for the existing participants in the criminal ecosystem,” says Secureworks’ Smith. “These are messages for people who maybe are on the edge of deciding to participate.” Within the sprawling cybercrime ecosystem, there’s not much trust between thieves who can con each other out of millions of dollars, but reinforcing and amplifying the divisions has the potential to make it harder to organize efficient criminal enterprises.
Understanding how much of an impact psychological operations have is difficult, but researchers say the criminals are always watching. Of 194 LockBit affiliates, only 69 have returned to the platform since the law enforcement action in February, the NCA says. The hackers read the news and cybersecurity research, discussing it on Russian-language cybercrime forums, researchers say. The XSS forum has one thread called “Juicy arrests” that has more than 1,000 posts since 2017, says Victoria Kivilevich, director of threat research at security firm KELA, which monitors the cybercriminal underground.
Opinions on the LockBit takedown were divided among XSS users, Kivilevich says. In one post in February, Kivilevich says, a cybercriminal questioned why the group’s leader had not been named or sanctioned at that point. “They have that much information, they must have at least something about him,” a translated post reads. “Or maybe he works with them.” Another urged people not to make memes or joke about the situation. “You understand that at some point this may affect you too,” they wrote.
Kivilevich points to other instances where cybercriminals on forums have become disillusioned or disgruntled by law enforcement targeting some members. When members of the Conti and Trickbot ransomware groups were sanctioned in February 2023, LockBitSupp asked where the sanctions were for the Trickbot leader “Stern” and other high-profile actor “Baddie.” As a further 11 members of Conti and Trickbot were sanctioned in September 2023, days after WIRED named one of the members, a cybercriminal complained that some of those sanctioned “never have had high profiles.” They went on to say there is a feeling of “injustice”: “What was the point of adding fucking managers who didn’t decide much in the business.”
Andréanne Bergeron, director of research at security firm GoSecure who specializes in criminal behavior and police intervention, says there may be two outcomes from naming some criminals and not others. Those that are named may “feel it is unjust to be punished while others go free” and may end up cooperating or working with law enforcement as a result.
Bergeron also says malicious hackers often “crave recognition” for their actions. “When their colleagues receive all the ‘credit,’ even if it includes being sanctioned, these unnamed individuals may feel compelled to reveal themselves to gain recognition,” Bergeron says. “This desire for recognition can drive them to engage in risky behaviors, potentially exposing themselves to authorities in their pursuit of validation.”
While law enforcement may be using some psychological tactics alongside more traditional technical takedowns and sanctions, there’s also scientific research looking at the ways in which cyber psychology can disrupt criminal hackers. The US Intelligence Community’s research agency, the Intelligence Advanced Research Projects Activity (Iarpa), has started work on a project to create new cybersecurity defenses by exploiting the human weaknesses of attackers.
Psychology can be used as a way to “understand, anticipate, and influence” the behavior of cyberattackers, says Kimberly Ferguson-Walter, the Iarpa program manager leading the project. The research, which is in its early stages, is looking to build tools and methods to capitalize on the human weaknesses of cybercriminals based on established psychology principles. For instance, if an attacker can be made to feel like they are safe when they are compromising a system, they may engage in riskier behavior and expose themselves.
“If you can deter somebody from attacking your network, that’s about as good as it gets,” Ferguson-Walter says. “I think the more scared or uncertain they are about how the defenses work, the better your odds for doing that are.”