A Split in the Russian-Speaking Underground: Carders and Cybercriminals' Attitudes to Russia's War on Ukraine

[Good Carder]

Russia's war against Ukraine, which began in February 2022, not only changed the geopolitical landscape of Eastern Europe but also profoundly impacted the Russian-speaking cybercriminal community — the so-called "underground." Carders (those involved in markets trading stolen credit card data, dumps, and other financial instruments) traditionally constituted a significant portion of this community. Until 2022, Russian-language forums brought together people from Russia, Ukraine, Belarus, and other former Soviet countries, where nationality played a secondary role to shared business interests.

The conflict has led to a deep rift: some members of the community openly or covertly support Russia, others support Ukraine, and the majority strive to remain neutral to avoid losing partners and revenue. This rift has manifested itself in bans on political discussions, internal conflicts, the emergence of new niche platforms, and changes in business practices. Based on reports from cybersecurity companies (Trend Micro, Recorded Future, ReliaQuest, Binary Defense, and others) for 2022–2025, we examine how the war has affected the attitudes of carders and the entire Russian-speaking underground.

Historical context: a unified Russian-speaking community before the war​

Until 2022, the Russian-language cybercriminal underground represented one of the most organized and extensive ecosystems in the world. Large forums such as XSS, Exploit, 2crd, WWH-Club, Verified, and others served as platforms for trading credit card dumps, CVVs, fullz victim data, account access, and cash-out services.

Participants from Russia and Ukraine often collaborated: Ukrainian hackers extracted data, while Russian hackers provided infrastructure and cash-out channels. The unspoken rule "not to work for RU/UA/CIS" (not to scam our own) maintained trust. Politics was rarely discussed: forum moderators had previously banned nationalist or political topics to avoid conflicts and the attention of law enforcement.

The Beginning of the War: Initial Reactions and the High-Profile Conti Case​

Russia's full-scale invasion of Ukraine on February 24, 2022, came as a shock to the community. Many cybercriminal groups and individual actors publicly stated their position.

The most famous case was the ransomware group Conti (one of the largest in the world at the time, closely associated with access trading carding). On February 25, 2022, Conti published a statement pledging its full support for the Russian government: "We are using all our resources to attack Russia's enemies." This sparked a furor within the group.

In response, a Ukrainian researcher (according to some sources, a former member of the group) leaked over 60,000 internal Conti messages. Leak revealed the group's structure, names, methods, and financial flows. Conti attempted to retreat, declaring "neutrality," but the damage was done: the group partially disbanded, and many members left for other projects (for example, Black Basta).

This incident became a symbol of the schism: the war had even permeated the closed chats of criminal groups.

Bans on politics: an attempt to preserve community​

To avoid such conflicts, most major Russian-language forums quickly introduced or strengthened strict bans on discussing war, politics, and national issues. For example:

• On XSS (the largest forum with tens of thousands of users), moderators banned any talk of war: "We support peace and focus on business."
• Similar rules were introduced on Exploit, Verified, Korovka, and other platforms. Threads mentioning "SVO," "Ukraine," and "Russia" in a political context were deleted, and their authors were banned.

According to reports from 2023 to 2025, these measures helped preserve the core platforms but did not resolve tensions. Discussions continued in private chats and Telegram channels, and trust between Russian and Ukrainian participants plummeted.

Pro-Russian stance: dominant neutrality with a patriotic slant​

In the dominant forums (where the majority of admins and active users are from Russia), a pro-Russian or neutral-patriotic sentiment prevails. Public statements of support are rare after the Conti incident, but indirect signs are noticeable:

• Some groups (such as individual ransomware actors) continued to avoid attacks on Russian targets and sometimes expressed loyalty to the Russian authorities.
• In 2024–2025, Russian authorities strengthened “controlled impunity”: arrests for attacks on Russia, but tolerance for external fraud.

Most carders remain publicly apolitical: war is perceived as a risk to business (sanctions, payment problems, increased attention from intelligence agencies).

Pro-Ukrainian Position: Niche Platforms and Hacktivism​

Ukrainian participants (and those who support them) found themselves in the minority on major forums. Many left or were forced out. In response, specialized pro-Ukrainian platforms emerged.

The most striking example is the DUMPS forum, launched in 2022. This is an openly anti-Russian and anti-Belarusian platform where:

• They trade dumps and accesses exclusively with a focus on Russian and Belarusian targets.
• Users from Russia and Belarus are banned.
• They support Ukrainian hacktivism and even charitable initiatives for the Ukrainian Armed Forces.
• They actively participate in “patriotic” fraud against Russians.

Similar niche communities have emerged on Telegram and other platforms. Ukrainian scam centers and call centers have significantly increased their targeting of Russians, breaking the old rule of "not targeting your own."

The Impact of War on Business and the Ecosystem​

The war radically changed the operating environment:

1. Sanctions and Payments — Western sanctions have complicated cashing out through international systems. Demand for cryptocurrency, anonymous exchanges, and Chinese/Asian channels has increased.
2. Migration: Some Ukrainian actors have emigrated to Europe or other regions. Russian actors have increased their use of VPNs and anti-detection tools.
3. Growing domestic fraud: Ukrainian groups are actively targeting Russians through phishing and scams, which has led to retaliatory measures.

Analysts estimate that there has been no serious "cleavage" (split) at the ecosystem level — business has adapted, but the community has become more fragmented.

Current status as of 2026​

By early 2026, the situation had stabilized in a "cold schism" format. The main Russian-language forums continue to operate with strict prohibitions on politics. Public statements about the war are almost nonexistent.

Pro-Ukrainian niche platforms exist, but remain marginal compared to major Russian ones. Trust between participants from different countries has not been restored: deals are more closely scrutinized, and fear of treachery and betrayal is growing.

Conclusion​

Russia's war against Ukraine has become a catalyst for irreversible changes in the Russian-speaking cybercriminal underground. What was once a relatively monolithic community is now divided along national and political lines. Most carders have chosen a pragmatic neutrality, but tensions persist. This rift not only reflects geopolitical realities but also demonstrates how external conflicts can destroy even criminal ecosystems built on trust and shared interests.

In the long term, this could lead to further fragmentation, the growth of regional platforms, and increased pressure from law enforcement agencies in both countries.