Arrest and Sentencing Disparities Across Russian-Speaking Threat Actors

July 13, 2026

By Oleg Lypko, Cyber Threat Intelligence Analyst

The dominant story about post-Soviet cybercrime is one of impunity, and it is believed from both directions: by Western observers who watch spectacular indictments produce no arrests, and by the cybercriminals themselves, who assume that staying home and sparing local victims is enough to remain untouchable. The data behind this research does not abolish that myth so much as it narrows it. Impunity remains real for parts of Russia’s cybercriminal ecosystem, but it is neither uniform nor guaranteed: it is politically granted, conditionally maintained, and always revocable. Where it gives way to punishment, that punishment is far from marginal; it is simply sorted less by the formal severity of the crime than by the localization of the victims and the political value of pursuing it.

Three cases from the past 18 months show how widely the fate of a named operator can diverge. On the Russian side, management rather than punishment: in December 2024, a Kaliningrad court convicted Mikhail Matveev, the ransomware affiliate sanctioned by the US Treasury and placed under a ten-million-dollar FBI reward, and sentenced him to one year and six months of restriction of freedom: criminality acknowledged, the operator kept inside Russian jurisdiction, the punishment barely felt. Oleg Nefedov, alleged founder of Black Basta and publicly named after the leak of the group’s internal chats, drew an Interpol Red Notice and an EU Most Wanted entry, yet seemingly remains free in Russia. The Ukrainian side now points the other way: in July 2025, the Security Service of Ukraine and French police jointly arrested the man behind “Toha,” longtime administrator of the XSS forum, an operator whose identity had likely been within reach for years and whose arrest owed less to a breakthrough in attribution than to a shift in Ukrainian priorities after 2022. The practical fate of an identified Russian-speaking operator depends far less on the formal gravity of his crime than on which state ends up holding him, and on what that state has decided to do with people like him.

To move past anecdotes, this research triangulates three independent datasets: domestic cyber convictions in Russia and Ukraine (2014–2025), 387 Western indictments and sanctions (2000–2026), and publicized arrests on post-Soviet soil over the same period, covering some 700 individuals across 300 recorded cases. Each is partial: convictions exclude the cybercrime prosecuted as ordinary fraud, the Western record reflects only what is made public and leans American, and the arrest set captures only cases that reached the press. None can be added to another, so the method is triangulation rather than aggregation: what converges across the three is probably real, what diverges is itself a result. The patterns below are the main findings; the full report sets out the analysis, the case typology, and the sources behind each.

Key Findings About Russian-Speaking Threat Actors’ Legal Consequences

  • Impunity is a myth, but so is uniform punishment. Since 2014, courts in Russia and Ukraine have handed down at least 3,225 convictions under the cyber-specific articles of their penal codes (2,490 in Russia and 735 in Ukraine), a conservative floor that excludes cases prosecuted as ordinary fraud, while convictions have risen in both countries.
  • The West names many and catches few, and whom it catches splits sharply by nationality. Between 2000 and 2026, only 83 of 266 indicted or sanctioned Russians were caught, leaving 69% fugitive, while 34 of 49 indicted Ukrainians (69%) were arrested. Operators from other post-Soviet states, present in far smaller numbers, fall overwhelmingly on the arrested side: Estonians (15 of 15), Belarusians (3 of 3), and Lithuanians (3 of 3) in every recorded case, Kazakhstanis (7 of 8) and Latvians (6 of 7) nearly as often, with only Moldova (6 of 11) and Georgia (2 of 4) appearing more evenly split.
  • Western arrests almost never happen at home. Across the former Soviet space, 79% of arrests took place outside the suspect’s own country: capture depends on movement, not on the crime. Of 83 Russians arrested, only 11 were caught inside Russia, and even those were mostly jailed for separate domestic matters (bulletproof hosting, treason, unrelated fraud) rather than the Western case. Ukrainians follow the same logic (only 7 of 36 taken on home soil), as do Kazakhstanis (0 of 8), Moldovans (1 of 6) and Latvians (2 of 6); the one exception is Estonia, which arrests its own nationals at home (12 of 15).
  • Sanctions have become a central weapon against cybercriminals from the former Soviet space, targeting a different layer than indictments. Financial sanctions rose from 14% of Western actions before 2022 to 43% after, rivalling fresh indictments by 2025. They appear to be an efficient lever against those who never leave the sanctuary, striking infrastructure and the state (bulletproof hosting is sanctioned 85% of the time, state operations 60%), while indictments are kept for the hands-on operators, who are almost never sanctioned.
  • What the West prosecutes has changed, because cybercrime itself has changed. In the 2000s cases involving former USSR citizens were mostly payment-card fraud: carders and the money-mule networks that cashed out stolen funds. In the 2020s they are mostly ransomware, the services that support it such as bulletproof hosting, crypto laundering, and state or state-linked hackers. The Western caseload tracks that shift directly: ransomware cases rose from zero to 56, while money-mule cases fell from 34 to none.
  • Russia and Ukraine are no longer policing the same underground. Their cooperation with the West diverges sharply: Ukraine works openly and increasingly with Western agencies (19 of 36 joint operations came after 2022), while almost all of Russia’s apparent cooperation (18 of 27 cases) was packed into early 2022 as diplomatic leverage on the eve of the invasion, with suspects tried at home under Russian charges. The publicized-arrest record, weaker but pointing the same way, shows the contrast in victim geography: Russian arrests skew toward domestic victims, those elsewhere in the post-Soviet space toward international ones.
  • For Russia this is continuity, not rupture; the real break is Ukrainian. Moscow has arrested its cybercriminals selectively and on its own schedule for over a decade, from Carberp (2012) to the Lurk sweep (2016) to the REvil raids (January 2022), protecting, tolerating, or sacrificing operators as leverage when it suits. Ukraine’s turn is something else: a deliberate reorientation since 2022, driven as much by its own assertion of a separate trajectory and identity, distinct from the post-Soviet inheritance it shares with Russia, as by the wartime necessity of cooperating closely with its Western backers, and one that has made foreign-facing cybercrime a liability for the state rather than an asset to manage.
Flare CTA Block Preview

Research Report

Crime & Punishment in the Russian-Speaking Underground

Who actually gets caught, who stays untouchable, and why? This report triangulates 700+ individuals across domestic convictions, Western indictments, and publicized arrests to map the real enforcement landscape behind post-Soviet cybercrime — and what it means for the threat actors targeting your organization.

Full case typology, sentencing analysis, and named operator breakdowns across 300 recorded cases
Analysis of how Russia and Ukraine now police cybercrime as two diverging systems — and what that means for the threat landscape
Read the Full Report →

Rising Domestic Convictions in Russia and Ukraine

The clearest sign that impunity is not the whole story comes from the domestic courts themselves. Since 2014, Russian courts have handed down 2,490 convictions under the strict-cyber articles of the Criminal Code and Ukrainian courts 735 under their equivalents, with both trajectories rising over the period, and the Ukrainian increase sustained through full-scale war and territorial loss. These counts are a conservative floor: a considerable share of cybercrime is prosecuted as ordinary aggravated fraud and cannot be isolated, and part of the rise is mechanical, the predictable result of more activity moving online. They are best read as an indicator of direction, real and worth taking seriously, but neither proof that impunity has ended nor that a reckoning has begun. The two rises do not mean the same thing: Ukraine’s, sustained through war and a contracting population, reads less as more crime than as a deliberate turn toward enforcement, where Russia’s continues a long-standing pattern.

Adjusted for population, the point sharpens. Ukraine’s convictions keep climbing even as the war drives a steep population loss, so the curve rises against its own denominator. An enforcement effort that merely tracked activity would fall with the population; this one does the opposite, which is what marks it as a choice rather than a by-product.

Western Targeting and the Nationality Gap in Arrests

Across 387 Western indictments and sanctions, fewer than half of those named were ever arrested, and that average hides a sharp divide. Roughly seven in ten Russians remain fugitive, while Ukrainians show almost the inverse, and the smaller national cohorts (Estonians, Latvians, Lithuanians, Belarusians) are arrested in nearly every recorded case. Across the post-Soviet space, nationality predicts the enforcement outcome more reliably than the nature of the offense. The instrument has shifted too: financial sanctions rose from 14% of Western actions before 2022 to 43% after, overtaking fresh indictments by 2025, and they fall on a different layer than indictments do. The full report breaks down which roles get sanctioned and which get charged, and why the two tools rarely touch the same person.

Arrests Depend on Movement, Not Residence

Where arrests happen tells the same story from another angle: 79% took place outside the suspect’s own country. The United States alone accounts for about a fifth of all captures, most of them not suspects living on American soil but operators detained in transit, having left a safe jurisdiction for one cooperating with Washington. The asymmetry is partly constitutional, since Russia, Ukraine and Moldova prohibit the extradition of their own nationals while the EU Baltic states can surrender theirs through European mechanisms. The result is that the geography of capture is not a map of where these operators live, but a map of where they made the mistake of going.

Victim Geography: Two Distinct Enforcement Patterns

Seen from post-Soviet soil rather than from Western warrants, the picture inverts, and victim geography delivers the sharpest contrast in the entire dataset. In Russia, roughly seventy percent of publicized arrests involve domestic victims: an operator is far more likely to be picked up at home for harming Russians than for anything done abroad. In Ukraine and across the rest of the post-Soviet space the proportion is almost exactly reversed, with around 80% of arrests concerning international victims. The two distributions are close to mirror images. It stops short of proof, given the limits of an open-source record, but it is the strongest single piece of evidence that what looks like a single Russian-speaking underground is in fact being policed as two distinct populations. The report develops what actually drives Russian arrests, sorting them into a small set of enforcement functions illustrated by named cases, which is where the difference between punishment and management becomes concrete.

Sentencing: Russian Medians, American Ceilings

Among the cases that reach sentencing, the familiar assumptions reverse. Measured at the median, Russia is the harsher jurisdiction, around 6.8 years against roughly 4 in the United States. Yet the longest American sentence, 27 years for the carder Roman Seleznev after extradition, reaches a ceiling no ordinary Russian cybercrime case approaches. Russia modulates where American sentencing stays closer to a binary of prison or nothing, and its heaviest sentences are reserved not for financial cybercrime but for offenses the state reads as attacks on itself or on domestic order. The report sets out which cases land where, and why some operators wanted abroad are tried at home on narrow charges that carry almost no weight.

Diverging State Logics in Russia and Ukraine

What ties these patterns together is not a shared system but a split inside one. For Russia, none of this is a recent turn: from Carberp to Lurk to the REvil arrests of January 2022, Moscow has arrested its cybercriminals selectively and on its own schedule for more than a decade, treating them as assets to protect, tolerate, or sacrifice as its interests move. The norm that long organized the ecosystem, the prohibition on targeting the CIS encoded in keyboard-layout checks and forum bans, was real enough to be obeyed, as the Conti leaks show, but it always belonged to the state rather than to the criminals who observed it. Ukraine inherited the same arrangement and has been leaving it. Since 2014 and more decisively since 2022, Kyiv has treated the prosecution of internationally wanted operators as part of a wider reorientation, one that is driven as much by Ukraine’s own assertion of a separate trajectory and identity, distinct from the post-Soviet inheritance it shares with Russia, as by the wartime necessity of close cooperation with its principal backers. What was once tolerable foreign-facing criminality has become a liability for the state that hosts it. The two states are no longer doing the same thing: Russia still sorts its cybercriminals by the location of their victims and their usefulness to the state, while Ukraine increasingly prosecutes them for who the West says they are. What that growing gap means for a once-shared underground is the subject of the full report.

Flare CTA Block Preview

Research Report

Crime & Punishment in the Russian-Speaking Underground

Who actually gets caught, who stays untouchable, and why? This report triangulates 700+ individuals across domestic convictions, Western indictments, and publicized arrests to map the real enforcement landscape behind post-Soviet cybercrime — and what it means for the threat actors targeting your organization.

Full case typology, sentencing analysis, and named operator breakdowns across 300 recorded cases
Analysis of how Russia and Ukraine now police cybercrime as two diverging systems — and what that means for the threat landscape
Read the Full Report →
Share article

Related Content

View All
07.09.2026

The Tudou Succession: How Three Platforms Carved Up a $12 Billion Guarantee Marketplace

07.08.2026

Monitoring Cyberattacks Directly Linked to the US-Israel-Iran Military Conflict

07.07.2026

Mycelium Framework: First Ever Witnessed AI-as-a-Service Botnet