Russian cybercrime bust paints ‘striking picture’ of ‘dark-web’ operation, former FBI official says

  • On February 7, the Department of Justice unsealed a sweeping indictment against 36 defendants for their role in the Infraud Organization.
  • The most important message is for the public: companies are not just up against solo hackers, but highly skilled enterprises that rely on an international collection of criminal and cyber expertise.
  • Companies must take action now to be prepared for a variety of cyber threats and data breaches.

On February 7, the Department of Justice unsealed a sweeping indictment against 36 defendants for their role in the "Infraud Organization." The indictment reads at times like a 21st-century crime novel, giving the public an insight into the size, sophistication, and discipline of criminal cyber networks operating online (something well known to those who track these organizations).

The indictment also shows how U.S. law enforcement agencies are striking back in concert with partners around the world in an effort to raise the cost of doing business for these types of outfits — and how Russia poses a continuing obstacle to these efforts.

According to the allegations in the indictment, Infraud was launched in 2010 by defendant Svyatoslav Bondarenko of Ukraine and served as a central clearinghouse that allowed members to traffic in stolen identities, financial and banking information, malware, and other online contraband. Over the course of seven years, the indictment alleges, the site grew to more than 10,000 members across the world and caused more than half a billion dollars in losses to consumers, businesses, and financial institutions.

Beyond the operation's scale, the striking picture that emerges from the indictment is the degree to which Infraud operated very much like a dark-web cousin of major commercial marketplace sites.

The group's leadership imposed a rigid hierarchy to maintain order on the site and delegated authority to system administrators and other associates, who held roles of varying responsibility ranging from "Moderators" to "Super Moderators" to "Administrators." It also relied on a system of strictly enforced rules and user-generated feedback to maintain quality control. Longstanding site members were promoted to "VIP Member" status to honor their contributions and solicited advice on the "In Fraud We Trust" discussion forum.

Given Infraud's worldwide membership, U.S. law enforcement needed to partner with others across the world to effectuate the arrest and to send a meaningful warning to wrongdoers in the future: The unsealing of the indictment followed the arrests of 13 individuals in the United States and six other countries (Australia, the United Kingdom, France, Italy, Kosovo, and Serbia).

In its public statement, the Justice Department offered thanks to a long list of cooperating law enforcement agencies around the world without whom "[t]he international operation to dismantle the Infraud Organization would have been impossible."

Conspicuously absent from the list is Russia, even as the indictment gives indications that the site itself was being hosted in Russia. Among other things, the indictment alleges that in 2011 the site's founder issued a decree that banned the buying and selling of contraband involving Russian victims, a tactic experts noted is used to discourage Russian law enforcement from taking down a Russian-hosted server.

While these types of multi-jurisdiction arrest sweeps are intended to send a message to cyber-criminals, the most important message in the near term is for the public: In today's environment, companies are not just up against solo hackers, but highly skilled enterprises that rely on an international collection of criminal and cyber expertise.

A new report from the White House Council of Economic Advisers estimated that malicious cyber activity cost the U.S. economy as much as $109 billion in 2016 and emphasized that even though "government can help address some elements of cyber protection issues, the most direct actions in cybersecurity are in the hands of the private sector."

Meeting this threat takes a serious investment in technological safeguards as well as a willingness to adapt to an evolving threat. Companies and individuals should invest now in protections against these kinds of threats and begin planning for scenarios in which their systems are breached and their information finds its way to these kinds of dark corners of the internet.

Commentary by John P. Carlin and David Newman. Carlin was the assistant attorney general for the U.S. Department of Justice's National Security Division (NSD) and served as chief of staff and senior counsel to former FBI Director Robert S. Mueller, III, where he helped lead the FBI's evolution to meet growing and changing national security threats, including cyber threats. He currently chairs Morrison & Foerster's global risk and crisis management group and co-chairs its national security group. He is also the chair of the Aspen Institute's Cybersecurity & Technology Program and a CNBC contributor.

Newman is a former special assistant to President Barack Obama, associate White House counsel, and director on the National Security Council staff. He is currently counsel at Morrison & Foerster LLP, where he represents clients in a wide variety of national security and global risk and crisis management issues.
