{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,11,24]],"date-time":"2025-11-24T08:20:29Z","timestamp":1763972429824,"version":"3.45.0"},"reference-count":105,"publisher":"Oxford University Press (OUP)","issue":"1","license":[{"start":{"date-parts":[[2025,11,24]],"date-time":"2025-11-24T00:00:00Z","timestamp":1763942400000},"content-version":"vor","delay-in-days":327,"URL":"https:\/\/creativecommons.org\/licenses\/by-nc-nd\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2025,1,17]]},"abstract":"Abstract<\/jats:title>\n Cybercrime frequently crosses national borders, as perpetrators and victims are often located in different countries. This paper asks: what role do states play in shaping cybercriminal activity? Drawing on an original dataset of 4194 double extortion ransomware victims collected from dark web sources, I identify cybercriminal activity aligned with Russian state interests. I find Russia-based groups increased attacks before Western elections, and companies that withdrew from Russia after the invasion\u2014an action widely perceived as a condemnation of Russia\u2014faced an increased risk of attack. I also analysed over 60 000 leaked messages from a major cybercriminal group, which reveals information sharing and cooperation with the Kremlin. Based on these analyses, I argue that the Kremlin maintains an informal cooperative relationship with ransomware groups operating from its territory, advancing a more nuanced theoretical understanding of how states can leverage cybercriminals for geopolitical ends.<\/jats:p>","DOI":"10.1093\/cybsec\/tyaf037","type":"journal-article","created":{"date-parts":[[2025,11,24]],"date-time":"2025-11-24T08:18:36Z","timestamp":1763972316000},"source":"Crossref","is-referenced-by-count":0,"title":["Informal allies: State\u2013cybercriminal alignment in the ransomware ecosystem"],"prefix":"10.1093","volume":"11","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-0321-3111","authenticated-orcid":false,"given":"Karen","family":"Nershi","sequence":"first","affiliation":[{"name":"Threat Intelligence Program, Middlebury Institute of International Studies , Monterey, CA 94102 ,","place":["United States"]}]}],"member":"286","published-online":{"date-parts":[[2025,11,24]]},"reference":[{"key":"2025112403183371900_bib1","article-title":"Fog of War: How the Ukraine Conflict Transformed the Cyber Threat Landscape","author":"Google","year":"2023"},{"key":"2025112403183371900_bib2","article-title":"A cybersecure digital transformation in a complex threat environment\u2014brochure","author":"European Commission","year":"2019"},{"key":"2025112403183371900_bib3","doi-asserted-by":"publisher","DOI":"10.1093\/oso\/9780197579275.001.0001","volume-title":"Semi-State Actors in Cybersecurity","author":"Egloff","year":"2022"},{"key":"2025112403183371900_bib4","doi-asserted-by":"publisher","DOI":"10.37514\/RNT-J.1996.3.6.21","article-title":"A declaration of the independence of cyberspace","author":"Barlow","year":"1996"},{"key":"2025112403183371900_bib5","volume-title":"Crypto Anarchy and Virtual Communities","author":"May","year":"1994"},{"key":"2025112403183371900_bib6","doi-asserted-by":"publisher","first-page":"991","DOI":"10.1017\/S0020818320000624","article-title":"Digital authoritarianism and the future of human rights","volume":"75","author":"Dragu","year":"2021","journal-title":"Int Organ"},{"key":"2025112403183371900_bib7","first-page":"90","article-title":"Accountability and principal-agent theory","volume-title":"The Oxford Handbook of Public Accountability","author":"Gailmard","year":"2014"},{"key":"2025112403183371900_bib8","doi-asserted-by":"crossref","DOI":"10.17104\/9783406700477","volume-title":"Mafia Life: Love, Death, and Money at the Heart of Organized Crime","author":"Varese","year":"2018"},{"key":"2025112403183371900_bib9","doi-asserted-by":"publisher","first-page":"395","DOI":"10.1016\/j.orbis.2016.05.009","article-title":"Can states calculate the risks of using cyber proxies?","volume":"60","author":"Borghard","year":"2016","journal-title":"Orbis"},{"key":"2025112403183371900_bib10","first-page":"163","article-title":"Analysis of the 2007 cyber attacks against Estonia from the information warfare perspective","volume-title":"Proceedings of the 7th European Conference on Information Warfare","author":"Ottis","year":"2008"},{"key":"2025112403183371900_bib11","doi-asserted-by":"publisher","first-page":"56","DOI":"10.1177\/20438869221149042","article-title":"Ransomware and Costa Rica\u2019s national emergency: a defense framework and teaching case","volume":"14","author":"Datta","year":"2024","journal-title":"J Inf Techn Teach Cases"},{"key":"2025112403183371900_bib12","doi-asserted-by":"publisher","first-page":"311","DOI":"10.1177\/07388942211051264","article-title":"Accountability and cyber conflict: examining institutional constraints on the use of cyber proxies","volume":"39","author":"Akoto","year":"2022","journal-title":"Conflict Manag Peace Sci"},{"key":"2025112403183371900_bib13","doi-asserted-by":"publisher","first-page":"tyac007","DOI":"10.1093\/cybsec\/tyac007","article-title":"The illogic of plausible deniability: why proxy conflict in cyberspace may no longer pay","volume":"8","author":"Canfil","year":"2022","journal-title":"J Cybersecur"},{"key":"2025112403183371900_bib14","doi-asserted-by":"publisher","DOI":"10.1017\/9781316422724","volume-title":"Cyber Mercenaries","author":"Maurer","year":"2018"},{"key":"2025112403183371900_bib15","article-title":"The colonial pipeline incident shows the need for broader thinking about cyber resilience","author":"Borghard","year":"2021"},{"key":"2025112403183371900_bib16","article-title":"The pros and cons of mandating reporting from ransomware victims","author":"Jun","year":"2021","journal-title":"Lawfare"},{"key":"2025112403183371900_bib17","doi-asserted-by":"publisher","first-page":"tyab002","DOI":"10.1093\/cybsec\/tyab002","article-title":"Attribution and knowledge creation assemblages in cybersecurity politics","volume":"7","author":"Egloff","year":"2021","journal-title":"J Cybersecur"},{"key":"2025112403183371900_bib18","doi-asserted-by":"publisher","first-page":"317","DOI":"10.1177\/0022002717737138","article-title":"Invisible digital front: can cyber attacks shape battlefield events?","volume":"63","author":"Kostyuk","year":"2019","journal-title":"J Conflict Resolut"},{"key":"2025112403183371900_bib19","doi-asserted-by":"publisher","first-page":"365","DOI":"10.1080\/09636412.2013.816122","article-title":"Stuxnet and the limits of cyber warfare","volume":"22","author":"Lindsay","year":"2013","journal-title":"Secur Stud"},{"key":"2025112403183371900_bib20","doi-asserted-by":"publisher","first-page":"5","DOI":"10.1080\/01402390.2011.608939","article-title":"Cyber war will not take place","volume":"35","author":"Rid","year":"2012","journal-title":"J Strateg Stud"},{"key":"2025112403183371900_bib21","doi-asserted-by":"publisher","first-page":"316","DOI":"10.1080\/09636412.2015.1038188","article-title":"Weaving tangled webs: offense, defense, and deception in cyberspace","volume":"24","author":"Gartzke","year":"2015","journal-title":"Secur Stud"},{"key":"2025112403183371900_bib22","doi-asserted-by":"publisher","first-page":"41","DOI":"10.1162\/ISEC_a_00136","article-title":"The myth of cyberwar: bringing war in cyberspace back down to Earth","volume":"38","author":"Gartzke","year":"2013","journal-title":"Int Secur"},{"key":"2025112403183371900_bib23","article-title":"Cyber war as an intelligence contest","author":"Rovner","year":"2019"},{"key":"2025112403183371900_bib24","volume-title":"Deter, Disrupt, or Deceive: Assessing Cyber Conflict as an Intelligence Contest","author":"Zegart","year":"2023"},{"key":"2025112403183371900_bib25","article-title":"The Untold Story of NotPetya, the Most Devastating Cyberattack in History","author":"Greenberg","year":"2018"},{"key":"2025112403183371900_bib26","article-title":"A year of Russian hybrid warfare in Ukraine","author":"Microsoft Threat Intelligence","year":"2023"},{"key":"2025112403183371900_bib27","article-title":"New \u201cPrestige\u201d ransomware impacts organizations in Ukraine and Poland","author":"Microsoft Threat Intelligence","year":"2022"},{"key":"2025112403183371900_bib28","article-title":"Preparing for a Russian cyber offensive against Ukraine this winter","author":"Watts","year":"2022"},{"key":"2025112403183371900_bib29","article-title":"Microsoft warns of Russian cyberattacks throughout the winter","author":"Gatlan","year":"2022"},{"key":"2025112403183371900_bib30","doi-asserted-by":"publisher","first-page":"383","DOI":"10.1093\/jcsl\/krw015","article-title":"\u2018Proxies\u2019 and Cyberspace","volume":"21","author":"Maurer","year":"2016","journal-title":"J Confl Secur Law"},{"key":"2025112403183371900_bib31","first-page":"231","article-title":"Cybersecurity and the age of privateering","volume-title":"Understanding Cyberconflict: Fourteen Analogies","author":"Egloff","year":"2017"},{"key":"2025112403183371900_bib32","doi-asserted-by":"publisher","first-page":"222","DOI":"10.1080\/10584609.2021.1994065","article-title":"In-house vs. outsourced trolls: How digital mercenaries shape state influence strategies","volume":"39","author":"DiResta","year":"2022","journal-title":"Polit Commun"},{"key":"2025112403183371900_bib33","doi-asserted-by":"publisher","first-page":"181","DOI":"10.1080\/1060586X.2019.1591142","article-title":"Russia\u2019s use of semi-state security forces: the case of the Wagner Group","volume":"35","author":"Marten","year":"2019","journal-title":"Post Soviet Aff"},{"key":"2025112403183371900_bib34","article-title":"Unprecedented Shift: The Trickbot Group is Systematically Attacking Ukraine","author":"Villadsen","year":": , 2022"},{"key":"2025112403183371900_bib35","first-page":"113","article-title":"Ukraine: a cyber safe haven?","volume-title":"Cyber War in Perspective: Russian Aggression against Ukraine Tallinn: NATO Cooperative Cyber Defence Centre of Excellence","author":"Kostyuk","year":"2015"},{"key":"2025112403183371900_bib36","article-title":"Try This One Weird trick Russian Hackers Hate","author":"Krebs","year":"2021"},{"key":"2025112403183371900_bib37","doi-asserted-by":"publisher","first-page":"217","DOI":"10.1353\/wp.2007.0024","article-title":"Transnational rebels: neighboring states as sanctuary for rebel groups","volume":"59","author":"Salehyan","year":"2007","journal-title":"World Polit"},{"key":"2025112403183371900_bib38","doi-asserted-by":"publisher","first-page":"54","DOI":"10.1017\/S0022381607080048","article-title":"No shelter here: rebel sanctuaries and international conflict","volume":"70","author":"Salehyan","year":"2008","journal-title":"J Polit"},{"key":"2025112403183371900_bib39","article-title":"Ransomware gang arrested in Ukraine","author":"Interpol","year":"2021"},{"key":"2025112403183371900_bib40","article-title":"Police arrest suspected members of prolific DoppelPaymer ransomware gang","author":"Page","year":"2023"},{"key":"2025112403183371900_bib41","article-title":"Egregor ransomware operators arrested in Ukraine","author":"Cimpanu","year":"2021"},{"key":"2025112403183371900_bib42","article-title":"Ransomware gang behind attacks on 50 companies arrested in Ukraine","author":"Cimpanu","year":": , 2022"},{"key":"2025112403183371900_bib43","article-title":"Arrested Clop gang members laundered over $500M in ransomware payments","author":"Cimpanu","year":"2021"},{"key":"2025112403183371900_bib44","article-title":"Europol detains suspects behind LockerGoga, MegaCortex, and Dharma ransomware attacks","author":"Cimpanu","year":"2021"},{"key":"2025112403183371900_bib45","article-title":"LockBit affiliates arrested in Ukraine, Poland","author":"Antoniuk","year":"2024"},{"key":"2025112403183371900_bib46","article-title":"White House says Biden warned Putin on ransomware attacks","author":"Doherty","year":"2021"},{"key":"2025112403183371900_bib47","article-title":"Ransomware: Russia told to tackle cyber criminals operating from within its borders","author":"Palmer","year":"2021"},{"key":"2025112403183371900_bib48","article-title":"Why the Russian Government turns a blind eye to cybercriminals","author":"Maurer","year":"2018"},{"key":"2025112403183371900_bib49","article-title":"Ukraine\u2019s security service detains member of Russian \u2018Cyber Army\u2019","author":"Antoniuk","year":"2024"},{"key":"2025112403183371900_bib50","article-title":"Detained Russian student allegedly helped Ukrainian hackers with cyberattacks","author":"Antoniuk","year":"2024"},{"key":"2025112403183371900_bib51","article-title":"Russian cyberattacks are on the rise, threatening upcoming elections","author":"Associated Press","year":"2024"},{"key":"2025112403183371900_bib52","article-title":"Chinese government recruiting criminal hackers to attack Western targets, U.S. and allies say","author":"Geller","year":"2021"},{"key":"2025112403183371900_bib53","article-title":"Spies for hire: China\u2019s new breed of hackers blends espionage and entrepreneurship","author":"Mozur","year":"2021"},{"key":"2025112403183371900_bib54","article-title":"U.S. indicts Iranian hackers for attacks on critical infrastructure","author":"Miller","year":"2022"},{"key":"2025112403183371900_bib55","article-title":"UK national security committee warns country \u2018must be prepared\u2019 for election interference","author":"Martin","year":"2024"},{"key":"2025112403183371900_bib56","article-title":"An update on foreign threats to the 2024 elections","author":"Easterly","year":"2024"},{"key":"2025112403183371900_bib57","article-title":"Feds deliver stark warnings to state election officials ahead of November","author":"Vasilogambros","year":"2024"},{"key":"2025112403183371900_bib58","article-title":"Experts, NSA cyber director say ransomware could threaten campaigns in 2022","author":"Riley","year":"2022"},{"key":"2025112403183371900_bib59","article-title":"Analyzing the threat of ransomware attacks against US elections","author":"Liska","year":"2020"},{"key":"2025112403183371900_bib60","article-title":"Hackers hit web hosting provider linked to Oregon elections","author":"Selesky","year":"2022"},{"key":"2025112403183371900_bib61","article-title":"Ransomware hits election infrastructure in Georgia county","author":"Fung","year":": , 2020"},{"key":"2025112403183371900_bib62","article-title":"Ransomware attacks take on new urgency ahead of vote","author":"Perlroth","year":"2022"},{"key":"2025112403183371900_bib63","article-title":"Louisiana government computers knocked out after ransomware attack","author":"Bing","year":"2019"},{"key":"2025112403183371900_bib64","article-title":"No data lost, no ransom paid in Louisiana cyber attack; Ardoin says no impact on state elections","author":"Ballard","year":"2019"},{"key":"2025112403183371900_bib65","article-title":"Hacks on Louisiana Parishes Hint at Nightmare Election Scenario","author":"Mehrotra","year":"2020"},{"key":"2025112403183371900_bib66","article-title":"How the Russians hacked the DNC and passed its emails to WikiLeaks","author":"Nakashima","year":"2018"},{"key":"2025112403183371900_bib67","article-title":"US calls out Russia for Macron campaign hack, even as France stays silent","author":"Cerulus","year":"2020"},{"key":"2025112403183371900_bib68","article-title":"How Russia weaponized social media, got caught and escaped consequences","author":"Kelly","year":"2019"},{"key":"2025112403183371900_bib69","article-title":"Russia Secretly Gave $300 Million to Political Parties and Officials Worldwide, U.S. Says","author":"Wong","year":"2022"},{"key":"2025112403183371900_bib70","article-title":"Police search European Parliament over possible Russian interference, prosecutors say","author":"Petrequin","year":"2024"},{"key":"2025112403183371900_bib71","article-title":"How cyber attacks work","author":"National Cyber Security Centre","year":"2015"},{"key":"2025112403183371900_bib72","article-title":"Russia Sought to Use Social Media to Influence E.U. Vote, Report Finds","author":"Satariano","year":"2019"},{"key":"2025112403183371900_bib73","article-title":"Yale CELI List of Companies Leaving and Staying in Russia","author":"Yale Chief Executive Leadership Institute","year":"2024"},{"key":"2025112403183371900_bib74","article-title":"How a Yale professor\u2019s viral list pressured companies to pull out of Russia","author":"Jan","year":"2022"},{"key":"2025112403183371900_bib75","article-title":"McDonald\u2019s, Coca-Cola and Starbucks temporarily stop sales in Russia","author":"Creswell","year":"2022"},{"key":"2025112403183371900_bib76","doi-asserted-by":"publisher","first-page":"1151","DOI":"10.1093\/isq\/sqab039","article-title":"Deterrence in the cyber realm: public versus private cyber capacity","volume":"65","author":"Kostyuk","year":"2021","journal-title":"Int Stud Quart"},{"key":"2025112403183371900_bib77","doi-asserted-by":"publisher","DOI":"10.1093\/acprof:oso\/9780190204792.001.0001","volume-title":"Cyber War Versus Cyber Realities: Cyber Conflict in the International System","author":"Valeriano","year":"2015"},{"key":"2025112403183371900_bib78","doi-asserted-by":"publisher","DOI":"10.1177\/00223433231219441","volume-title":"Introduction: Cyber-Conflict\u2013Moving from Speculation to Investigation","author":"Shandler","year":"2024"},{"key":"2025112403183371900_bib79","article-title":"Cyber Operations Tracker","author":"Council on Foreign Relations","year":"2021"},{"key":"2025112403183371900_bib80","doi-asserted-by":"crossref","DOI":"10.1093\/oso\/9780190618094.001.0001","volume-title":"Cyber Strategy: The Evolving Character of Power and Coercion","author":"Valeriano","year":"2018"},{"key":"2025112403183371900_bib81","article-title":"What is multi-extortion ransomware?","author":"Palo Alto Networks"},{"key":"2025112403183371900_bib82","article-title":"Intelligence Report on Ransomware Gangs on the Darkweb","author":"Dark Tracer Intelligence","year":"2021"},{"key":"2025112403183371900_bib83","article-title":"Enterprises by business size (indicator)","author":"OECD","year":"2023"},{"key":"2025112403183371900_bib84","doi-asserted-by":"publisher","first-page":"171","DOI":"10.5771\/0175-274X-2016-3-171","article-title":"The West is Russia\u2019s main adversary, and the answer is new generation warfare","volume":"34","author":"B\u0113rzi\u0146\u0161","year":"2016","journal-title":"Sicherheit und Frieden (S+ F)\/Security and Peace"},{"key":"2025112403183371900_bib85","doi-asserted-by":"publisher","first-page":"213","DOI":"10.1257\/pol.20180076","article-title":"Who is screened out? Application costs and the targeting of disability programs","volume":"11","author":"Deshpande","year":"2019","journal-title":"Am Econ J Econ Pol"},{"key":"2025112403183371900_bib86","doi-asserted-by":"publisher","first-page":"1405","DOI":"10.1093\/qje\/qjz014","article-title":"The effect of minimum wages on low-wage jobs","volume":"134","author":"Cengiz","year":"2019","journal-title":"Quart J Econ"},{"key":"2025112403183371900_bib87","article-title":"Statistical inference for stacked difference in differences and stacked event studies","author":"Wing","year":"2021"},{"key":"2025112403183371900_bib88","article-title":"Reward Offers for Information to Bring Conti Ransomware Variant Co-Conspirators to Justice","author":"Price","year":"2022"},{"key":"2025112403183371900_bib89","volume-title":"Foundations of the Islamic State: Management, Money, and Terror in Iraq, 2005-2010","author":"Johnston","year":"2016"},{"key":"2025112403183371900_bib90","doi-asserted-by":"publisher","first-page":"755","DOI":"10.1162\/003355300554908","article-title":"An economic analysis of a drug-selling gang\u2019s finances","volume":"115","author":"Levitt","year":"2000","journal-title":"Quart J Econ"},{"key":"2025112403183371900_bib91","doi-asserted-by":"publisher","first-page":"584","DOI":"10.1017\/S0003055418000928","article-title":"Legitimacy in criminal governance: managing a drug empire from behind bars","volume":"113","author":"Lessing","year":"2019","journal-title":"Am Polit Sci Rev"},{"key":"2025112403183371900_bib92","doi-asserted-by":"publisher","first-page":"101582","DOI":"10.1016\/j.is.2020.101582","article-title":"A review of topic modeling methods","volume":"94","author":"Vayansky","year":"2020","journal-title":"Inf Syst"},{"key":"2025112403183371900_bib93","article-title":"A Dual Espionage and Cyber Crime Operation Organization","author":"APT41","year":"2024"},{"key":"2025112403183371900_bib94","article-title":"Alleged Russian Money Launderer Extradited from the Netherlands to U.S","author":"U. S. Department of Justice","year":"2022"},{"key":"2025112403183371900_bib95","article-title":"Russian Hacker Sentenced to Over 7 Years in Prison for Hacking into Three Bay Area Tech Companies","author":"U. S. Department of Justice","year":"2020"},{"key":"2025112403183371900_bib96","article-title":"Russian Malware Developer Arrested and Extradited to the United States","author":"U. S. Department of Justice","year":"2023"},{"key":"2025112403183371900_bib97","article-title":"Russian National Extradited to United States to Face Charges for Alleged Role in Cybercriminal Organization","author":"U. S. Department of Justice","year":"2021"},{"key":"2025112403183371900_bib98","article-title":"Russian accused of running Dark Web market nabbed in Thailand","author":"AP","year":"2018"},{"key":"2025112403183371900_bib99","article-title":"\u2018Cozy Bear\u2019 Group Tied to Hacks on Covid Vaccine Research","author":"Gallagher","year":"2020"},{"key":"2025112403183371900_bib100","article-title":"Leaked ransomware docs show conti helping Putin from the Shadows","author":"Burges","year":"2022"},{"key":"2025112403183371900_bib101","article-title":"\u201cHere to stay\u201d\u2013chinese state-affiliated hacking for strategic goals","author":"Hmaidi","year":"2023"},{"key":"2025112403183371900_bib102","first-page":"253","article-title":"Deconstructing the US policy of indicting malicious state cyber actions","volume":"24","author":"Machtiger","year":"2021","journal-title":"NYUJ Legis Pub Pol"},{"key":"2025112403183371900_bib103","volume-title":"The Future of Power","author":"Nye","year":"2011"},{"key":"2025112403183371900_bib104","doi-asserted-by":"publisher","first-page":"71","DOI":"10.1017\/S1537592709090112","article-title":"Liberal internationalism 3.0: America and the dilemmas of liberal world order","volume":"7","author":"Ikenberry","year":"2009","journal-title":"Perspect Polit"},{"key":"2025112403183371900_bib105","article-title":"World Development Indicators 2012: GDP per capita, Atlas method","author":"The World Bank","year":"2021"}],"container-title":["Journal of Cybersecurity"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article-pdf\/11\/1\/tyaf037\/65487415\/tyaf037.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article-pdf\/11\/1\/tyaf037\/65487415\/tyaf037.pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,11,24]],"date-time":"2025-11-24T08:18:42Z","timestamp":1763972322000},"score":1,"resource":{"primary":{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article\/doi\/10.1093\/cybsec\/tyaf037\/8340911"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025]]},"references-count":105,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2025,1,17]]}},"URL":"https:\/\/doi.org\/10.1093\/cybsec\/tyaf037","relation":{},"ISSN":["2057-2085","2057-2093"],"issn-type":[{"value":"2057-2085","type":"print"},{"value":"2057-2093","type":"electronic"}],"subject":[],"published-other":{"date-parts":[[2025]]},"published":{"date-parts":[[2025]]},"article-number":"tyaf037"}}