by Constantine von Hoffman

Sketchy Report on Russian Hacking Lacks Facts

Apr 26, 20124 mins

A recent report values Russia's cybercrime market at a whopping $2.3 billion. Unfortunately the questionable report doesn't provide information on the data its authors used to come to this conclusion.

Russia’s cybercrime market is now valued at $2.3 billion, nearly double last year’s total of $1.2 billion, according to a new report by Russian security firm Group-IB. This is a fascinating claim. It’s fascinating because the report gives no information on the data that the statement is based on.

The report includes a very nice chart (right) that supposedly shows “quantitative assessments of the Russian cybercrime market.” At the bottom of charts like this one there is usually a sentence or two about the sources of the included data. Notice anything missing?

The report says the following about the sources of the data:

This report contains the results of the study of the state of the Russian cybercrime market in 2011. It examines the main risks associated with various types of hacker activities, analyzes the main trends in the development of the Russian cybercrime market, estimates the shares and the financial performance of the Russian segment of the global cybercrime market, and forecasts market trends for this year.

It also explains why all hackers who speak Russian should not be considered Russian hackers.

In the United States and Europe, Russian traditionally refers to not only Russian citizens, but all citizens and immigrants from the countries of the former Soviet Union, sharing a common history and language. This distinctiveness is reflected in the way Western specialists interpret the term Russian hackers when referring to cybercriminals from the Baltics, Ukraine, or Central Asia.

This distinction is relevant because the authors want to be clear they are only assessing Russian cybercrimes committed by Russian citizens.This brings us to another fascinating fact about the report: It doesn’t say how the security firm was able to determine whether or not a crime was committed by a resident of Mother Russia.

Group-IB’s Alex Kuzmin sent me the following respond when I asked about the source and nature of the data: “The quantitative part you are inquiring about comes from our investigation results and the data obtained from the Russian [law enforcement agencies].”

Believe it or not, that response is much more informative than what he had to say about determining the location of all these criminals. Let’s not even bring up the issue of the questionable reliability of Russian police data.

I read a lot of reports from a lot of security companies. Most are very solid in their research. Some are even interesting. But few are as “interesting” as this Group-IB report.

After this was published I recieved the following from Mr. Kuzmin on Friday afternoon. Draw your own conclusions.

To put it more clearly: the numbers figuring in the report are based on the data received from the Russian Interior Ministry experts.

Thus, the turnover of the worldwide cybercriminal market is estimated by an MVD’s expert, Mr.Zolotnitskiy ( as 200 Billion rubles which is about $6.8 Bln USD. The Russian part of the cybercriminal pie is being approximated by MVD as 60Bln RUR, which accounts to around $2Bln USD. 

Group-IB’s numbers are slightly higher than the ones of the Russian LEA due to the fact that the LEA solely rely on the information reported by the victims – implicitly not all of of them showed up or filed up official reports – and is thus based on the officially registered losses. Group-IB, on the other hand, often obtains access to cybercriminal gangs’ black accounting data which allows Group-IB analytics to base their estimates on the cybercriminals’ gains and not solely on victims’ losses. 

Also, as this has been another major confusion so far: In Russian there’s a distinction between Russkiy and Rossiyskiy, which is hard to translate into English. The first one – Russkiy – can be translated as “Russian speaking”. The second one – Rossiyskiy – originates from the geographical designation currently known as Russian Federation. Hence, the Russian-speaking cybercriminal part accounts for $4.5 Bln while the Russian(solely cybercriminals based in Russia) – $2.3 Bln.