There has been substantial commentary on the role of cyberattacks, hacktivists, and the cybercrime underground in the Russia-Ukraine conflict. Drawing on a range of data sources, we argue that the widely-held narrative of a cyberwar fought by committed 'hacktivists' linked to cybercrime groups is misleading. We collected 281K web defacement attacks, 1.7M reflected DDoS attacks, and 441 announcements (with 58K replies) of a volunteer hacking discussion group for two months before and four months after the invasion. To enrich our quantitative analysis, we conducted interviews with website defacers who were active in attacking sites in Russia and Ukraine during the period. Our findings indicate that the conflict briefly but significantly caught the attention of the low-level cybercrime community, with notable shifts in the geographical distribution of both defacement and DDoS attacks. However, the role of these players in so-called cyberwarfare is minor, and they do not resemble the 'hacktivists' imagined in popular criminological accounts. Initial waves of interest led to more defacers participating in attack campaigns, but rather than targeting critical infrastructure, there were mass attacks against random websites within '.ru' and '.ua'. We can find no evidence of high-profile actions of the kind hypothesised by the prevalent narrative. The much-vaunted role of the 'IT Army of Ukraine' co-ordination group is mixed; the targets they promoted were seldom defaced although they were often subjected to DDoS attacks. Our main finding is that there was a clear loss of interest in carrying out defacements and DDoS attacks after just a few weeks. Contrary to some expert predictions, the cybercrime underground's involvement in the conflict appears to have been minor and short-lived; it is unlikely to escalate further.