Oleg

Russia's Sovereign RuNet: A Challenge to the Cybercrime Underworld?


In this blog, we will explore the extent to which the legislative and technical evolutions of the RuNet have impacted the Russian-speaking cybercriminal underground. Since I began following this ecosystem, I have frequently encountered forum threads and Telegram channels discussing the increasing surveillance and censorship affecting the Russian Internet, along with the anonymity issues arising from these changes. While this topic clearly concerns threat actors, it has not been immediately evident what real consequences, if any, they have faced or whether it has significantly disrupted their cybercriminal activities. Let’s find out!




Executive Summary:


Sovereign RuNet - Inception and Goals:

  • Over the past three decades, the RuNet has transitioned from a rather open and unrestricted digital space to one of the most controlled and surveilled Internet ecosystems globally.

  • The announcement of the "Sovereign RuNet" in 2019 was portrayed by some media as a step toward completely disconnecting from the global Internet. However, its current objectives seem to focus on creating an autonomous Russian Internet, enabling targeted and localized restrictions during crises - such as blocking specific websites, disabling messaging platforms, or limiting access to certain online services.

  • Although Russian authorities have made significant investments in tools and legislation to enforce their censorship and Internet autonomy policies, the outcomes remain mixed.

  • The development of a "Sovereign RuNet" is proving to be a slow and costly process, often hindered by technical and practical challenges. Furthermore, for likely political and technical reasons, Russian authorities refrain from fully utilizing the capabilities of their censorship tools.

 

Key Actors and Mechanisms:

  • Roskomnadzor, the central agency responsible for monitoring and controlling the RuNet, significantly expanded its authority following the 2019 Sovereign Internet Law. It oversees traffic filtering systems such as TSPU and maintains a blacklist of blocked websites, VPNs, and services. The agency has the power to fine, restrict, or suspend ISPs and platforms and coordinates annual tests to evaluate the RuNet's resilience against global disconnection.

  • Other entities, including the FSB, the Presidential Administration, and its security service, also play crucial roles.

  • Additionally, private businesses linked to the Russian State - such as DCOA, MFI Soft, IKS Holding, RDP.ru, and Rostelecom - are instrumental in the development of the “Sovereign RuNet.”

 

Surveillance and Censorship Infrastructure (SORM and TSPU):

  • SORM (System for Operative Investigative Activities, first version introduced in 1995):

    • Initially designed for analog phone monitoring, SORM has evolved to include real-time internet surveillance, metadata collection, and monitoring encrypted traffic through its later versions (SORM-2 in 2000 and SORM-3 in 2016).

    • Installed across ISP and telecom networks, it enables law enforcement, primarily the FSB, to monitor communications with little judicial oversight.

  • TSPU (Technical Means for Countering Threats, deployed after 2019):

    • Introduced with the Sovereign Internet Law, TSPU uses Deep Packet Inspection (DPI) technology to block, filter, or slow down internet traffic.

    • It targets VPNs, obfuscation protocols, and circumvention tools, because some of them are efficient ways to counter this system’s blocking capabilities.

 

Impact on Threat Actors in Russia:

  • Currently, cybercriminal networks operating in Russia experience minimal disruption from the Sovereign RuNet. However, the psychological impact of new censorship and monitoring measures is real, as threat actors worry about their anonymity and the increasing difficulty in connecting to or using tools and websites that might eventually be blocked by Roskomnadzor.

  • The fear of being "wiretapped by law enforcement" is exploited by other threat actors who try to sell various anonymity solutions and advice.

  • Roskomnadzor has previously added several cybercriminal communities and messaging services, such as Telegram, to its blocklist. Most of these actions target specific posts or threads on forums and are revoked once the offending content is removed. However, some forums, such as Zelenka (also known as LolzTeam), remain blocked, compelling users to access them via VPNs.

  • Although not directly targeting cybercriminal activities, Roskomnadzor has demonstrated its ability to block Telegram and other messaging applications during local training exercises or political crises, such as in Dagestan in 2023 or when the Ukrainian army entered the Kursk region in the summer of 2024.

  • Roskomnadzor’s campaign against VPNs that refuse to block access to blacklisted websites has reduced the availability of VPNs in Russia. However, threat actors easily bypass this limitation by creating custom VPNs for personal use or to sell them to other threat actors. They also frequently adopt the same methods and protocols used by freedom advocates to circumvent restrictions.

  • Surveillance tools like the FSB’s SORM system facilitate data collection on all RuNet users and are also employed against cybercriminals.

  • Bulletproof hosting (BPH) services are among the affected cybercriminal operations, as they face direct consequences from stricter regulations and the deployment of new surveillance hardware at the ISP level. Some reputable and well-connected BPH providers claim that they found ways to evade surveillance of their hardware in Russian datacenters, supposedly circumventing legal obligations to gather data on their customers. Other BPH providers claim to have ceased offering servers based in Russia altogether.

 

RuNet - From freedom to global surveillance and censorship.

 

In December 2024, regions in southern Russia, including Dagestan, Chechnya, and Ingushetia, were disconnected from the global Internet for 24 hours as part of tests conducted by Roskomnadzor (RKN). These tests, aimed at assessing the functionality of the "sovereign internet" infrastructure, disrupted access to major platforms such as YouTube, Google, WhatsApp, and Telegram, with mainstream VPNs proving largely ineffective against the restrictions[1]. RKN’s press service previously claimed that these exercises are routine, conducted annually, and “have no impact on regular users”[2]. Just a month earlier, in October, a Russian court sentenced Google to pay a fine of 20 decillion dollars - an amount several thousand times bigger than the entire world economy - for banning Russian ultra-nationalistic propaganda channels from YouTube in 2020[3]. Finally, in January 2024, probably during an unannounced test that went poorly, websites using the .RU top-level domain became briefly inaccessible to Internet users both within Russia and abroad[4].



These events are just some of many developments that have affected the Russian Internet over the last 30 years. During this timeframe, Russian authorities have gradually expanded their ability to control the Russian cyberspace by building their leverage over domestic and foreign Internet actors through legislative, administrative, and technical means. Today, the Russian Internet, also called the RuNet for its linguistic, geographical, and cultural particularities, is one of the most controlled and surveilled in the world[5]. In recent years, Russia has intensified efforts to build a sovereign and autonomous RuNet, aiming to insulate its digital infrastructure from external influences and ensure greater State control over information flows.


Figure 1. Internet freedom status. Source: FreedomHouse.

While repressive trends in Russia may seem expected, the Internet was not always so closely monitored. Several eras of transformation of the RuNet can be schematically identified. The first one started in the 1990s when the Internet began to develop in Russia. Russian authorities, like those in other countries, recognized the potential threats of new communication methods and expanded their monitoring capabilities. Concurrently, development of the Russian State Internet Network (RSNet) began in 1998: a special closed and protected network created to allow governmental entities to transfer data and communicate independently and securely[6].

 

The second stage took place between the beginning of the 21st century and around 2012-2014, when Vladimir Putin officially regained the presidential seat and later invaded Ukraine. For Russia, the period from 2000 to 2014 represented a progressive turning point characterized by the return to an aggressive foreign policy[7], the transformation into an authoritarian illiberal State[8], and subsequently by a drastic reduction of freedoms that also impacted the RuNet. While the adoption of restrictive regulation between 2000 and 2011 was rather slow and progressive, the protests at Bolotnaya Square and the rising probability of a confrontation with the West after Russia’s annexation of Crimea seemingly encouraged the Russian Government to swiftly create an autonomous, fully controllable and surveilled Russian segment of the Internet – the “Sovereign RuNet”.

 

Finally, the third period, which started somewhere between 2011 and 2014, is the era in which this strategy materialized. It is characterized by an inflation of regulations expanding the State’s ability to monitor, sanction, secure, and control the infrastructures and actors of the RuNet, notably through federal agencies like Roskomnadzor, whose powers are rapidly increasing. The epicenter of this era, which is still ongoing, was probably the passing in May 2019, and then the gradual application, of Federal Law No. 90-FZ, also known as the “Sovereign Internet Law”. Called the “RuNet law”, or the “CheburNet law” by its opponents, this regulation is an important step in the strategy of creating an autonomous RuNet, which should be able to function even without access to key services or infrastructures provided by Western companies.

 

Table 1. Major laws impacting the RuNet. Source: Cybercrime Diaries.
Table 2. Source: Cybercrime Diaries – December 2024. Please note that this is not an exhaustive list.

List of laws, orders and decisions impacting the RuNet:


The “Sovereign RuNet” bears strong ideological similarities to the Chinese “Great Firewall,” from which it likely took inspiration. Both systems aim to maintain political control, safeguard national security, and minimize foreign influence, but their timing, purpose, and implementation differ significantly. Launched in 2000, the Great Firewall was proactively designed as a foundational component of China’s Internet infrastructure, embedding control mechanisms like DNS poisoning, IP blocking, and keyword filtering to create a largely self-contained "national Intranet" isolated from the global Internet[9]. In contrast, the Sovereign RuNet, developed nearly a decade later, is a reactive measure focused on maintaining connectivity to the global Internet under normal conditions, with autonomy prioritized primarily during crisis scenarios[10].

 

The project of establishing a "Sovereign RuNet" - along with the timing of related laws and their implementation - is closely tied to the rapid development of the Internet worldwide and to the Russian government's geopolitical ambitions and its perception of security threats. The adoption of laws increasing the State’s control over the RuNet, such as the Yarovaya laws in 2016 and the Sovereign RuNet law in 2019, together with Roskomnadzor's annual tests to assess the RuNet's resilience[11], reflects a broader strategy. This pattern, seen after the Bolotnaya protests in 2011 and preceding Russia's invasion of Ukraine in 2014 and 2022, suggests an effort by Russian authorities to mitigate potential foreign interference in the RuNet and to curtail external influences on Russian society.

 

Figure 2. Change in Internet freedom score. Source: FreedomHouse.

Indeed, the Russian government's efforts to consolidate control over the RuNet's physical infrastructure are visible in decisions to deploy special monitoring hardware at major telecommunication companies, Internet Service Providers (ISPs) and critical nodes, such as Internet Exchange Points (IXPs). Additionally, the launch in 2019 of sovereign national alternatives to the Domain Name System (DNS), and in 2024 of a national Whois and of a “Register of address and number resources of RuNet” (RANR), an alternative to the Regional Internet Registry (RIR) for Europe (RIPE), further illustrates this trend (cmu.gov[.]ru/ru/lookup)[12].


Moreover, Moscow's broader goal of controlling key RuNet stakeholders, including major Russian Internet companies, is reflected by RKN’s decision obliging companies to store critical users’ data on servers physically located in Russia or the introduction of registries for ISPs, hosting services, and popular bloggers.

The announcement in July 2024 that RKN will get the authority to manage communication networks - enabling the removal of prohibited information at the request of the Prosecutor General and their deputies - signals the continuously expanding powers of this agency[13].

 

The impacts of such decisions are far-reaching and go well beyond Russia itself. The geography of this country and of its Internet infrastructure, composed of critical fiber-optic communication lines like the “Transit Europe - Asia” (TEA, TEA2, TEA NEXT) cables, IXPs and datacenters, has made Russia a communication bridge between Europe and Asia. Russia's network of cables is vital for Internet connectivity in certain regions of Asia and the Caucasus, leading to concerns among some politicians about excessive reliance on this country for digital links. Terrestrial networks running through Russia serve as important conduits for international connectivity to nations like Armenia, Georgia, Uzbekistan, Kazakhstan and Mongolia, which depend heavily on them[14].

 

Figure 3. Fiber-optic communication lines in Russia. Source: Yamobi.ru.
Figure 4. Fiber-optic communication lines in Russia. Source: ComNews.ru

As we will discuss later, the deployment of censorship and surveillance systems such as the "TSPU" and "SORM" on the infrastructure of Russian ISPs and telecommunication companies grants Russian authorities extensive control over their own networks, the capability to gather intelligence on foreign entities relying on Russian cables, datacenters, or hardware, and the means to protect their own network.

For example, in 2022, Russian IT engineer and blogger Pavel Vasiliev noted that neighboring countries may be uneasy about their communications passing through Russia’s surveillance systems like the TSPU, potentially jeopardizing the Internet transit revenues of Russian ISPs[15].

In November 2024, the researcher Jan Kopriva noticed a strange phenomenon affecting servers in Russia as seen by Shodan[16]. In August 2024, his monitoring script detected a significant decline in the number of Russian servers identified by Shodan, affecting various services such as HTTP/S, SSH, and DNS. A detailed analysis revealed that the most substantial decrease occurred on TCP port 7547, associated with the CPE WAN Management Protocol (CWMP or TR-069), used by ISPs for remote management of customer-premises equipment[17]. This decline was particularly notable within IP ranges of AS12389, assigned to Russia's national ISP, Rostelecom. The data suggests that Russian ISPs may have restricted access to this port, possibly as part of broader Internet filtering measures.
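
Added example (not Jan Kopriva's script or data): one way to go from a falling total of exposed services to the port and network responsible, as in the analysis described above. All counts are constructed, AS64500 is a documentation ASN, and the function names are chosen for this example; only port 7547 and AS12389 come from the text.

```python
from statistics import median

# Constructed weekly counts of publicly reachable services per (ASN, TCP port).
# Every number is invented for illustration.
SNAPSHOTS = {
    "2024-07-08": {("AS12389", 7547): 400_000, ("AS12389", 443): 90_000,
                   ("AS64500", 7547): 30_000, ("AS64500", 22): 55_000},
    "2024-07-15": {("AS12389", 7547): 402_000, ("AS12389", 443): 91_000,
                   ("AS64500", 7547): 30_000, ("AS64500", 22): 55_000},
    "2024-07-22": {("AS12389", 7547): 398_000, ("AS12389", 443): 90_000,
                   ("AS64500", 7547): 31_000, ("AS64500", 22): 54_000},
    "2024-07-29": {("AS12389", 7547): 401_000, ("AS12389", 443): 90_000,
                   ("AS64500", 7547): 30_000, ("AS64500", 22): 55_000},
    "2024-08-05": {("AS12389", 7547): 120_000, ("AS12389", 443): 88_000,
                   ("AS64500", 7547): 29_000, ("AS64500", 22): 55_000},
    "2024-08-12": {("AS12389", 7547): 60_000, ("AS12389", 443): 87_000,
                   ("AS64500", 7547): 28_000, ("AS64500", 22): 54_000},
}


def find_drop(snapshots, window=3, threshold=0.15):
    """Return (baseline_date, drop_date) for the first snapshot whose total is
    more than `threshold` below the median of the previous `window` totals.
    A median baseline keeps one noisy scan from hiding or faking a drop."""
    dates = sorted(snapshots)
    totals = [sum(snapshots[d].values()) for d in dates]
    for i in range(window, len(dates)):
        baseline = median(totals[i - window:i])
        if totals[i] < baseline * (1 - threshold):
            return dates[i - 1], dates[i]
    return None


def attribute_drop(before, after):
    """Rank (asn, port) keys by how much of the total decline each explains.
    Keys missing from one snapshot count as 0, so a service that vanishes
    completely is still attributed."""
    keys = set(before) | set(after)
    deltas = {k: after.get(k, 0) - before.get(k, 0) for k in keys}
    decline = -sum(d for d in deltas.values() if d < 0)
    ranked = sorted(deltas.items(), key=lambda kv: kv[1])
    return [(k, d, round(-d / decline, 3) if d < 0 and decline else 0.0)
            for k, d in ranked]


def explain_drop(snapshots):
    """Combine both steps: when did the total fall, and which key drove it?"""
    found = find_drop(snapshots)
    if found is None:
        return None
    baseline_date, drop_date = found
    ranking = attribute_drop(snapshots[baseline_date], snapshots[drop_date])
    (asn, port), delta, share = ranking[0]
    return {"baseline": baseline_date, "drop": drop_date,
            "asn": asn, "port": port, "delta": delta, "share": share}


if __name__ == "__main__":
    print(explain_drop(SNAPSHOTS))
```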

 

Figure 5. Public IPs with accessible services in Russia – Shodan. Source: Jan Kopriva, SANS.

The impact of the creation of the “Sovereign RuNet” extends beyond Russia or its “Near-Abroad”. In Latin America, the close partnership between Russia and Nicaragua has raised alarms within the Western intelligence community[18], particularly following the establishment of a Russian espionage center on Mokoron Hill near Managua[19]. The export of Russia's SORM-3 system could not only enable the Nicaraguan government to monitor communications of political opposition but also provide Russia with means to spy on Western embassies[20].

 

Evidently, the "Sovereign RuNet" has also profoundly influenced the Internet landscape within Russia, with its effects impacting both common users and threat actors. While the consequences of censorship and restrictions on general Internet use are well-documented, the primary focus here is on how the progressive consolidation of the Sovereign RuNet has impacted cybercriminals operating within Russia. This diverse ecosystem includes actors such as carders, malware developers, drug traffickers, ransomware operators, bulletproof hosting providers, and crypto exchange services, all of whom depend on the Internet for communicating, hosting, and conducting their operations, which often target Western countries.

 

Although the RuNet will probably not be disconnected from the global Internet outside rare and localized cases during periods of crisis, the surveillance and disruption capabilities of Russian authorities sometimes worry, to varying degrees, the threat actors who depend on the RuNet.

The Russian cybercriminal landscape is characterized by significant variation in technical expertise, organizational structures, and levels of anonymity. Equally diverse is the extent to which these threat actors are aware of and adapt to the changes that have impacted the RuNet over the past decade.

Before delving into the responses of Russian cybercriminals to the Sovereign RuNet, let's first identify the key stakeholders involved in shaping the RuNet, the tools they have developed, and the capabilities these tools provide.

 

I) Sovereign RuNet – actors, tools, capabilities and targets.

 

Table 3. Main RuNet protagonists. Source: Cybercrime Diaries.

A) TSPU – the main tool of censorship of Roskomnadzor.

 

“TSPU”, an abbreviation in Russian for “technical means of countering threats”, is a hardware and software system that was introduced after the adoption of the law on the “Sovereign RuNet" in the fall of 2019. This system uses Deep Packet Inspection (DPI) technology, which allows Russian authorities to closely monitor and censor the internet traffic within the RuNet. Primarily managed by the State agency Roskomnadzor, TSPUs are installed on all major Russian ISPs’ infrastructures and allow the authorities to block, filter, or slow down websites and services deemed malicious, like YouTube in 2024. While the system initially relied heavily on foreign components, efforts have been underway since 2022 to replace them with domestically produced hardware to ensure an autonomous and sufficient supply and to avoid sanctions or the presence of backdoors.

 

Figure 6. An example of assembled equipment for Internet filtering (TSPU)

Illustration: Mikhail Klimarev. Source: The Insider.

 

Table 4. Examples of setups of TSPU in an ISP network. Source: Habr.com, translated by Cybercrime Diaries.

Since its introduction, the TSPU system has faced scrutiny regarding its efficiency[21] and the challenges associated with localizing its production. Currently, Roskomnadzor is actively working to limit RuNet users' access to VPN services and obfuscation protocols like Shadowsocks[22], which are effective tools for bypassing surveillance and censorship. To achieve this, Roskomnadzor began leveraging the TSPU's Deep Packet Inspection (DPI) capabilities in 2023 to progressively block widely used VPN protocols, such as OpenVPN and WireGuard. By April 2024, 150 VPN services, including ProtonVPN and NordVPN, ceased functioning in Russia after Roskomnadzor either blocked their entire IP ranges or identified and disrupted their protocols using the TSPU’s DPI system[23]. Additionally, more than 700 websites promoting the use of VPNs have also been blocked.
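
As an added illustration (not code from the article, Roskomnadzor or any TSPU vendor, whose signatures are not public), the Python example below shows why unobfuscated WireGuard and OpenVPN are easy for DPI to identify: their first handshake packets have fixed, publicly documented layouts. The function names and sample packets are constructed for this example, and the OpenVPN samples assume a configuration without tls-auth or tls-crypt.

```python
import struct

# WireGuard handshake messages: type byte -> (name, exact UDP payload size).
WG_FIXED = {1: ("initiation", 148), 2: ("response", 92), 3: ("cookie-reply", 64)}
# OpenVPN control opcodes P_CONTROL_HARD_RESET_CLIENT_V2 / _SERVER_V2.
OVPN_RESET = {7: "client-reset", 8: "server-reset"}


def classify_packet(payload: bytes):
    """Return (protocol, message) for one UDP payload, or None if nothing fits."""
    if len(payload) < 14:
        return None
    first = payload[0]
    # WireGuard: 1-byte message type, 3 reserved zero bytes, fixed handshake sizes.
    if payload[1:4] == b"\x00\x00\x00":
        if first in WG_FIXED and len(payload) == WG_FIXED[first][1]:
            return ("wireguard", WG_FIXED[first][0])
        # Data packets: 16-byte header + payload padded to 16 + 16-byte auth tag.
        if first == 4 and len(payload) >= 32 and len(payload) % 16 == 0:
            return ("wireguard", "data")
    # OpenVPN: opcode in the high 5 bits, key_id in the low 3 (0 on first contact).
    opcode, key_id = first >> 3, first & 0x07
    if opcode in OVPN_RESET and key_id == 0:
        return ("openvpn", OVPN_RESET[opcode])
    return None


def classify_flow(packets):
    """packets: [(direction, payload)], direction 'c2s' or 's2c', in capture order.

    Returns (protocol, confidence). 'confirmed' needs a matching reply from the
    server side, which cuts false positives from one packet that happens to fit.
    """
    opener = None  # (protocol, payload) of the client's first handshake message
    seen = None    # first protocol any packet matched
    for direction, payload in packets:
        hit = classify_packet(payload)
        if hit is None:
            continue
        proto, msg = hit
        seen = seen or proto
        if direction == "c2s" and msg in ("initiation", "client-reset"):
            opener = (proto, payload)
        elif direction == "s2c" and opener and opener[0] == proto:
            if proto == "wireguard" and msg == "response":
                # The response's receiver index (bytes 8-11) echoes the
                # initiation's sender index (bytes 4-7).
                if payload[8:12] == opener[1][4:8]:
                    return (proto, "confirmed")
            elif proto == "openvpn" and msg == "server-reset":
                return (proto, "confirmed")
    return (seen, "suspected") if seen else ("unknown", "none")


# --- Constructed sample packets (filler bytes stand in for keys and MACs) ---
def wg_initiation(sender: int) -> bytes:
    return struct.pack("<B3xI", 1, sender) + b"\xab" * 140


def wg_response(sender: int, receiver: int) -> bytes:
    return struct.pack("<B3xII", 2, sender, receiver) + b"\xcd" * 80


def ovpn_client_reset(session_id: bytes) -> bytes:
    # opcode 7 << 3 | key_id 0, session id, empty ACK array, packet id 0
    return bytes([7 << 3]) + session_id + b"\x00" + b"\x00" * 4


def ovpn_server_reset(session_id: bytes, client_session_id: bytes) -> bytes:
    # opcode 8 << 3, session id, one ACK (packet 0), remote session id, packet id 0
    return (bytes([8 << 3]) + session_id + b"\x01" + b"\x00" * 4
            + client_session_id + b"\x00" * 4)


SAMPLE_FLOWS = {
    "wireguard": [("c2s", wg_initiation(0x1A2B3C4D)),
                  ("s2c", wg_response(0x55667788, 0x1A2B3C4D))],
    "wireguard-no-reply": [("c2s", wg_initiation(7))],
    "openvpn": [("c2s", ovpn_client_reset(b"CLIENTID")),
                ("s2c", ovpn_server_reset(b"SERVERID", b"CLIENTID"))],
    # No fixed header at all: stands in for traffic without a static signature.
    "opaque": [("c2s", b"\xa7" + bytes(range(1, 64))),
               ("s2c", b"\x5e" + bytes(range(64, 127)))],
}


def classify_samples():
    return {name: classify_flow(pkts) for name, pkts in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:20s} -> {verdict}")
```

The same checks return no match for a payload without a fixed header, which is why the obfuscation protocols mentioned in the text are harder to classify from a single packet.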

 

Figure 7. Example of alternative mainstream VPNs currently working in Russia. Source: netwind.io.


Despite these limitations, forbidden social media such as X/Twitter and Instagram, and censored news websites like The Moscow Times or The Insider, continue to be accessed by users in Russia thanks to numerous alternative VPN services[24], custom VPNs or obfuscation protocols such as GoodbyeDPI[25] or VLESS[26] (we will discuss bypass techniques in more detail later). Roskomnadzor is aware that it cannot presently block all VPNs that refuse to comply with its censorship policy and is trying to limit the reach of non-compliant services by pressuring Apple and Google to remove them from the App Store and Play Store. The last big removal of non-compliant VPNs occurred in September 2024, with 98 being removed[27]. In total, over 475 “utilities” and “navigation” applications have been removed from the App Store in Russia[28].

 

Figure 8. Example of VPNs currently banned from Apple’s Russian App Store. Source: applecensorship.com.

 

Overall, censorship in Russia currently remains rather soft and selective, as the Russian government refrains from using all the capabilities of the TSPU. Nevertheless, when the situation requires it, as during the pogroms in Dagestan in October 2023[29], Roskomnadzor can censor almost all mainstream messaging applications, social networks or websites. Theoretically, it could render most VPNs and obfuscation measures useless by authorizing connections only to whitelisted domains/IPs and tolerating only known packet signatures through the DPI system of the TSPU. In the most extreme case, Roskomnadzor could also complement this measure with blacklists of IP address ranges, as in Turkmenistan, where over half of all IPs of the Internet were blocked[30] until July 2024[31]. Total censorship and control would probably not be entirely possible, as new workarounds could be found; nevertheless, they would be out of reach of 99% of RuNet users.

 

TSPU – Where it is installed, what it is made of and how it works:

B) SORM - FSB's surveillance tool.

The “System for Operative Investigative Activities” (SORM) is a hardware and software system that began to be deployed in Russia in 1995. It was created to allow Russian law enforcement and security agencies, like the FSB, to wiretap analog telephone communication networks. Since its inception, three versions of the system (SORM-1, SORM-2, and SORM-3) have been developed, each broadening the technical capabilities of surveillance compared to its predecessor. Presently, the system enables the FSB to gather metadata about telephonic and network traffic, such as source and destination IP addresses, timestamps of data transfers, and the volume of the exchanged data. In particular cases, based on specific rules or criteria, SORM can record all traffic directed to or originating from particular IP addresses or meeting other predefined conditions.


Table 6. Source: ITGLOBAL.com. Translated by Cybercrime Diaries.


Main Parameters and Characteristics

Supported Information Selection Parameters:

  • Logging of IP addresses;

  • Static IP address, subnet of IP addresses, TCP/UDP port;

  • Email address, individual user ID in instant messaging services (e.g., ICQ);

  • Phone number for outgoing and incoming IP telephony calls;

  • Authorization data transmitted via RADIUS, DIAMETER, TACACS+ protocols.

Protocol Processing and Decoding:

  • Transport protocols: IPv4, IPv6, GTPv0, GTPv1;

  • Application protocols: HTTP 1.0, HTTP 1.1, WAR, FTP;

  • Email protocols: POP3, SMTP, ESMTP, IMAP2, IMAP2BIS, IMAP3, IMAP4, IMAP4REV1, DMSP, ETRN, LDAP;

  • Instant messaging services: ICQv5, ICQv6, ICQv7;

  • Short messages: MMS;

  • Multimedia: SIP, RTP/RTCP, H.323.

Connection Interfaces:

  • 1000BASE-T, 1000BASE-LR (up to 4 ports) – SORM III Class;

  • 10GBASE-SR, 10GBASE-LR (2–4 ports) – SORM IV Class;

  • 40GBASE-LR (2 ports), 10GBASE-LR (8 ports) – SORM V Class;

  • 10GBASE-SR, 10GBASE-LR (16–100 ports), 40BASE-SR (5–27 ports) – SORM VI Class.

 

According to the objectives outlined in the Yarovaya laws, Russian authorities aim to use the SORM system to intercept messages sent via applications like WhatsApp, Viber, Facebook Messenger, Telegram, and Skype[41]. Unconfirmed claims suggest that SORM has been installed on servers belonging to messaging services and social networks operating in Russia, potentially enabling the FSB to access private unencrypted messages[42].

 

It is important to note that similar systems exist in Western democratic countries. However, the differences lie in the legal frameworks governing police surveillance, data retention periods, and judicial oversight. Originally, SORM’s primary goal, similar to systems like the UK’s CDLI[43] and Tempora[44], France’s equivalent systems[45], or the USA’s DCSNet[46], was to aid state security agencies in combating terrorist threats. However, freedom activists argue that SORM’s capabilities are now exploited for political surveillance[47]. Similar criticisms have emerged in Europe and the USA, particularly following Edward Snowden's revelations.

 

Over the past 20 years, Russian law enforcement, legislators, and Roskomnadzor have adopted a strategy of gradually expanding their surveillance capabilities, tightening compliance controls[48], and increasing fines[49] for non-compliant companies. This process is repeated to progressively broaden the reach of SORM (and TSPU). Businesses often resist these changes due to the high costs of implementing SORM, resulting in delays[50]. A secondary consequence of this strategy is the consolidation of the telecommunications market, as smaller businesses struggle to meet the financial and bureaucratic demands associated with deploying SORM and other systems. Businesses seeking to avoid scrutiny, such as Bulletproof Hosting providers, often adapt by partnering with larger ISPs or choose to not operate physical servers in Russia.

 

Currently, telecommunications operators, ISPs, hosting providers, and CDNs are required to deploy SORM. For example, in November 2023, a law mandated hosting providers with infrastructure in Russia to install SORM[51]. In April 2024, companies offering CDN services were equated with hosting providers under the same regulations[52].

 

Large companies and online services operating in Russia must comply with these rules. Reports from sources like “Criminal Russia” in December 2016[53], and later confirmation by Gazeta.ru, claimed that the FSB could intercept messages and calls made through WhatsApp and Viber since November 2016[54], as these services allegedly installed SORM-2 systems in their datacenters. In contrast, Telegram reportedly refused to cooperate with the FSB in 2017[55], leading to fines and blocking attempts by Roskomnadzor in 2018[56]. Telegram eventually resumed operations in Russia, sparking speculation about potential agreements with Russian law enforcement. Today a part of the Russian-speaking cybercriminal community believes that Telegram cooperates with the FSB and does not use this messaging application.

 

The exact efficacy of SORM is uncertain. While the system theoretically provides the FSB access to significant amounts of user data, it is doubtful that it can effectively decrypt encrypted content or HTTPS traffic, as was claimed in 2019. Interestingly, according to a thesis published by security researcher Jacob Appelbaum in March 2022, the American NSA may have hacked the SORM system to gather intelligence on targets within its reach, illustrating the global interplay of surveillance systems[57].

 

More information about SORM:


C) RSNet – a secured autonomous network for governmental entities.

 

The foundations of what would later become the Russian State Network (RSNet), also known as the “Unified Data Transmission Network” (ESPD), were laid in 1998. Since 2004, this project has been managed by the Federal Protective Service (FSO) in accordance with presidential decree №1013. RSNet is a special, protected network created for Russian government bodies and State agencies; it represents the next step in the development of the Russian Government Internet Network (RGIN). The RSNet is accessible via domains like “gov.ru”, “kremlin.ru” and “government.ru” and their subdomains, administered by the FSO, which grants specific IPs and subdomains to governmental services[67].

 

Table 7. Source: Russian Ministry of Digital Development, Communications and Mass Media. Translated by Cybercrime Diaries.

More information about RSNet:


II) Sovereign RuNet: limited impact on threat - a degrading environment fueling growing fears.

 

The announcements of new restrictive laws and of the deployment of the TSPU and SORM systems have attracted the attention of threat actors to varying degrees. Overall, these subjects are closely monitored by the Russian-speaking community on Russian-language cybercrime forums and Telegram groups, but the lack of a brutal or immediately perceivable impact on the ability to conduct cybercriminal activities has somewhat limited the group of threat actors that is truly interested in the subject.

 

Figure 11. Example of news about the blocking of foreign hosting and Cloudflare in Russia.

Machine translated. Source: Club2CRD forum.

 

Most threat actors active in Russian-language communities display one of two attitudes toward the evolution of the RuNet and the capabilities of Russian authorities to track them. Some take a fatalistic approach, assuming that they cannot avoid identification if the authorities truly target them, and therefore make little effort to understand the workings of Russia's surveillance and censorship mechanisms. Others are overly optimistic, asserting that numerous solutions developed in China can effectively bypass DPI-based blocking, and rely on the inventiveness of the community to find new bypass methods if and when the need arises.

 

Figure 12. The threat actor “Whisper” explains that censorship of platforms like YouTube could negatively impact the computer literacy of the population in Russia, as this video sharing platform hosts educational content.

Machine translated. Source: XSS forum.

 

A) A minority of Russian-speaking threat actors closely monitor emerging censorship and surveillance technologies in Russia and abroad.

 

A minority, often composed of technically literate cybercriminals involved in the management of networks, DDoS or hosting businesses, closely follows new legislation and tries to understand how the surveillance and censorship systems work, on both the technical and the political side. Their goals are to avoid any major threat to their anonymity and to anticipate a potential disruption of their cybercriminal activity that could occur in the future if Russian authorities decide to act more decisively against cybercrime or choose to limit access to the global Internet.

 

Figure 13. A meme shared by one of the XSS members. Machine translated.

  

The censorship techniques implemented in Turkmenistan and China are being closely observed because they are viewed as potential models for future developments for the RuNet. For example, the threat actor known as "Dread pirate roberts" has shared insights on this subject, obtained from a closed forum.

 

Figure 14. The threat actor “Dread pirate roberts” shares his findings about the DPI censorship system in Turkmenistan.

Machine translated. Source: XSS forum.


Machine translated quote shared by "Dread pirate roberts" on XSS:

“The Chinese firewall is not a definitive indicator [ed. of the capability to effectively implement censorship]. The same Chinese specialists have completely blocked v2 technologies [ed. in Turkmenistan] (the entire suite: v2ng, v2trojan, v2rax, Xray). They don't block these within China itself because they fear sparking public discontent - there’s too much unemployed youth there, and many have embraced Western culture.
It’s not that the Chinese firewall is flawed, but rather that the current boundary between the authorities and the people has been deliberately set this way.
To all the "smart folks" who claim it's nonsense and easy to bypass — go to Turkmenistan as a tourist for a month, try out all your know-how, and you’ll be shocked at how effectively DPI (Deep Packet Inspection) can cripple the internet. Turkmenistan hasn’t cut off external cables, yet there’s practically no internet. As someone "on the frontlines of the fight against censorship," I have to admit that we’re losing this war, especially with the well-known block of TLS 1.3.
Currently, the only way to access unrestricted internet in Turkmenistan is to bribe someone from the censorship department for $2,000 to get an IP address from the whitelist. Even then, it’ll likely be a government server, and they’ll clamp down on you immediately if they don’t like which sites you visit beyond YouTube.
DPI (Deep Packet Inspection) now cuts off anything that doesn’t resemble standard HTTPS and even tests connections by sending test packets to the server address. Why does v2ray get caught? Because it stays silent in response to DPI test requests on ports 80/443 - instant ban. It’s gotten to the point where we launched a legitimate online store and ran VPN traffic through its app. Such a real site doesn’t raise suspicion with text-based requests, but it still got blocked because streaming video packets have a distinct signature. The "security officer" figured out that an online store shouldn’t be streaming video - instant ban.
Man, even true cybersecurity specialists here are throwing up their hands. There’s nothing left to do in Turkmenistan. The irony is that Turkmenistan doesn’t actually have the money for all this; these are Chinese authorities testing their systems locally before rolling them out on a larger scale.
We’re already in contact with groups like those at GreatFire.org because they understand who these "innovations" are being tested on first. This isn’t all being orchestrated by Gurbanguly alone. He’s handed over control of the internet in exchange for generous loans and financial aid, allowing them to experiment as they wish. How do you not see this?”

B) Roskomnadzor’s censorship and ban of VPNs – presently an easily bypassed problem for threat actors in Russia.

 

The blocking of numerous VPN services by RKN in 2024 had a significant impact on threat actors in Russia, as VPNs are among the most commonly used anonymization tools by cybercriminals. VPNs are also essential for accessing censored content or websites like X/Twitter and Instagram within the country. Throughout 2023 and 2024, discussions about VPN-related issues and advice on bypassing these restrictions have noticeably increased on major Russian-language cybercrime forums.

 

Figure 15. Example of threads where a threat actor seeks advice about how to bypass the VPN blocks.

Machine translated. Source: Exploit forum.


Currently, threat actors have numerous options to bypass RKN’s VPN censorship. Alternative or custom VPNs and obfuscation protocols are widely available, reducing the need for significant innovation in this area. Instead of developing their own solutions, threat actors often adapt tools and protocols originally developed by civil society in China or Russia to suit their purposes. It must also be noted that public TOR nodes are blocked in Russia, but the network can still be accessed through bridges. The work of the Russian researcher “ValdikSS”[73], known for creating GoodbyeDPI, is closely followed by the Russian cybercriminal community. Active on platforms like Habr and the NTC forum, ValdikSS is regarded as a valuable technical resource for information on bypassing DPI systems.

 

The most common bypass solutions mentioned by Russian speaking threat actors are the following:

  • V2Ray: A versatile platform that supports multiple proxy protocols, including VMess, VLESS, and Shadowsocks. V2Ray enables users to circumvent internet censorship and filtering by configuring various protocols and transport methods.

  • VMess: Developed as part of the V2Ray project, VMess is a proprietary protocol designed to facilitate secure and efficient communication. It employs encryption and obfuscation techniques to help users bypass internet censorship and maintain privacy. VMess supports multiple transport protocols and can be customized for various network configurations, making it versatile for users seeking to circumvent restrictions.

  • VLESS: Introduced as an evolution of VMess, VLESS aims to reduce protocol overhead and improve performance. By minimizing metadata, VLESS enhances resistance to detection by Deep Packet Inspection (DPI) systems. It supports multiple transport layers, such as WebSocket and HTTP/2, providing flexibility in bypassing censorship. VLESS is particularly effective in environments with advanced censorship measures.

  • Shadowsocks: A lightweight, open-source proxy protocol that encrypts traffic to facilitate secure and private internet access. It's widely used to bypass internet censorship, though its effectiveness can be limited under strict DPI conditions.

  • Cloak: A tool designed to obfuscate proxy traffic, making it resemble regular HTTPS traffic. Cloak works alongside proxy programs like Shadowsocks, enhancing their ability to evade detection and censorship.

  • GoodbyeDPI: A Windows tool designed to bypass Deep Packet Inspection (DPI) systems used by ISPs to enforce censorship. It disrupts DPI by fragmenting data packets, modifying HTTP headers, and injecting fake packets, making it harder for censorship mechanisms to analyze and block traffic. This lightweight, serverless solution is particularly effective in heavily censored regions.

  • Custom VPNs/Alternative VPNs (e.g., AmneziaVPN): AmneziaVPN is an open-source service that enables users to establish personal VPN servers, making it more challenging for authorities to detect and block connections. By allowing users to set up their own servers, AmneziaVPN helps circumvent censorship by avoiding reliance on commercial VPN servers, which are more easily targeted by censors[74].


Figure 16. Example of threads where a threat actor seeks advice about how to bypass the VPN blocks.

Machine translated. Source: Exploit forum.

 

Logically, some threat actors active in the hosting business have sensed an opportunity and are now advertising custom VPNs specifically configured to bypass the DPI filtering of the TSPU. Other cybercriminals also try to sell various services and advice to fellow threat actors who are afraid of being "wiretapped by law enforcement".


Figure 17. Example of threads on the DarkMoney forum where threat actors seek advice about how to hide from surveillance in Russia, while others try to sell anonymity services and advice.

Machine translated. Source: DarkMoney forum.

 

Interestingly, RKN also sometimes adds IP addresses and domains belonging to Russian-language cybercrime forums to its blacklist[75]. Usually, these bans target only a specific thread after a complaint and a court decision; sometimes, however, they target an entire cybercrime forum, for example Zelenka.guru, also known as LolzTeam. These bans are nevertheless ineffective because they are only rarely and partially enforced. In the case of LolzTeam, not all the domains and mirrors of the forum are blocked. The members of this forum can therefore access it either through a VPN that does not comply with RKN’s rules or through the unblocked domains. It appears that RKN could make it somewhat harder for threat actors in Russia to access major cybercriminal forums, but it decided not to act.


Figure 18. Example of Russian-language cybercriminal forums temporarily or permanently blocked by RKN.

Source: Roskomsvoboda.

  

C) Uncertainty about Russian surveillance systems like TSPU and SORM fuels speculation among cybercriminals.

 

The introduction of new surveillance and censorship measures in Russia often sparks heated discussions among Russian-speaking cybercriminals. Systems like SORM and TSPU, shrouded in relative secrecy, provoke fears, misrepresentations, and speculation due to the lack of precise information about their capabilities. This uncertainty frequently leads to exaggerated or inaccurate interpretations of events within these communities.

 

On August 28, 2019, the threat actor "Null2Day" shared claims about vulnerabilities in the Russian surveillance system SORM, based on a presentation by Leonid "darkk" Evdokimov at Chaos Constructions 2019[76]. The presentation revealed exposed management panels and intercepted traffic dumps, including unencrypted HTTPS data, leading to speculation about SORM's ability to decrypt secure traffic. Hypotheses ranged from misconfigured hosts accepting unencrypted HTTP traffic on port 443 to SORM obtaining cryptographic keys through cooperation with service providers like Mail.ru. However, Mail.ru denied these allegations, explaining that the unencrypted traffic was linked to legacy ICQ client behavior. Ultimately, these claims lacked substantiation, and no concrete evidence supported the theory that SORM could decrypt HTTPS traffic.

 

Figure 20. The threat actor Null2Day shared his thoughts about the rumors surrounding SORM’s capability to decrypt HTTPS traffic. Machine translated. Source: Exploit forum.

 

Figure 21. The infamous Belarusian threat actor Ar3s calms down other users’ paranoia about SORM’s decryption capabilities. Machine translated. Source: XSS forum.
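The hypothesis discussed above, that readable data in a port-443 traffic dump comes from clients speaking an unencrypted protocol on that port rather than from decrypted TLS, can be checked on any capture by classifying the first bytes each client sends. The following Python sketch is an added example, not code from the presentation or from the forums; the function names and the sample flows are constructed for illustration.

```python
"""Classify the first client payload of flows to TCP/443: TLS record or plaintext?"""
import struct

# TLS record content types (first byte of every TLS record).
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
# Largest record body a TLS peer may send (2^14 plus ciphertext expansion).
MAX_RECORD_LEN = 16384 + 2048
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"PATCH ")


def classify_first_payload(payload: bytes) -> dict:
    """Return a verdict for the first bytes a client sent on a connection."""
    if len(payload) >= 5:
        ctype, major, minor, length = struct.unpack("!BBBH", payload[:5])
        looks_like_record = (ctype in TLS_CONTENT_TYPES and major == 3
                             and minor <= 4 and 0 < length <= MAX_RECORD_LEN)
        if looks_like_record:
            # Handshake message type 1 directly after the header is a ClientHello.
            is_hello = ctype == 22 and len(payload) >= 6 and payload[5] == 1
            return {"kind": "tls", "record": TLS_CONTENT_TYPES[ctype],
                    "client_hello": is_hello}
    if payload.startswith(HTTP_METHODS):
        request_line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
        return {"kind": "plaintext-http", "request_line": request_line}
    printable = sum(1 for b in payload if 32 <= b < 127 or b in (9, 10, 13))
    if payload and printable / len(payload) >= 0.9:
        return {"kind": "plaintext-other"}
    return {"kind": "unknown-binary"}


def non_tls_on_443(flows):
    """List (flow_id, kind) for flows to port 443 whose first payload is not TLS."""
    findings = []
    for flow_id, dst_port, payload in flows:
        if dst_port != 443:
            continue
        verdict = classify_first_payload(payload)
        if verdict["kind"] != "tls":
            findings.append((flow_id, verdict["kind"]))
    return findings


def build_sample_client_hello() -> bytes:
    """Constructed minimal ClientHello (zeroed random, one cipher suite)."""
    body = (b"\x03\x03" + bytes(32)      # legacy version + 32-byte random
            + b"\x00"                    # empty session id
            + b"\x00\x02\x13\x01"        # one cipher suite
            + b"\x01\x00")               # null compression only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed sample flows: (flow id, destination port, first client payload).
SAMPLE_FLOWS = [
    ("flow-1", 443, build_sample_client_hello()),
    ("flow-2", 443, b"GET /status HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("flow-3", 443, b"\x2a\x02\x00\x10\x00\x04\xde\xad\xbe\xef"),
    ("flow-4", 80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("flow-5", 443, b"LOGIN user=alice\r\n"),
]

if __name__ == "__main__":
    for flow_id, kind in non_tls_on_443(SAMPLE_FLOWS):
        print(f"{flow_id}: port 443 but first payload is {kind}")
```

Flows reported by `non_tls_on_443` were never encrypted in the first place, so their presence in a dump says nothing about an ability to decrypt HTTPS.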

  

Another incident in August 2024 added further intrigue to the discussion around Russian surveillance systems. A member of the XSS forum, "coree", reported issues accessing the forum and its Jabber service hosted at “thesecure.biz” when using networks of SkyNet and Rostelecom. Coree discovered that the TSPU filtering system appeared to block his packets, but the issue disappeared after contacting his ISP to change his IP address. This sparked interest among the forum’s administrator and users, as it suggested the possibility of targeted censorship by RKN, potentially restricting access to websites based on individual IP addresses.

 

Figures 22 and 23. The threat actor "coree" claims that his connection to the XSS forum and Jabber service was blocked by the TSPU. Machine translated. Source: XSS forum.

 

D) Communicating securely and anonymously on the RuNet – a growing challenge for Russian cybercriminals using Telegram.

 

Communicating securely and anonymously is one of the main necessities for cybercriminals from any country if they do not wish to be deanonymized and targeted by rivals or law enforcement. Outside of forums, communication is usually conducted through messaging protocols and applications such as XMPP (Jabber), Tox, Telegram, Signal, Session, Discord, WhatsApp and so on. In the context of the RuNet and Russian-speaking cybercriminal activities, however, using any one of these messaging services or protocols has its own consequences and problems.

 

Figure 24. According to "waahoo" it is better to use in Russia messaging services that do not have an office in the country and do not openly cooperate with Russian law enforcement. Machine translated. Source: XSS forum.

 

The choice of a messaging service or protocol often depends on the nature of cybercriminal activity, the perceived risks, and the need to remain accessible to potential customers. Tox and Jabber with OTR encryption are commonly favored communication tools among old-school threat actors and ransomware affiliates.

 

Telegram is currently the most popular communication application among Russian-speaking threat actors due to its popularity, user-friendly interface, API support, and the ability to deploy bots. However, the absence of automatic encryption for communications and the presence of Telegram's key developers and offices in Russia have raised concerns among the security and anonymity-focused segment of the Russian-speaking cybercriminal community. Many cautious threat actors believe that Telegram is cooperating with the FSB, granting it access to metadata or even the messages of high-profile targets.


Furthermore, the capabilities of the SORM system could enable Russian law enforcement to deanonymize users or collect metadata without the need to decrypt messages or use advanced techniques if threat actors make OPSEC mistakes.

 

Figure 25. The threat actor "bratva" has raised concerns about Telegram’s leadership being based in Russia and the FSB’s ability to deanonymize users through SORM’s geolocation capabilities, including IP collection and information provided by the target’s ISP. Machine Translated. Source: XSS forum.  

 

This last point seems to me particularly interesting and plausible, as most threat actors do not use the encrypted messaging feature in Telegram to conduct discussions or advertise their activities and often make some OPSEC mistakes (IP leak...).

 

Around a year ago, the Russian national M. Venediktov shared a video demonstrating the capabilities of a Telegram investigation tool that he is developing for the Russian police. With access to open-source databases alone, the amount of information available on different users seems impressive. If speculation about cooperation between the FSB and Telegram were true, the surveillance and data-gathering capabilities of Russian law enforcement could be much more advanced.



Final thoughts: the evolving role of the sovereign RuNet and its future impact on cybercrime.

 

To conclude this section and the paper as a whole, the available evidence indicates that, at present, the creation of the “Sovereign RuNet” has impacted Russian threat actors both psychologically and by making it harder for them to maintain anonymity. However, it has not significantly hindered their ability or incentive to carry out cybercrime, particularly when targeting entities outside of Russia. Meanwhile, the capabilities for surveillance and censorship at the disposal of Russian authorities are steadily expanding. The Kremlin, along with factions aligned with it, does not appear to have any clear intention of combating cybercrime within Russia, especially when it targets "unfriendly countries", unless it directly threatens their own interests or serves as a potential bargaining tool in negotiations with the West.

 

Looking ahead, if Russia’s political landscape shifts dramatically, the tools developed by Moscow to control the RuNet could potentially be employed to restrict access to the global Internet or to censor cybercrime forums and threat actors’ communication channels. The critical question is: under what political circumstances and conditions might such drastic measures be implemented, and how effective or disruptive would such actions really be?


I hope you enjoyed the ride! If you have any questions or feedback do not hesitate to contact me, and of course, please share my work ;).


Sources:

 

[1] Chiara Castro, “Russia Disconnects Several Regions from the Global Internet to Test Its Sovereign Net,” TechRadar, December 10, 2024, https://www.techradar.com/vpn/vpn-privacy-security/russia-disconnects-several-regions-from-the-global-internet-to-test-its-sovereign-net.

[2] “Учения по устойчивости рунета не затрагивают доступ в глобальную сеть для пользователей - Роскомнадзор - Москва || Интерфакс Россия,” November 14, 2024, https://www.interfax-russia.ru/index.php/moscow/news/ucheniya-po-ustoychivosti-runeta-ne-zatragivayut-dostup-v-globalnuyu-set-dlya-polzovateley-roskomnadzor.

[3] Iain Thomson, “Russian Court Fines Google $20 Decillion,” October 29, 2024, https://www.theregister.com/2024/10/29/russian_court_fines_google/.

[4] “The Russian Internet’s Domain Problems and How the War in Ukraine Narrows the Kremlin’s Options for Online Controls,” Meduza, February 1, 2024, https://meduza.io/en/feature/2024/02/01/the-russian-internet-s-domain-problems-and-how-the-war-in-ukraine-narrows-the-kremlin-s-options-for-online-controls.

[5] “Russia: Freedom on the Net 2024 Country Report,” Freedom House, accessed November 29, 2024, https://freedomhouse.org/country/russia/freedom-net/2024.

[6] “Russia Creates a Special ‘Internet for the Authorities’ for 4.8 Billion Rubles,” TAdviser.ru, June 20, 2023, https://tadviser.com/index.php/Article:Russian_State_Network_(RSNet).

[7]  Peter Dickinson, “The 2008 Russo-Georgian War: Putin’s Green Light,” Atlantic Council (blog), August 7, 2021, https://www.atlanticcouncil.org/blogs/ukrainealert/the-2008-russo-georgian-war-putins-green-light/

[8]  Marlene Laruelle, Is Russia Fascist?: Unraveling Propaganda East and West, Cornell University Press, 2021, https://www.jstor.org/stable/10.7591/j.ctv16t673d

[9] “Great Firewall | History, China, Hong Kong, & Facts | Britannica,” November 29, 2024, https://www.britannica.com/topic/Great-Firewall.

[10] Justin Sherman, “Reassessing RuNet: Russian Internet Isolation and Implications for Russian Cyber Behavior,” Atlantic Council (blog), July 12, 2021, https://www.atlanticcouncil.org/in-depth-research-reports/issue-brief/reassessing-runet-russian-internet-isolation-and-implications-for-russian-cyber-behavior/.

[11] “С 2019 года было проведено 6 учений по «суверенному Рунету»,” October 24, 2023, https://roskomsvoboda.org/en/post/uchenia-runet-6-raz/.

[12] “Роскомнадзор запустил в РФ аналог сервиса Whois и публичный сервис РАНР (реестр адресно-номерных ресурсов) Рунета,” Хабр, April 10, 2024, https://habr.com/ru/news/806591/.

[13]  “РКН сможет управлять сетями связи на основании требования генпрокурора,” TACC, July 29, 2024, https://tass.ru/obschestvo/21480195.

[14]  Anna Gross, Chris Campbell, and Alexandra Heal, “EU Plans Black Sea Internet Cable to Reduce Reliance on Russia,” May 12, 2023, https://www.ft.com/content/d07dbd19-5e8b-4543-85f6-bbf1a6a0858d.

[15]  Павел Васильев, “ТСПУ как угроза российскому бизнесу интернет-транзита,” Павел Васильев. Блог. (blog), December 20, 2022, https://pavel.su/internet/tspu-as-a-threat/

[16] Jan Kopriva, “The Strange Case of Disappearing Russian Servers,” SANS Internet Storm Center, November 25, 2024, https://isc.sans.edu/diary/31476.

[17] Zach Anderson, “The Most Common Protocol You’ve Never Heard Of,” Censys, January 29, 2019, https://censys.com/the-most-common-protocol-youve-never-heard-of/.

[18] Douglas Farah and Marianne Richardson, “Dangerous Alliances: Russia’s Strategic Inroads in Latin America,” INSS, December 2022.

[19] Alek Buttermann, “Russian Surveillance Network in Nicaragua Raises Alarm,” October 2, 2024, https://www.intellinews.com/russian-surveillance-network-in-nicaragua-raises-alarm-346368/.

[20] Doug Farah, “How Russian Surveillance Tech Is Reshaping Latin America,” September 27, 2024.

[21] “Контроль сети: как оборудование Роскомнадзора влияет на российский интернет,” Discours, https://discours.io/articles/social/roskomnadzor-technical-equipment.

[22] denis-19, “СМИ: в обновлённый перечень блокировки VPN-сервисов и VPN-протоколов Роскомнадзора вошёл Shadowsocks,” Хабр, November 15, 2023, https://habr.com/ru/news/773986/.

[23] “Роскомнадзор блокирует порядка 150 популярных VPN-сервисов,” TACC, https://tass.ru/ekonomika/20622877.

[24] “Купить VPN | VPNlove.Me,” accessed October 15, 2024, https://storage.googleapis.com/vpnlove/index.html.

[25] “Releases · ValdikSS/GoodbyeDPI,” GitHub, accessed October 15, 2024, https://github.com/ValdikSS/GoodbyeDPI/releases.

[27] “Apple Complies With Russian Censorship, Pulls More VPNs From Russia’s App Store,” PCMAG, https://www.pcmag.com/news/apple-complies-with-russian-censorship-pulls-more-vpns-from-russia-app.

[29] Slava Oglobin, “После погрома в Махачкале на юге России возникли проблемы с доступом к Telegram • «Агентство»,” «Агентство», October 30, 2023, https://www.agents.media/posle-pogroma-v-mahachkale-na-yuge-rossii-voznikli-problemy-s-dostupom-k-telegram/.

[30] EABT Staff, “1.2 Billion IP Addresses Blocked in Turkmenistan,” Eurasia Businesstoday (blog), October 13, 2022, https://eurasiabusinesstoday.com/technology-innovation/1-2-billion-ip-addresses-blocked-in-turkmenistan/.

[31] Times of Central Asia, “Turkmenistan Unblocks 3 Billion IP Addresses - But Why? - The Times Of Central Asia,” July 18, 2024, https://timesca.com/turkmenistan-unblocks-3-billion-ip-addresses-but-why/.

[32] Отдел аналитики, “О схемах пропуска трафика через ТСПУ – ГРЧЦ,” Digital Russia (blog), February 16, 2024, https://d-russia.ru/o-shemah-propuska-trafika-cherez-tspu-grchc.html.

[33] “Глава Роскомнадзора Липов: В России все узлы связи на 100% закрыты при помощи ТСПУ,” Российская газета, October 24, 2023, https://rg.ru/2023/10/24/glava-roskomnadzora-lipov-v-rossii-vse-uzly-sviazi-na-100-zakryty-pri-pomoshchi-tspu.html.

[34] “Putin’s Digital Iron Curtain: Russia Bypasses Sanctions, Buys Equipment to Block YouTube and Telegram,” The Insider, https://theins.press/en/politics/265749.

[35] “В Роскомнадзоре рассказали о полном импортозамещении оборудования ТСПУ,” Российская газета, June 3, 2024, https://rg.ru/2024/05/31/v-roskomnadzore-rasskazali-o-polnom-importozameshchenii-oborudovaniia-tspu.html.

[36] “Власти Начали Управлять Блокировками в Рунете с Помощью Отечественного Оборудования - CNews,” https://www.cnews.ru/news/top/2024-07-10_vlasti_nachali_upravlyat.

[37] “Российские Процессоры Байкал, Заказать Русский Микропроцессор ARM,” https://www.baikalelectronics.ru/.

[38] “Провайдер «Ярнет» из Ярославля раскрыл принцип работы ТСПУ от РКН при условии аварии в сетях оператора связи,” Хабр, November 17, 2023, https://habr.com/ru/news/774734/.

[39] “Блокировка VPN-Протоколов На ТСПУ (05.08.2023 - Xx.Xx.202x) - Internet Censorship All around the World / Russia,” NTC, August 7, 2023, https://ntc.party/t/%D0%B.

[40] “Блокировка VPN-Протоколов На ТСПУ (05.08.2023 - Xx.Xx.202x) - Internet Censorship All around the World / Russia,” NTC, August 7, 2023, https://ntc.party/t/%D0%B.

[41] “Шифрофрения – Газета Коммерсантъ № 183 (5933) От 04.10.2016,” accessed November 6, 2024, https://www.kommersant.ru/doc/3106585.

[42] Валерий Романов, “«Как минимум ФСБ имеет доступ к данным в WhatsApp»,” Газета.Ru, January 19, 2022, https://www.gazeta.ru/tech/2022/01/19_a_14434627.shtml.

[43]  “Communications Capabilities Development Programme - ORG Wiki,” https://wiki.openrightsgroup.org/wiki/Communications_Capabilities_Development_Programme.

[44]  “Заказчик Roman Sumaneev ID:386118 - Удаленная Работа, Фриланс, FL.Ru, Россия, Новосибирск,” https://www.fl.ru/users/gromvox/.

[45]  “Les Techniques de Renseignement Contrôlées Par La CNCTR | CNCTR,” https://www.cnctr.fr/techniques-de-renseignement.

[46]  Ryan Singel, “Point, Click ... Eavesdrop: How the FBI Wiretap Net Operates,” Wired, accessed October 24, 2024, https://www.wired.com/2007/08/wiretap/.

[47] “Глаза Кремля,” Досье (blog), March 11, 2024, https://dossier.center/sorm/.

[48] “Госдума приняла закон о штрафах для операторов за неустановку систем хранения трафика,” https://roskomsvoboda.org/ru/post/shtrafy-za-ne-sorm/.

[49]  “Оператора Оштрафовали За Невыполнение Требований о СОРМ | Кабельщик,” August 11, 2023, https://www.cableman.ru/content/operatora-oshtrafovali-za-nevypolnenie-trebovanii-o-sorm

[50] “МТС снизила прогноз по затратам на ‘закон Яровой,’” Interfax.ru, March 19, 2019, https://www.interfax.ru/russia/654842

[51]  “Постановление Правительства Российской Федерации От 22.11.2023 № 1952 ∙ Официальное Опубликование Правовых Актов,” http://publication.pravo.gov.ru/document/0001202311240027.

[52]  “Минцифры приравняло услугу CDN к хостингу,” Ведомости, April 15, 2024, https://www.vedomosti.ru/technology/articles/2024/04/15/1031766-mintsifri-priravnyalo-uslugu-cdn-k-hostingu

[53] Романов, “«Как минимум ФСБ имеет доступ к данным в WhatsApp».”

[54]  “Все «под Колпаком». Российские Спецслужбы Взялись За WhatsApp и Viber » Tərəf - XOCANIN BLOGU,” https://teref.az/novosti/40987-vse-pod-kolpakom-rossiyskie-specsluzhby-vzyalis-za-whatsapp-i-viber.html.

[55]  “Суд оштрафовал Telegram на 800 тыс. рублей за отказ сотрудничать с ФСБ,” Interfax.ru, October 16, 2017, https://www.interfax.ru/russia/583337.

[56] “Количество заблокированных Роскомнадзором IP-адресов превысило четыре миллиона,” Meduza, accessed October 23, 2024, https://meduza.io/news/2018/04/17/kolichestvo-zablokirovannyh-roskomnadzorom-ip-adresov-prevysilo-dva-milliona.

[57] Jacob R Appelbaum, “Communication in a World of Pervasive Surveillance,” March 25, 2022.

[58]  “Минцифры РФ Обяжет Интернет-Ресурсы Передавать Силовикам Расширенные Данные Об IP-Адресах и Портах,” TAdviser.ru, May 6, 2024, https://www.tadviser.ru/index.php/%D0%A1.

[59]  “Федеральный сервер безопасности,” October 21, 2013, https://www.kommersant.ru/doc/2324684.

[60] “СОРМ-3 будет внедрен до 31 марта 2015 года,” 2014, https://roskomsvoboda.org/ru/post/sorm-3-budet-vnedren-do-31-marta-2015-goda/.

[61] “Федеральный Закон "О Внесении Изменений в Федеральный Закон ‘О Противодействии Терроризму’ и Отдельные Законодательные Акты Российской Федерации в Части Установления Дополнительных Мер Противодействия Терроризму и Обеспечения Общественной... \ КонсультантПлюс,” https://www.consultant.ru/document/cons_doc_LAW_201078/.

[62] “Федеральный Закон ‘О Внесении Изменений в Уголовный Кодекс Российской Федерации и Уголовно-Процессуальный Кодекс Российской Федерации в Части Установления Дополнительных Мер Противодействия Терроризму и Обеспечения Общественной Безопасности’ От... \ КонсультантПлюс,” https://www.consultant.ru/document/cons_doc_LAW_201087.

[63]  “В Госдуме решили принять антитеррористические поправки Яровой,” РБК, May 10, 2016, https://www.rbc.ru/rbcfreenews/5731d13d9a7947c95a529de9

[64]  “Разработчик СОРМ Начал Искать Подрядчиков Для Расшифровки Переписки в Мессенджерах — Meduza,” https://meduza.io/news/2016/10/04/rossiyskie-kompanii-nachali-iskat-sposoby-rasshifrovki-perepiski-v-messendzherah

[65]  “Вне прослушки: почему Роскомнадзор и ФСБ судятся с операторами связи,” РБК, November 9, 2017, https://www.rbc.ru/technology_and_media/09/11/2017/5a03187e9a7947d88f988f53

[66] “Красное СОРМово,” Коммерсантъ, April 14, 2021, https://www.kommersant.ru/doc/4771775.

[67]  “Информация Администрации Сети RSNet,” http://www.gov.ru/main/rsnet/page541.html.

[68]  “194.226.118.0/23 RSNET RUSSIAN STATE INTERNET NETWORK Main Division of Informations Resources for States Organs of the Russian Federation - Netblock Details,” https://whoisrequest.com/ip/AS8291/194.226.118.0/23.

[69] “В России потратят 4,8 миллиарда на специальный «интернет для властей» - CNews,” CNews.ru, https://gov.cnews.ru/news/top/2023-06-15_v_rossii_potratyat_48_milliarda.

[70] Наталья Рудычева and Виктор Полевой, “Интернет-Издание о Высоких Технологиях,” CNews Analytics, 2009, https://www.cnews.ru/reviews/free/gov2009/articles/safe.shtml

[71] “Защититься от утечек: в России протестировали военный интернет,” Газета.Ru, October 21, 2024, https://www.gazeta.ru/tech/2019/08/01/12549583/minobr.shtml.

[72] See [69].

[73] “ValdikSS (@ValdikSS) / X,” X (formerly Twitter), November 26, 2024, https://x.com/valdikss.

[74] Masha Borak, “The Open Source VPN Out-Maneuvering Russian Censorship,” Wired, April 7, 2023, https://www.wired.com/story/amnezia-vpn-russia-censorship/.

[75] “The Registry of Blocked Websites,” accessed December 15, 2024, http://reestr.rublacklist.net/en/.

[76] “Проруха На СОРМ,” https://darkk.net.ru/2019/cc/.


© 2024
