US DoJ takedown shows Russian eCrime actors co-opted for state espionage
On Friday the US Department of Justice unsealed an indictment against Russian nationals accused of developing, administering and operating DanaBot malware-as-a-service (MaaS), tracked by CrowdStrike as SCULLY SPIDER — a Russia-based eCrime adversary.
Active since 2018, DanaBot evolved from a banking trojan into a rentable botnet platform used for eCrime, espionage and DDoS attacks — including activity targeting Ukrainian entities. Sub-botnets 24 and 25 were found to have ties to Russian intelligence, highlighting how eCrime infrastructure can be repurposed for state-backed operations.
Despite operating openly from within Russia, SCULLY SPIDER faced little domestic enforcement — a pattern suggesting tolerance or proxy use by the Kremlin.
CrowdStrike says it supported the takedown by providing threat intelligence, infrastructure analysis and insight into the group’s technical operations. The company has published a blog post detailing SCULLY SPIDER’s tactics and what this disruption means for weakening Russian-aligned cyber capabilities.
The post states that evidence of DanaBot’s alignment with Russian state interests emerged shortly after Russia’s full-scale invasion of Ukraine. On 2 March 2022, DanaBot’s sub-botnet 5 was used to conduct HTTP-based DDoS attacks against the Ukrainian Ministry of Defence webmail server, and on 7 March 2022 the same sub-botnet was used to facilitate an HTTP-based DDoS attack against the National Security and Defense Council of Ukraine. The timing and targeting of these attacks suggest direct support of Russian military objectives, demonstrating how eCrime infrastructure can be rapidly repurposed for state-aligned disruptive operations.
The case of SCULLY SPIDER highlights why Russian eCrime groups must be viewed through a political lens — as extensions of state power rather than mere criminal enterprises. The Russian Government’s tolerance of such actors, the direct use of DanaBot in attacks supporting Russia’s invasion of Ukraine, and the revelation of espionage-focused sub-botnets all suggest a calculated strategy of leveraging criminal proxies for state objectives.
“DanaBot is a prolific malware-as-a-service platform in the eCrime ecosystem, and its use by Russian-nexus actors for espionage blurs the lines between Russian eCrime and state-sponsored cyber operations,” said Adam Meyers, CrowdStrike’s Head of Counter Adversary Operations. “SCULLY SPIDER operated with apparent impunity from within Russia, enabling disruptive campaigns while avoiding domestic enforcement. Takedowns like this are critical to raising the cost of operations for adversaries.”