In brief

  • The DoJ has indicted a Ukrainian woman in connection with the activity of two pro-Russia cyberattack groups.
  • The two groups launched Distributed Denial-of-Service attacks against infrastructure targets in the U.S. and elsewhere.
  • Chainalysis says that arrests and sanctions make it harder for such groups to operate.

The U.S. Department of Justice has issued two indictments against a Ukrainian individual accused of being involved with two Russian state-sanctioned cyberattack groups.

33-year-old Victoria Eduardovna Dubranova, a Ukrainian national who was extradited to the United States earlier this year, is alleged to have provided support to the CyberArmyofRussia_Reborn (CARR) and NoName.

The indictment alleges that both groups committed cyberattacks—including denial-of-service attacks—against critical infrastructure and individuals across the world, with NoName members paid in cryptocurrency.

Both indictments against Dubranova allege that she committed conspiracy to damage protected computers, while the indictment in connection with CARR also charges the Ukrainian with one count of tampering with public water systems, one count of access device fraud, and one count of aggravated identity theft.

The DoJ also says that the Russian government has provided both CARR and NoName with financial support, which both groups used to conduct cyberattack campaigns.

In CARR’s case, it used its funding to subscribe to DDoS-as-a-service platforms, while NoName developed its own proprietary distributed denial-of-service software.

CARR’s exploits include targeting public drinking water systems across several American states, attacking a meat processing facility in Los Angeles in November 2024, and targeting election infrastructure during U.S. elections.

In NoName’s case, it’s accused of taking credit for hundreds of cyberattacks against victims across the world in support of Russia’s geopolitical interests.

The group allegedly published details of its exploits on Telegram, where it also recruited volunteers, published leaderboards of the most prolific DDoS attackers, and paid the individuals in crypto.

Dubranova, who the DoJ claims was involved heavily in both groups, will face trial in relation to NoName charges on February 3 of next year, while her trial in relation to CARR exploits will begin April 7.

She faces up to 27 years in prison if found guilty of the CARR-related charges, and up to five years if convicted of the charges associated with her alleged NoName involvement.

NoName, CARR and crypto

While the DoJ’s indictment provides no further details on how either NoName or CARR made use of cryptocurrencies, such use extended beyond paying volunteers.

“CARR and NoName directed a portion of the cryptocurrency donations to purchase infrastructure used for disruptive DDoS attacks,” says Jacqueline Burns-Koven, the Head of Cyber Threat Intelligence at Chainalysis.

Speaking to Decrypt, Burns-Koven suggested that, despite crypto’s popular reputation for privacy, it can function as a valuable law-enforcement tool in cases such as these.

“Although they did not amass significant funds from their donations or DDoS campaigns, and while DDoS infrastructure is relatively cheap, even the smallest trace of cryptocurrency can be used to help identify and disrupt threat actors,” she said.

Existing sanctions relating to CARR, together with this week’s indictment, will widen the net that serves to restrict pro-Russia cyber activity.

Burns-Koven explained, “With these designations in place, it will be harder for entities to donate to these groups—or for the groups to off-ramp or launder the funds—because transactions can be easily identified on-chain through the use of blockchain analytics solutions.”

While new Russia-aligned hacking groups may display a tendency to appear where older ones have disappeared, Burns-Koven also suggested that the public identification and arrest of individuals does have a deterrent effect, while also working to “sow distrust and discord” among remaining members.

For example, she said, CARR “allegedly collaborated with a number of hacktivist groups and their demise is a tangible reminder to groups of the costs of engaging in this kind of activity.”
