Arrested Russian hacker Pavel Sitnikov looks to start a new chapter
Image: Pavel Sitnikov
Dmitry Smilyanets July 7, 2022

Arrested Russian hacker Pavel Sitnikov looks to start a new chapter

Arrested Russian hacker Pavel Sitnikov looks to start a new chapter

Editor’s Note: In December 2020, The Record published an interview between Recorded Future’s Dmitry Smilyanets and Russian hacker Pavel Sitnikov about ransomware, cybercrime, and his self-proclaimed connection with the notorious hacking group APT28, or Fancy Bear.

Since then, Sitnikov’s fortunes have changed: He was arrested last May by Russian authorities, who charged him with distributing malware via his Telegram channel called Freedomf0x. His home was raided, and he faced up to five years in prison for allegedly sharing the source code of the Anubis banking trojan on Freedomf0x.

Sitnikov, who says that “everything ended well” for him after paying a fine, talked with Smilyanets about the incident and how he is navigating a new career in the legal cybersecurity industry. “My life after the end of the litigation, which lasted a whole year, has fundamentally changed,” he said. The conversation was conducted in Russian via Telegram and was translated to English with the help of Recorded Future’s Insikt group linguists. The interview below has been lightly edited for clarity.

Dmitry Smilyanets: Pavel, not much time has passed since our last interview, but certain events have occurred since then that I really want to understand. I’ll start with the most important question. In May 2021, you were arrested, and a few months ago you were sentenced under Article 273 of the Criminal Code of the Russian Federation [covering the creation, use and dissemination of harmful computer viruses]. Tell me in detail what happened.

Pavel Sitnikov: Greetings! Early in the morning on May 20, 2021, six operatives from the Moscow Criminal Investigation Department and employees of the Velikoluksky FSB [Federal Security Service] office came to my apartment. I was anticipating this turn of events, as I was warned by some people I know six months before. 

The officers read out the warrant for my arrest and further search. The warrant read like this: [they were investigating me for] the distribution of Anubis malware. This really surprised me. During the search, and through talking with them, they made it clear to me that they were here for a totally different reason, and [the accusation of the Anubis distribution] was just a pretext for my arrest. 

They said that my case was being handled from the very top, and was related to a leak of personal information of COVID-19 patients in Moscow from the Department of Information Technology (DIT) of the Moscow Mayor’s Office. Then I was taken to Moscow to the Main Investigation Department, where they interrogated me all day until night. That is how I celebrated my 39th birthday.

DS: You were then called in for questioning after the Group-IB offices were searched. How is the Group-IB situation connected to you at all?

PS: They called me for an interrogation, but it was not an interrogation, they simply asked me to sign some stupid piece of paper. It seemed to me that it was specially planned for the media ; ) Many of our media outlets wrote about me with regards to this issue on the day I was called in. I was proudly silent because I did not really understand why they needed me, they didn’t explain to me on the phone, and they didn’t explain to my lawyer either.

DS: How did this story with the DIT Moscow database end? Were the guilty punished?

PS: Everything ended well for me, I did not harm anyone by my actions (according to Article 273 of the Criminal Code), and I was simply fined. All this to say, I’m not a felon ; ) With regards to the leak of the DIT [database], no one has been punished and never will be!

DS: How has your life changed since the verdict? And in general, how is it even possible that you were arrested — I thought that Fancy Bear was above the law? It seems you are either not a “real bear,” or you are very guilty of something.

PS: My life after the end of the litigation, which lasted a whole year, has fundamentally changed. I changed my mind about my prior actions. Now I have my own cybersecurity company, I work strictly legally “in the white [hat]” field. I no longer have to prove anything to anyone as before, using radical methods of conveying information. Regarding the allegation that I am considered a member of Fancy Bear: It was 2016, the first time I came out of the shadows. I was invited to meet hackers from Moscow DC [DEF CON]. At the meeting, right off the bat, we decided that at the conference I would be presented as “the one” from Fancy Bear who hacked Hillary Clinton. I agreed, it was fun. 

Then I changed all my profiles on forums and social networks, so as to appear affiliated with APT28. After a short period, other foreign intelligence services started to believe in this, and many people from abroad contacted me. I maintained my reputation because there was this thought at the conference that I’m from the fearsome APT28 group for one, but to deceive practically all of the intelligence communities in the world was absolutely amazing. And so this story was born : )

Sitnikov at the event where he was presented as a Fancy Bear affiliate.

DS: An interesting report came out recently that clearly links you to ZERODAY TECHNOLOGIES (0DT) LLC and their product, Fronton. Are you into botnets now? [Editor’s Note: The report describes the company’s ties to the Russian government and criminal underground groups. Nisos, the company behind the report, said: “We assess that [Sitnikov] likely has extensive knowledge of the functionality of the Fronton infrastructure.”]

PS: When my court case began, I was officially unemployed. My lawyer recommended that I get a job because this is a plus in the eyes of the court. In the first month after my arrest, the head of the 0DT LLC, Ruslan, contacted me and offered any kind of help. I asked to be employed, on the condition that for the duration of the trial I was simply listed as an employee and could only provide consulting services. As for the Fronton system, it all happened long before me. From what I know, the development of Fronton is a cover for the security forces to “siphon off” budget money. Almost immediately after my sentencing and the removal of restrictions on my freedoms and certain actions, I quit 0DT LLC and created my own cybersecurity company.

DS: Your Telegram channel Freedomf0x has more than 30,000 subscribers, what do you hope to achieve by operating this channel?

PS: I gave the Freedomf0x channel to an unknown actor a couple of years before my arrest. But I am still a content ideologist — I just write my thoughts in information security chats, the Freedomf0x administrators constantly monitor all this and adhere to my opinion. The channel was created for the Russian audience since not everyone can afford to pay for the materials that are getting published [the channel posts paywalled material that its users can access].

DS: What are you working on now?

PS: Now I’m trying to understand how the legal information security business works in Russia. My first impression is that nobody needs anything here until they get fucked. I am developing several projects; one is a project related to protestware (revealing vulnerabilities in open source) and a project related to AML (anti-money laundering) in cryptocurrency. I’m really looking forward to the first contract in order to pay for the licenses of the FSTEC FSB [the Russian Federal Service for Technical and Export Control, FSB arm], without them a lot of things cannot be done. I have a large pool of different specialists. In the future, I plan to go into the development of Red Team [offensive security] tools. Right now in Russia, everything is in standby mode, we are surviving, so to speak!

DS: Pavel, I want to know your opinion about military operations in cyberspace. We see dozens of groups on both sides of the conflict in Ukraine. What group do you belong to?

PS: In my opinion, this is not a war, this is a conspiracy! Groups on both sides are just propaganda for the media! I don’t know how things are with information security in Ukraine (in a prior life I recall it was very bad), but in Russia they are deplorable, if it’s a real war, then let’s say the entire critical infrastructure of Moscow can be put down within 24 hours ; ) 

“I’m trying to understand how the legal information security business works in Russia. My first impression is that nobody needs anything here until they get fucked.”

— Pavel sitnikov

A few years ago, my friend and I conducted a study, and in the course of one night penetrated almost all of Moscow’s critical network nodes, without touching anything there. On both sides, children are involved, who are easily manipulated not by money, but by notions of patriotism, nationalism, and other -isms : ) They are supervised by ideologists from the special services. One thing I can say to these youths: “all this will someday come to an end, but the traces will remain, think about it!” I, and many colleagues in the field, are neutral about everything that happens, we are waiting for the end of this shitshow.

DS: Are KillNet or XakNet serious threats to the global community? Or are they skids? Who is leading them?

PS: Killnet, Xaknet, and the rest, as I said above, are a front for important world changes. Yes, the bulk of them are children, but there are also professionals. They may pose a threat, but they will never use it. They are led once again by groups of ideologists, political scientists, and propagandists from the special services.

DS: How badly has Ukraine’s digital infrastructure suffered over the past three months? And in Russia? 

PS: Regarding the digital infrastructure of Ukraine, honestly I don’t know. I don’t think it suffered more than it suffered before the war. In Russia, everything was attacked before the war, it’s just that now it’s all published openly to everyone.  

DS: Are there enough information security specialists in Russia to successfully repel numerous attacks on the digital infrastructure of the Russian Federation?

PS: All the information security we have is designed for “siphoning off” the budgets and I’m more than sure that this will never change. But even if 1,000 specialists remain in Russia, with proper treatment and appropriate funding, everything will be in order.

DS: Recently, the Conti ransomware group attacked Costa Rica, after which the president declared a state of emergency in the country. Why do you think this act of cyber terrorism was committed against a sovereign state?

PS: Conti is supervised by serious dudes in power. An act of vandalism with Costa Rica is again a cover for important events in the world’s redistribution of spheres of influence! All of this is right out of the “Conducting Sabotage Activities” textbook ; )

DS: Will we see more coordinated cyber attacks against countries?

PS: From the Russian side, you won’t see them. It’s like they say in the “kitchen,” these groups serve as an “APT [advanced persistent threat group] mixer”. They [APT groups] will be covered on top with ransomware and with stealers.

DS: Wanna tell me a secret? 

PS: Yes, I always dreamed of serving in the special services, but they didn’t take me because I’m a mess and a bully. But everyone still thinks that I’m a lieutenant colonel in the FSB : )

Mission-driven and Russian-speaking intelligence analyst with type A personality. Dmitry has twenty years of experience and expertise in cybercrime activity that includes being a former member of an elite Russian-based hacking organization.