Moving to “The Shade” for $5k
Flashpoint has identified a threat actor operating under the alias “Royal Bank” who is advertising alleged immigration services to the US or Canada on the Russian-language forum XSS. The post, pictured in Russian below, was published on June 17.
The service is also called “Royal Bank” and its motto is: “The best place under the sun is in the shade.”
“The shade” is not located on the territory of the Russian Federation but in North America, in the US or Canada. The service allegedly costs $5,000.
Context: Sanctions, Economic Woes, Emigration
Rapidly worsening economic and political outlooks in Russia have prompted an exodus of dissidents and younger professionals. Estimates differ on how many IT specialists have left Russia following the February 2022 invasion of Ukraine, but experts agree that the number is in the tens of thousands, perhaps even more than 100,000.
To counter this, the Russian government has tried to mitigate the brain drain of IT workers through various means, including tax breaks and preferential loans, as well as allowing imprisoned IT professionals to work remotely.
Russian authorities have also been ratcheting up repressive laws limiting the freedom of speech, including online. They are also planning to introduce heavier penalties on data theft and the distribution of stolen data.
At the same time, the war has drawn attention to Russian influence operations, espionage, and the various ways of evading sanctions, e.g. on technology transfer, which has prompted a breakdown of scientific cooperation and led to the expulsion of a large number of Russian diplomats.
Ordinary Russians have found it increasingly difficult to obtain visas to enter the United States and the EU. It is unclear to what extent the changing conditions have affected the scrutiny of Russian asylum claims in the West, but the issue is politically sensitive. In the US, the Biden administration has so far only increased access to asylum for Russian scientists, all while Russian asylum seekers reportedly appeared at the US Southern border.
Offering easier access to asylum in a Western country is by no means a novelty. In 2019, Flashpoint reported on a darknet seller who was offering “refugee status” in several member states of the European Union, namely France, Germany, Greece, the Netherlands and the United Kingdom, within 10-15 days.
The vendor then claimed to be able to rely on “people in the government” whom they had built relationships with. The service advertised on XSS could theoretically use similar connections, although the vendor has revealed very little about their modus operandi and did not mention law enforcement or government contacts. Instead, it appears that they provide falsified Russian documents to support asylum claims, likely based on leaked official documents.
Flashpoint intelligence analysts are aware of a Russian-language Telegram group where members shared advice on entering the United States via Mexico, including about “helpers” near the border. This group predated the February invasion, suggesting that Russian asylum seekers had probably found it increasingly difficult to enter the US legally already in 2021. The invasion and the exodus that ensued have given rise to a number of Telegram groups where users shared advice on both leaving Russia and integrating in the countries where they ended up. These groups, however, did not offer organized, guaranteed access to asylum in the United States.