Dark Covenant 3.0: Controlled Impunity and Russia’s Cybercriminals

This Insikt Group report ('Dark Covenant 3.0') assesses how Operation Endgame (May 2024–May 2025) and attendant Western policy measures have reshaped the Russian cybercriminal ecosystem: enforcement and sanctions have disrupted monetization and infrastructure nodes (e.g., Cryptex, UAPS, loaders, Lumma), while selective domestic protection, political patrons, and alleged intelligence touchpoints have allowed high-value ransomware operators (notably Conti/Trickbot alumni) to remain comparatively insulated; as a result, the underground is decentralizing, tightening affiliate vetting and OPSEC, proliferating low-credibility variants, and shifting payment/hosting strategies — producing higher transaction costs and fragmented visibility but not an overall collapse of capability.