Amid Exodus, Threat Actor Announces US Immigration Services on DDW Forum in Russian XSS


As Russians leave their country in droves, a threat actor offers suspected immigration services to the United States or Canada.

Move to “The Shade” for $5,000

A threat actor operating under the pseudonym “Royal Bank” is advertising suspected immigration services in the United States or Canada on the Russian-language forum XSS, Flashpoint has identified. The post, pictured in Russian below, took place on June 17.

The service is also called “Royal Bank” and its motto is: “The best place under the sun is in the shade”.

The “shadow” is not located on the territory of the Russian Federation, but rather in North America, the United States or Canada. The service would cost $5,000.

Context: sanctions, economic setbacks, emigration

The rapidly deteriorating economic and political outlook in Russia has caused an exodus of dissidents and young professionals. Estimates differ on the number of IT specialists who left Russia after the invasion of Ukraine in February 2022, but experts agree that number is in the tens of thousands, possibly even more. of 100,000.

To counter this, the Russian government has tried to mitigate the effect of the brain drain on IT workers through various means, including tax breaks and preferential loans, as well as allowing IT professionals imprisoned from working remotely.

Russian authorities have also tightened repressive laws limiting freedom of expression, including online. They also plan to introduce tougher penalties on data theft and the dissemination of stolen data.

Screenshot of the “Royal Bank” logo on XSS. The threat actor advertises alleged immigration services in the United States and Canada for $5,000.

At the same time, the war drew attention to Russian influence operations, espionage and various ways to evade sanctions, for example on technology transfer, which led to a breakdown in cooperation. scientific and led to the expulsion of a large number of Russian diplomats.

Ordinary Russians are finding it increasingly difficult to obtain visas to enter the United States and the EU. It is unclear to what extent changing conditions have affected the consideration of Russian asylum applications in the West, but the issue is politically sensitive. In the United States, the Biden administration has so far only increased access to asylum for Russian scientists, while Russian asylum seekers have reportedly appeared on the southern border of the United States.


Providing easier access to asylum in a Western country is by no means a novelty. In 2019, Flashpoint reported on a darknet vendor that offered “refugee status” in several European Union member states, namely France, Germany, Greece, the Netherlands, and the United Kingdom. United, within 10-15 days.

The seller then claimed to be able to rely on “people from the government” with whom he had established relations. The service advertised on XSS could theoretically use similar connections, although the provider revealed very little about its modus operandi and did not mention law enforcement or government contacts. Instead, it appears they are providing falsified Russian documents to support asylum claims, likely based on leaked official documents.

Flashpoint intelligence analysts are aware of a Russian-language Telegram group where members shared advice on entering the United States through Mexico, including “helpers” near the border. This group predates the February invasion, suggesting that Russian asylum seekers likely found it increasingly difficult to legally enter the United States already in 2021. The invasion and subsequent exodus have gave rise to a number of Telegram groups where users shared advice on leaving Russia and integrating into the countries where they ended up. These groups, however, did not offer organized and guaranteed access to asylum in the United States.

Get Flashpoint on your side

Request a demo today and see for yourself how Flashpoint’s advanced threat intelligence solutions help cybersecurity, fraud, and physical security teams identify IOCs and take action to protect their assets from cybercriminals.

Sylvester L. Goldfarb