When external threats become internal risks

Anna Borgström

CEO | NetClean

The greatest weakness is human. Someone downloading from .ru sites becomes a vector long before a breach shows up.

Our latest analysis of NetClean’s global threat feed shows that around 20% of CSAM hosting URLs and domains use the .ru top-level domain.

That figure isn’t coincidental. It aligns with Recorded Future’s Dark Covenant 3.0: Controlled Impunity and Russia’s Cybercriminals, which describes how Russia’s cyber ecosystem has evolved into a “managed market” — a space where criminal infrastructure is selectively tolerated or controlled by the state.

The same networks that enable ransomware, fraud and disinformation are also used to distribute child sexual abuse material.

A shared ecosystem of crime and state control

That 20% footprint is not unique to CSAM. Similar proportions appear across ransomware and malware infrastructure globally, reflecting how Russian-registered domains have become a persistent hub for both criminal and state-aligned operations.

When we connect these dots, we see a larger pattern: the same infrastructure that supports ransomware also sustains content distribution and espionage.

The human layer as the bridge

Why this matters for enterprises is simple: the human layer is the bridge. When access to CSAM is detected inside a corporate network, it is a security signal.

Individuals consuming illegal content are at high risk of compromise, coercion or blackmail. Both the UK’s National Protective Security Authority and the U.S. CISA Insider Threat Program highlight blackmail and coercion as key methods used by adversaries to recruit or exploit insiders.

From external actors to internal compromise

There is growing evidence that these tactics are real. U.S. Department of Justice filings describe how Russian actors attempted to pay a Tesla employee to plant malware for data exfiltration — a direct link between criminal ecosystems and insider compromise.

At the same time, Mandiant and CrowdStrike have documented mature Russian-language marketplaces where initial access brokers sell corporate footholds and infostealer logs full of stolen credentials are traded, effectively monetizing insider access at scale.

When employees visit high-risk .ru sites, they leave behind digital footprints — IPs, browser fingerprints and credential traces — that can end up in those same markets, exposing both the individual and their employer to exploitation.
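To make the "security signal" idea concrete, here is an added example (not NetClean's code, and not part of the original article) that scans constructed proxy log lines and raises a per-user signal when repeated requests go to hosts under a configured high-risk top-level domain, using .ru from the article as the only entry in that list. The log format, user names, hosts and threshold are all assumptions for illustration. The TLD is deliberately treated as a coarse enrichment signal for insider-risk review rather than as proof of anything: actual CSAM identification would require a classification feed such as the one the article describes, which this script does not implement.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy log lines (not real traffic).
# Format (assumed): <timestamp> <user> <method> <url> <status>
SAMPLE_LOG = """\
2024-05-01T08:12:03Z alice GET https://intranet.example.com/home 200
2024-05-01T08:15:44Z bob GET http://files.example-share.ru/download/archive.zip 200
2024-05-01T08:16:10Z bob GET http://files.example-share.ru:8080/download/part2.zip 200
2024-05-01T09:01:22Z carol GET https://news.example.ru/ 200
2024-05-01T09:05:30Z carol GET https://docs.example.org/page 200
2024-05-01T10:02:51Z dave GET http://203.0.113.7/index.html 200
2024-05-01T10:30:00Z alice GET https://cdn.example.net/app.js 200
this line is malformed and should be skipped
"""

# Policy list (assumption): .ru is the TLD the article singles out.
# In practice this set would come from the organisation's own risk policy.
HIGH_RISK_TLDS = {"ru"}

LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def extract_tld(url):
    """Return the last DNS label of the URL's host, or None for IP literals,
    single-label (internal) names and unparsable URLs."""
    host = urlsplit(url).hostname  # strips port and userinfo, lowercases
    if not host:
        return None
    host = host.rstrip(".")  # tolerate a fully-qualified trailing dot
    if ":" in host:  # IPv6 literal
        return None
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):  # IPv4 literal
        return None
    if "." not in host:  # e.g. "intranet" with no suffix
        return None
    return host.rsplit(".", 1)[-1]


def scan_proxy_log(log_text, risky_tlds=HIGH_RISK_TLDS, threshold=2):
    """Group requests to high-risk TLDs by user and return a signal for each
    user whose count reaches the threshold. Malformed lines are skipped."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # a production pipeline would count and report these
        tld = extract_tld(m["url"])
        if tld in risky_tlds:
            hits[m["user"]].append((m["ts"], urlsplit(m["url"]).hostname))

    signals = {}
    for user, events in hits.items():
        if len(events) >= threshold:
            signals[user] = {
                "count": len(events),
                "hosts": sorted({host for _, host in events}),
                "first_seen": min(ts for ts, _ in events),
            }
    return signals


if __name__ == "__main__":
    for user, info in scan_proxy_log(SAMPLE_LOG).items():
        print(f"insider-risk review: {user} -> {info}")
```

With the sample above only `bob` is surfaced (two requests to a .ru host, one of them on a non-default port), while `carol`'s single .ru visit stays below the threshold and `dave`'s IP-literal request yields no TLD at all. The threshold and the policy list are the two knobs a SOC would tune; the output is meant to feed an insider-risk review queue, not to block traffic or accuse anyone on its own.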

A geopolitical risk hidden inside the firewall

This pattern reflects Recorded Future’s assessment that Russian cybercrime increasingly serves “influence, information acquisition and leverage in Russia’s geopolitical strategy.”

In other words, the same infrastructure that sustains ransomware and espionage also supports the resale of corporate access and data — a natural outlet when insiders are coerced or compromised.

Human behavior is now a national security issue

The overlap between criminal infrastructure and human vulnerability is no longer theoretical. It is visible in our data — and actionable for adversaries.

Understanding insider risk today means looking beyond perimeter threats and paying attention to high-risk behaviors inside the network that can be weaponized.