Russia is scrambling to rein in the country’s sprawling illicit market for leaked personal data, a shadowy ecosystem long exploited by investigative journalists, police and criminal groups.
For more than a decade, Russia’s so-called probiv market – a term derived from the verb “to pierce” or “to punch into a search bar” – has operated as a parallel information economy built on a network of corrupt officials, traffic police, bank employees and low-level security staff willing to sell access to restricted government or corporate databases.
While leaked databases exist everywhere, the scale and routine use of probiv is uniquely Russian. It grew out of the country’s deeply corrupt state infrastructure and became indispensable both to those seeking to exploit the system and to those trying to expose it.
For a modest fee – sometimes as little as $10 – buyers can obtain passport numbers, home addresses, travel histories, car registrations and internal police records. At the higher end, entire dossiers could be purchased on individuals, including metadata on calls and movements.
Probiv, whose use remains controversial among Russian journalists, have underpinned high-profile investigations, including tracing the FSB state security unit behind the poisoning of Alexei Navalny.
It also served the police and security services themselves, who routinely used the black market to track activists, opposition figures and anyone who fell outside the state’s favour.
“It is one of the paradoxes of modern Russia: on the one hand, these services are illegal and rely on leaked data, yet on the other, they are far more convenient for day-to-day police work than the multitude of official departmental databases,” said Andrei Zakharov, an investigative journalist who recently published a book on probiv.
But as the war in Ukraine stretched into its fourth year, the Kremlin began to view probiv less as a tolerated convenience and more as a threat.
Phone scam syndicates were using leaked data on an industrial scale, while Ukrainian intelligence had learned to exploit the country’s porous information landscape to identify and assassinate military officials inside Russia.
During his annual phone-in with the nation last year, President Vladimir Putin himself admitted that a close friend had fallen victim to a phone scam.
That incident, said Zakharov, was the signal for security services to start closing down on the probiv market. Over the past year, Putin has signed laws tightening penalties for data leaks, imposing up to 10 years in prison for accessing or distributing such information.
The security services have also begun an aggressive hunt for probiv operators, detaining several brokers and targeting the infrastructure they rely on. Among the most high-profile arrests was of the team behind Usersbox, one of the widest-used and cheapest services.
But the Kremlin’s war on probiv appears to have had the opposite effect, Zakharov said. Many of the leading probiv operators and brokers have moved their businesses abroad where they are far less constrained by informal deals with the security services or fear of immediate arrest.
“Before, they still worked with the security services, or would think twice before releasing something extremely sensitive. Now all their brakes are off,” Zakharov said. “They’re dumping one sensitive leak after another.”
He cited last year’s massive FSB database known as Kordon-2023, which was leaked online, containing details of people who had crossed Russia’s borders between 2014 and 2023. Zakharov described it as one of the largest and most consequential leaks to date.
Well-known services such as Himera, which had been known to cooperate with the authorities, have changed course: the group said it had cut off law-enforcement access and relocated all its staff.
Ukrainian hackers have joined in. Since Russia’s full-scale invasion, pro-Ukrainian hackers and other intelligence groups have repeatedly breached Russian state and commercial systems, stealing data and releasing it openly – often for free, and largely for ideological reasons.
Last year, the Ukrainian hacker group KibOrg published online a database belonging to clients of Alfa Bank, Russia’s largest private commercial bank.
The leak allegedly contained personal data on roughly 24 million individuals and more than 13m organisations.
“Taken together,” Zakharov said, “it has never been easier to find private Russian data on the market.”
