The Criminal Code may get an article on DDoS attacks
The government has prepared amendments to the Criminal Code that introduce liability for DDoS attacks: the maximum punishment is a fine of up to 2 million rubles or up to eight years in prison. The new offence will apply to targeted actions that have led to failures in the operation of digital systems. However, lawyers and cybersecurity specialists warn that without clear criteria for intent and technical implementation, bona fide users could also fall under such regulation.
Kommersant has reviewed the second large-scale package of measures to combat cybercrime, developed by the Ministry of Digital Development together with market participants, which will affect about a dozen federal laws. The ministry and the office of Deputy Prime Minister Dmitry Grigorenko told Kommersant that the document “is undergoing interdepartmental coordination and may change taking into account the proposals of departments and industry”.
On June 1, 2025, the law on combating telephone and Internet fraud, signed by President Vladimir Putin in early April, entered into force in Russia. The document provides for more than 30 measures, including the creation of the state “Antifraud” system for exchanging data on suspicious numbers and accounts, mandatory labelling of calls, a ban on the use of foreign messengers for communication by civil servants and banks with citizens, as well as a ban on transferring SIM cards to third parties.
The new package, which officials themselves call “Antifraud 2.0”, includes several dozen new measures, as well as additions to the criminal, criminal procedure and administrative codes. As the press service of Mr. Grigorenko specified, the “second package” of measures is being developed on the instruction of his office.
Among other proposals, the authors of the document propose adding Art. 272.2 to the Criminal Code, “Malicious impact on an information system, an information and telecommunication network, computer information or a telecommunications network.” It is meant to define the sanctions for DDoS attacks. The maximum punishment under the article is a fine of up to 2 million rubles, imprisonment for up to eight years and a ban on holding certain positions for up to three years. However, the draft has an exception for persons who attacked resources “access to which is prohibited or limited by law.” They bear no liability for such acts.
The act for which punishment is provided is described in the draft article as a “targeted impact” on information and other systems, “associated with the blocking or destruction of computer information, which caused significant damage or entailed other serious consequences”. Lawyers and information security specialists interviewed by Kommersant said that the definition of “targeted impact” is an important clarification in the draft.
A high-profile precedent of criminal punishment for a DDoS attack in Russia was the case of Pavel Vrublevsky in 2013. At that time the Tushino court of Moscow sentenced him and two hackers to two and a half years in prison for organizing such an attack on the Assist website. The legal norm applied was Part 2 of Art. 272 of the Criminal Code of the Russian Federation, “Unlawful access to computer information.”
“It is necessary to hold accountable those who bring services down, but it must be defined precisely what is to be considered an attack. Any user can unintentionally create a load; it is a question of intent and technology,” says Yaroslav Shitsle, head of the IT dispute resolution practice at the law firm Rustam Kurmayev and Partners. According to Anton Pulyaev, managing partner of ADVOLAW, for law enforcement it is important to define the objective signs of a violation (the use of bots, abnormal requests, repeated actions from one IP, etc.), to clearly specify the concept of intent (coordination of actions, the use of special software, participation in cybercriminal groups) and to establish a damage threshold (duration of the failure, economic losses, consequences for critical systems). “Without this, there is a risk of qualifying random or good-faith actions as a crime,” the lawyer adds.
There is a gray zone around automated parsing (automated data collection from websites) and work with open APIs, says Anton Cheyakin, head of the analytical department of ServicePipe. Often even the owners of a resource cannot say unequivocally whether they want third-party organizations to access their knowledge bases and, if so, with what restrictions. According to Timofei Voronin, deputy director of the NTI Competence Center, a multiple-fold increase in the number of orders on marketplaces and in online stores can also be mistaken for a DDoS attack, since the possible consequences of such a rush are similar to the consequences of an attack. “It is advisable to identify precisely the organizers of attacks in order to hold them accountable,” he concludes.