Digital IDs in Russia: Security risks and the fight against credential theft


The advent of digital passports in Russia could spark a new surge of online fraud aimed at stealing access to State Services accounts. This warning comes from Igor Bederov, who leads the information and analytical research department at T.Hunter and shared insights with socialbites.ca. His assessment emphasizes that cybercriminals will likely pivot to the rollout, exploiting gaps between policy announcements and real-world user behavior. The potential for misuse grows as more citizens begin interacting with an electronic identity system that ties closely to government services.

A digital passport is a form of electronic identity that can, in certain situations, stand in for a traditional paper document. The plan envisions the digital credential being linked to each citizen’s account on the State Services platform and, in practice, being accessible via the portal’s website or mobile app. On September 18, a presidential decree instructed the government to draft within three months a list of scenarios where the digital ID may be treated as equivalent to a paper document. The central idea is to streamline access to government services while maintaining security, but it also broadens the surface for social engineering and credential theft if proper safeguards aren’t in place.

According to Bederov, the initial wave of risk is likely to revolve around email and social media messages that mimic legitimate Gosuslugi communications. Cybercriminals may push users to visit fraudulent sites that imitate the Gosuslugi interface, with the aim of harvesting login credentials and one-time codes used in two-factor authentication. The attacker’s goal is clear: obtain direct access to accounts and the associated personal data, which can then be exploited for financial or identity-related crimes.

He explains that the content of phishing messages could be crafted to trigger a sense of urgency. For instance, a letter might allege an immediate need to obtain a digital passport, or urge recipients to log into Gosuslugi to verify where electronic ID works. The language is designed to lower resistance, pressuring victims to act quickly before they have fully evaluated the risk. This pattern mirrors broader phishing tactics that prey on people’s routine interactions with government portals and digital IDs, turning everyday communications into traps.

The consequences of stolen access extend beyond personal inconvenience. Attackers might use compromised accounts to initiate microloans or other financial services through the State Services portal, a vulnerability that could ripple through the financial system. In some cases, compromised credentials are bought and sold on underground markets, enabling repeat offenses or more elaborate schemes. The risk landscape expands when a single breached account unlocks a larger network of services connected to the user’s identity, creating a domino effect that is hard to unravel.

There is also concern about the role of digital IDs in civic processes. The same credentials used for service access could conceivably be misused during electronic voting or validation steps tied to elections. Bederov notes that upcoming political milestones may attract intensified attempts to compromise state platforms, as criminals seek to influence outcomes or steal sensitive information. The warning is not just hypothetical: as digital identity adoption grows, so too does the incentive for bad actors to develop ways to defeat authentication measures and exploit user trust.

Recent discussions about the iPhone 15 and other consumer devices raise additional questions about fake sites and credential theft in the RuNet. While those cases highlight consumer risk more broadly, they underscore the urgency of robust user education, stronger authentication, and continuous monitoring of unusual activity within government-facing systems. The core takeaway is simple: as digital identity becomes more integrated with public services, the need for layered security—combining knowledge-based, possession-based, and inherence-based factors—becomes essential to protect citizens and preserve the integrity of national digital infrastructure. The public sector is urged to communicate clear guidance on recognizing phishing attempts, securing personal devices, and reporting suspicious activity promptly, while service providers tighten defenses against credential compromise and data exfiltration. Attribution: insights from T.Hunter’s security analysis and related discussions in the cyber threat community.
