Skip to main content
Advertisement
Live broadcast
Main slide
Beginning of the article
Озвучить текст
Select important
On
Off

Telephone fraudsters and call center owners are already adapting to the provisions of the law, dubbed "Anti-fraud 2.0", and have developed mechanisms to circumvent blocking by banks, Izvestia found out. They distribute instructions in profile chats on how to transfer money through drop cards and make transfers between individuals in the new conditions. Their bet is not on directly hacking bank security, but on using a distributed drop network and imitating the usual behavior of the client. As a result, the law can make such schemes more expensive and more difficult, but by itself it does not block the infrastructure through which the stolen money is quickly fragmented and sent down the chain, experts interviewed by the publication believe. The details are in the Izvestia article.

The law against fraudulent infrastructure

On June 9, the State Duma adopted Bill No. 1110676-8 in the second and third readings. On June 26, the President signed the document: it was published as Federal Law No. 210-FZ. The basic rules will enter into force in stages: a part — from September 1, 2026, a significant block — from March 1, 2027, and a number of other provisions — from September 1, 2027.

отделение банка
Photo: IZVESTIA/Sergey Lantyukhov

The new law strengthens several lines of protection at once. Banks will have access to data from the government's anti-ICT crimes system to verify transfers, will be able to delay individual transactions for up to six hours, and will be required to reject them if malware is detected on a customer's device. A single payment card accounting system and a limit are being introduced separately: banks will be able to provide one individual with a total of no more than 20 cards from which transfers are possible. Telecom operators, in turn, will receive additional responsibilities for detecting suspicious calls and informing subscribers.

The purpose of the package is not only to stop suspicious transactions, but also to increase the cost of the fraudulent scheme. The fewer banking details available and the faster banks and operators exchange data, the more difficult it is to withdraw the victim's money before it is blocked. However, the materials of the shadow market studied by Izvestia show that its participants are preparing to circumvent not a literal ban, but the criteria by which banks distinguish the criminal flow from ordinary transfers.

20 cards per person: drop networks distribute the load

Starting from September 1, 2027, there will be a limit on the number of payment cards — no more than 20 per customer. Before issuing a new card, banks will check the information in the unified accounting system and refuse to exceed the limit.

Деньги и карты
Photo: IZVESTIA/Yulia Mayorova

Externally, this measure looks like a blow to card farms. But Izvestia's interlocutors, who are familiar with the work of the high-risk segment, say that even now a single drop rarely requires several dozen cards. Shadow processing works differently: the load is distributed among a large number of people, and the blocked account is quickly replaced with a new one. Therefore, it is not the number of cards per holder that becomes a critical resource, but the constant influx of new owners and the period during which their details remain operational.

This can be seen from the ads in the Telegram channels studied by the editors. They openly offer to redeem cards and bank accounts of the largest credit institutions. Sellers ask for about 9,000 to 14,000 rubles for one set of banking details, and the price depends on the bank and the age of the owner.

Other publications are already distributing instructions on how to create new accounts and issue virtual cards to additional numbers. This shows that the shadow market is more likely to adapt to the massive attraction of new drops than to the use of dozens of cards by one person.

A snapshot of a blocked bank wallet posted in one of the channels is also indicative. Judging by the data on the screen and the caption to the publication, more than 5 million rubles were spent through it before the restrictions were imposed.

It is impossible to verify the origin of this amount from a single screenshot, but the publication itself shows how market participants measure the effectiveness of banking details: the volume of the flow before blocking, and not the number of cards the owner has, experts say.

The limit is thus able to reduce the most crude schemes in which dozens of payment instruments are issued per person. However, it does not solve the problem of distributed networks, where each participant uses only one or more cards, according to Izvestia sources in the industry.

Six hours to check: operations are disguised as everyday

The second important barrier is to strengthen control over suspicious transfers. The law obliges banks to take into account information from the state system for countering ICT crimes. If the customer has confirmed the order or has tried to carry out the transaction again, the bank will be able to postpone its execution for up to six hours in cases prescribed by law. During this time, he will be able to additionally verify the transfer and, if necessary, stop the withdrawal of funds.

Карта и телефон
Photo: IZVESTIA/Anna Selina

The shadow market's response is to "warm up" cards and accounts. The instructions studied by Izvestia suggest creating a story in advance similar to the behavior of an ordinary customer: making purchases, using different categories of goods and services, avoiding sudden changes in activity and not turning the account into an obvious transit hub. The editors deliberately do not provide step-by-step recommendations and specific modes of operations, so as not to reproduce the manual for drop guides.

The authors of such manuals separately warn about actions that may attract the bank's attention: a sudden increase in turnover, a series of similar transfers, a quick transfer of money immediately after receipt, a change of number or device. Instead, they suggest stretching account preparation over time and mixing transfers between individuals with regular purchases.

This tactic does not eliminate the six-hour delay, but it reduces the likelihood that a particular operation will be classified as suspicious at all. The anti-fraud system does not analyze criminal intent, which is not visible in the bank transaction, but a set of signs. Accordingly, the shadow market is trying to make these signs as similar as possible to the behavior of an ordinary user," Evgeny Masharov, head of the Center for Legal Support for Victims of Remote Fraud, Illegal Financial Transactions and Illegal Gambling, a member of the Public Chamber of Russia, told Izvestia.

хакер работает
Photo: IZVESTIA/Anna Selina

He added that this is the main limitation of behavioral control: the more accurately fraudsters copy everyday operations, the more difficult it is to strengthen filters without increasing the number of erroneous locks. A single suspicious transaction is easier to detect than a scheme with hundreds of regular accounts. In such cases, it is necessary to track the entire chain of transfers, rather than individual payments, the expert believes.

Fraudulent groups also have instructions on how to work with "manual drops" — not those who are lured out of codes by phone, but those who voluntarily cooperate with scammers for a fee, providing them with their data. Issuing a card by a real individual in a bank can "lull" the system's vigilance, experts believe.

Device protection: virus can be noticed, deception is not always

Another rule concerns cases when the client's device is infected with malware: the operation will not be performed in this case. The user will be informed of the reason for the refusal and will be offered to use other equipment or contact the branch. By September 1, 2027, customer consent will be required to enable security features.

According to the Vice President for Information Security at DOM Bank.Dmitry Nikishov's Russian Federation, the necessary mechanisms for such work have already been built.

Photo: IZVESTIA/Dmitry Korotaev

— We analyze session activity on clients' devices to detect malware. The system takes into account not only the signs of suspicious transactions, but also the abnormal behavior of the device from which the customer enters the bank. If a risk is detected, the operation is suspended, and an SMS is sent to the user explaining the reason for the safety of his funds. Then the bank contacts the client by phone to confirm that the transaction is voluntary," Nikishov said.

Such protection is important against remote hacking of an online bank, but it does not cover all scenarios, the manuals studied by Izvestia show. A significant part of phone fraud is based on social engineering: the victim himself confirms the transfer from an uninfected device. P2P chains can also use cards issued to real people and devices with a digital profile familiar to the bank.

This is exactly what the instructions from the shadow channels are aimed at. Their authors advise not to unnecessarily change the phone number, number and bindings, and in some cases, to keep the opportunity to contact the formal account holder for confirmation of the transaction or a visit to the branch. In other words, criminals try to make their actions look like the usual behavior of the client, and not as an attempt to hack. The malware rule blocks one technical channel of attack, but does not solve the problem of voluntary transfer under the influence of deception and subsequent withdrawal through legitimately issued accounts.

Why high-risk is recovering quickly

Funds received from the victim rarely stay in one account. They are crushed, passed through a chain of cards and accounts, and sometimes transferred to cryptocurrency through a P2P exchange. Intermediaries who provide such transactions call this area high-risk processing — processing of an increased (for them) risk of blockages. It serves not one platform, but many diverse clients, and uses a distributed infrastructure: Telegram channels, closed cabinets, panels with banking details, drop-in teams, and constantly updated lists of banking products.

A screenshot of one of these panels provided to the editorial staff shows an active device, a limit of more than 2 million rubles, and completed transactions of about 100,000 rubles each in USDT. In specialized communities, they simultaneously buy bank accounts, hold phone calls, and exchange information about which methods have stopped working. If one bank increases control, the flow is redistributed. If a set of banking details is blocked, it is replaced. If the processing site is closed, large clients switch to other channels.

The interlocutors cite the history of the illegal PaySelection/PaymentCenter platform as an illustration of this stability. In March, Arsen Hakobyan and a number of alleged members of his team were detained. Izvestia previously reported that the investigation linked their activities to the maintenance of illegal gambling. The final assessment of the charge must be given by the court.

Fintech entrepreneur and payment technology expert Ivan Pritula told Izvestia that Hakobyan's PaySelection/PaymentCenter could accumulate a significant share of high-risk traffic.

— It is difficult to give accurate estimates, but according to various sources, its share could reach up to 5-10% of the market, — he noted.

Photo: IZVESTIA/Sergey Lantyukhov

At the same time, Pritula stressed, even the withdrawal of large sites rarely brings down the segment.

"Large merchants in this market, as a rule, do not keep all traffic in one solution, but assemble large cascades from different processing and payment instruments, between which they distribute the flow," he noted.

Therefore, the effect of "Anti-Fraud 2.0" will depend not only on the severity of restrictions, but also on how quickly system participants will be able to exchange data, track related transactions and identify drops at an early stage, the expert believes. Otherwise, the law will close individual entrances, while the market will continue to change routes.

Don't block a regular customer

The downside of increased control is the risk of false alarms. The broader the risk assessment system and the longer the delay in operations is allowed, the higher the probability of erroneous blockages against bona fide customers. According to an estimate by Informzashita, which was cited by Kommersant in January, 2-3 million ordinary citizens could be temporarily blocked in the first two weeks of 2026 alone. Economist Andrey Barkhota told Izvestia that excessive tightening of controls could have a side effect.

карта и ноутбук
Photo: IZVESTIA/Yulia Mayorova

If you tighten the screws completely — monitor and suspend even transfers of 10 thousand rubles, introduce periods of cooling, blocking and freezing, this can lead to an increase in demand for cash. People will use them more often and may start withdrawing funds from their accounts," he suggested.

This trend is already being recorded by statistics. According to the Bank of Russia, the volume of cash outside the Central Bank increased from 19.45 trillion rubles on January 1 to 20.49 trillion on June 1, 2026. In May, the volume of growth amounted to 381.2 billion rubles, which was a record monthly result since at least 1995, Forbes noted, citing data from the regulator. By itself, this increase does not prove a connection with anti-fraud measures: the regulator cited among the reasons the desire of citizens to have a reserve of cash and business adaptation to higher taxes. However, it shows that the convenience and predictability of non-cash payments remain a sensitive factor.

According to experts interviewed by Izvestia, banks and the regulator face the task of making drop schemes unprofitable and short—lived, but maintaining the simplicity of regular transfers for bona fide customers. Fraudsters are already adapting schemes to behavioral criteria, so the effectiveness of the law will depend not on the card limit or a six-hour pause, but on the ability of the financial system to combine disparate signals and quickly distinguish imitation of normal life from normal life itself, experts add.

Переведено сервисом «Яндекс Переводчик»

Live broadcast