The Russian government has unveiled a sweeping package of draft legislation billed as a crackdown on online fraud, but rights groups warn it will significantly expand state surveillance powers and online repression, Meduza reported on September 30.

The proposals were published by the Digital Development Ministry and will create legal cover for cyberattacks against opposition media and foreign organisations as the Kremlin ramps up its efforts to police online activity in Russia.

The Russian government has approved a sweeping Action Plan to tighten its control over internet infrastructure in August, mandating operators to monitor user activity and granting law enforcement agencies powers to restrict communication services.

The effort is part of a years-long effort by the Kremlin to impose a “digital sovereignty” on the RuNet, as the Russian internet is known, similar to the regime run by China. The efforts started with the Yarovaya law in 2018, that laid a legal basis for better state control over the internet that required that mobile phone operators and internet companies store recordings of users' calls and online activities for six months and give the Federal Security Service (FSB) more access to the data.

Under the new draft law, among the most far-reaching changes is the creation of a centralised database of all mobile device identifiers, most likely International Mobile Equipment Identity (IMEI) numbers, Meduza reports. Under the plan, each telecom operator would maintain its own registry, feeding into a national system managed by the federal censorship agency Roskomnadzor. The FSB would determine which devices are blacklisted from Russian networks.

The Kremlin’s campaign against foreign owned services has escalated recently, when both the Telegram and WhatsApp messaging services were disrupted in August, targeting only Russia-based IP addresses. YouTube was also slowed to a crawl in February as the Kremlin reportedly tests new technology that can block foreign services in Russia, but has caused internet outages on occasion as the system remains imperfect. At the same time, the Kremlin is pushing homespun alternative applications. This month, it launched the Russian-made Max messaging service which is pre-installed on all new smart phones as standard in Russia.

Foreign nationals will also face tighter restrictions under the new rules. From January 2025, mobile contracts for foreigners must include device identifiers, and carriers could be fined if customers insert SIM cards into another handset.

“This violation will be added to the already lengthy Article 13.29 of the Administrative Code,” Meduza reported. Companies would face fines of RUB300,000–500,000 ($3,600–$7,200), while individuals and officials could be fined between RUB30,000 and RUB50,000 ($360–$600). Repeat violations could bring criminal charges if damages exceed RUB5mn ($60,300).

The package also limits the number of SIM cards allowed per individual. From November 1, Russian citizens will be capped at 20 SIMs and foreigners at 10, with fines for mobile operators that issue more than permitted.

New criminal penalties are also proposed for cyber extortion and system interference. A new article, 163.1, would cover ransomware and DDoS attacks, carrying sentences of up to 15 years and fines of RUB5mn ($60,300) for organised groups or large-scale ransoms. A separate article, 272.2, would criminalise deliberate interference with information systems, punishable by up to eight years in prison.

One of the most controversial provisions would shield hackers from liability if their targets are websites already banned in Russia. “A person shall not be held criminally liable under this article if their actions are directed against information resources on the Internet whose access is prohibited or restricted under Russian law,” the text states. Observers say this would effectively permit cyberattacks on outlets such as Meduza, which has been designated an “undesirable organisation”.

The draft laws also introduce explicit provisions for cryptocurrency confiscation. Digital assets will be classified as property under the Criminal Code, allowing investigators to seize hardware wallets, online wallets or even seed phrases. Seized funds would be transferred to government-controlled wallets under procedures still to be established.

The proposals follow recent restrictions that banned voice and video calls on WhatsApp and Telegram, cutting millions of Russians off from their primary communication channels. Critics argue that while parts of the legislation target genuine cybercrime, the broader effect is to entrench state control over digital communications.