Zero-contact Spycraft: Tracing the Evolution of the Dead Drop into Cyber Operations

The logic behind the age-old spycraft of physical dead drops—to eliminate personal, observable contact between a source and a handler—translates into contemporary mediums like cyber operations. Russian intelligence services have demonstrated this with salience, encoding a digitally refined version of the analog dead drop into institutional doctrine. Even Salafi-jihadist groups like al Qaeda, al Shabaab, and the Islamic State have used digital dead drops in response to widespread deplatforming across the internet. In both instances – a few of many – the same principle carries across the human and cyber domains. It functions not as a static technique or relic of the past, but as an important example of how historic tradecraft techniques evolve to meet contemporary demands. [source] [source]

Scholars and web writers have documented the dead drop technique and its digital rendition extensively, both in the existing literature and in contemporary web articles. And physical dead drops are not a relic of the past. They persist because they still work, and they remain a relevant tradecraft practice today. A notable example is the illicit drug market in Europe and Asia. Some Russian dealers use dead drop locations as pickup sites for customers. Once a customer makes a purchase, they receive information on where to pick up the product. In a world where dark web purchases can go straight to a home address, that may seem strange, but it serves a purpose. The sheer speed and convenience are an advantage over using the postal service, and that means higher profitability for the vendor. [source] [source]

With that, the purpose of this article is not to reinvent the technique or revisit already established trails. Instead, the attention directed towards the evolution of the dead drop – the digital dead drop – is a demonstration of how tradecraft is flexible and adaptable, which helps inform how analysts can respond to it today. To that end, this article will examine dead drop doctrine as practiced by various actors before assessing the current state of countermeasures against it.

1.0 The Evolution of the Dead Drop

The Dead Drop: Two parties establish communication. A location for the drop is determined. One actor places the item in the drop site. Later, another picks it up. Neither actor crosses paths, nor are words exchanged. That is the core logic.

Physical dead drops predate the internet by centuries, with proto-methods going back as far as Ancient Rome and the American Revolutionary War. But as we know the tradecraft today, the Cold War is where its evolution towards the digital domain began. Double agents and intelligence operations utilising the physical dead drop mark the proverbial canon of spycraft: Aldrich Ames, Rudolf Abel, Robert Hanssen, and the Russian illegals uncovered as part of Operation Ghost Stories, to name a few.

Operation Ghost Stories is as recent as the 2010s and is one of the most well-documented examples of real-life physical dead drop use. In short, Ghost Stories was an FBI counterintelligence operation targeting and apprehending 10 Russian Foreign Intelligence Service (SVR) operatives inside the United States. Extensive surveillance during the operation unveiled and captured SVR tradecraft on camera, including the use of physical dead drops. [source]

1.1 Physical Dead Drops to Electronic and Digital

Physical dead drops fall under the category of “impersonal communications”. As the name alludes, that means methods of transmitting communications or materials without the necessity of direct contact. A related yet distinct category within impersonal communications is covert communications (COVCOM). Unlike dead drops, COVCOM focuses on tasking and reporting, omitting the exchange of physical materials like rolls of film or copies of documents.

We can highlight the evolution from physical to electronic methods by examining changes within COVCOM. One example is the Czech-developed Short-Range Agent Communications (SRAC) device of the late 1960s. In essence, an agent would record a message on a UHER 4000 tape recorder. They would then place the UHER in a vehicle, connect the SRAC to the vehicle’s antenna, and drive to the general vicinity of the dead drop zone. While driving around the zone, the agent would transmit the message through the SRAC over short-range VHF radio. Another agent, the receiver, hidden within the zone, would pick up the broadcast and record it. [source] [source] [source]

SRAC did not replace physical dead drops, as it addressed a different operational requirement. What it illustrates, however, is that the broader category of impersonal communication was moving towards electronic mediums decades before the internet formally existed. 

From the Cold War on, there are various examples of how the practice developed. Skipping the 90s – existing reporting points to the use of digital dead drops by al-Qaeda going back to 2005. The “foldering” technique is one method, where operatives access saved messages in the drafts folder of a shared email account. In theory, keeping the communications within unsent drafts makes them difficult to intercept, because intelligence services would need access to the email host’s servers to do so. Additionally, al-Qaeda, al-Shabaab, and ISIS have used services like Telegram, JustPaste.it, and cloud-based file sharing as digital dead drop analogues. And again, the same core logic applies. The sender determines the drop location and stores the file. The receiver uses a previously communicated link to access it. It is in the cyber operations of state actors, however, where dead drop logic has been consistently and deliberately institutionalised. [source]

2.0 Institutionalisation: The Russian Intelligence Case

Russia’s Foreign Intelligence Service (SVR) and Federal Security Service (FSB) have each converged on the same digital dead drop principle across an array of toolsets and a decade of recorded operations, a pattern consistent with institutional doctrine. The evidence that supports this assessment is substantial, yet necessarily inferential. It warrants moderate confidence that this observation represents embedded operational doctrine rather than ad hoc technical improvisation.

2.1 SVR: Operation Ghost

Operation Ghost is an ongoing SVR cyber espionage operation conducted by Advanced Persistent Threat 29 (APT29). APT29 — also named Dukes, CozyBear, and Yttrium — is the primary cyber arm of the SVR. Operation Ghost likely started in 2013 and remained undetected until 2019. Targets include Western and former USSR governments and think tanks, among other politically involved parties and institutions. On the technical side, Operation Ghost used the PolyglotDuke malware family for its digital dead drops. When a machine was first infected, PolyglotDuke would connect to a public service like Imgur, Reddit, or Twitter and access stored images encoded with steganography. Those images contained the current address of the command-and-control server (C2). [source] [source]

In theory, PolyglotDuke functions just like a physical dead drop. The image is the deposited information, using a neutral public service to host it. Unless you knew it contained an encrypted message, it would be just another picture on the clear web. There is no direct contact between the operator and the operation. Within the MITRE ATT&CK matrix, which is a knowledge base of common adversary tactics and techniques, PolyglotDuke’s dead drop function falls under T1102.001 – Web Service: Dead Drop Resolver. [source]

The name overlap between Operation Ghost and Operation Ghost Stories is purely coincidental. The SVR is behind both operations, and dead drops are present as a tradecraft practice in each: physical dead drops in Ghost Stories, digital dead drops in Ghost. In that regard, Operation Ghost represents one of the most transparently documented examples of the dead drop’s evolution. Alongside Operation Ghost Stories, it supports the broader argument for institutional continuity within Russian tradecraft.

2.2 FSB: Turla

Turla, an FSB-linked threat actor with activity going back to 2004, provides a parallel case. While Operation Ghost is a case study in SVR tradecraft, Turla and its tools reflect the same core logic, but with a different service.

In December 2020, researchers from the cybersecurity firm ESET disclosed Crutch – a previously undocumented backdoor within the Turla toolset. Crutch had been in use since 2015 against a Ministry of Foreign Affairs office within a European Union country. In essence, it would exfiltrate stolen documents to Dropbox accounts controlled by Turla operators, and receive commands the same way. Documents were uploaded as ZIP archives, and commands were read from the same accounts and executed on the tool’s own schedule. Dropbox traffic does not stand out as suspicious in most networks, making it a viable platform for the dead drop, with Turla as the handler. [source]


A related tool, Carbon, offers the clearest documented link between the cases. Security researchers from Accenture identified a configuration parameter within Carbon explicitly labelled “[RENDEZVOUS_POINT].” The parameter points to a Pastebin URL containing encrypted code. Decryption then reveals the bundled malware. The parameter name reads as intelligence tradecraft language rather than engineering convention. ESET researchers also reconstructed the likely working hours of Crutch operators by analysing 506 different Dropbox upload timestamps. This is a reminder that even the most well-executed digital dead drops leave forensic traces. [source]
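To show what the timestamp analysis mentioned above looks like in practice, here is an added example that is not ESET’s analysis or data: it reconstructs a likely operator working day from a set of upload timestamps. The timestamps are constructed for the illustration, the candidate timezone is inferred under the assumption of a 09:00-18:00 local workday, and every function name is this example’s own.

```python
"""Working-hours reconstruction from upload timestamps.

Added example (not ESET's analysis or data): models the timestamp profiling
described in the article. The timestamps below are constructed; the analyst's
assumed "business day" of 09:00-18:00 local time is a stated assumption.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone


def _constructed_uploads():
    """Constructed sample: ten working days of uploads at 06:00-14:00 UTC
    (09:00-17:00 for an operator at UTC+3), plus two weekend outliers."""
    start = datetime(2019, 3, 4, tzinfo=timezone.utc)  # a Monday
    stamps = []
    for day in range(14):
        current = start + timedelta(days=day)
        if current.weekday() >= 5:  # skip Saturday and Sunday
            continue
        for hour in range(6, 15):
            stamps.append(current.replace(hour=hour, minute=(hour * 7) % 60))
    stamps.append(datetime(2019, 3, 9, 6, 15, tzinfo=timezone.utc))    # Saturday
    stamps.append(datetime(2019, 3, 17, 12, 40, tzinfo=timezone.utc))  # Sunday
    return stamps


# The input as an analyst would hold it: ISO-8601 strings, one per upload.
UPLOAD_TIMESTAMPS = [t.isoformat() for t in _constructed_uploads()]


def parse_timestamps(lines):
    """Parse ISO-8601 timestamps (with UTC offset) into aware datetimes."""
    return [datetime.fromisoformat(line.strip()) for line in lines]


def hourly_histogram(stamps, utc_offset_hours):
    """Count uploads per local hour for a candidate operator timezone."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return Counter(t.astimezone(tz).hour for t in stamps)


def busiest_window(hist, width=8):
    """Start hour and count of the densest contiguous (wrap-around) window."""
    best_start, best_count = 0, -1
    for start in range(24):
        count = sum(hist.get((start + i) % 24, 0) for i in range(width))
        if count > best_count:
            best_start, best_count = start, count
    return best_start, best_count


def business_hours_fit(stamps, utc_offset_hours, start=9, end=18):
    """Fraction of uploads inside an assumed 09:00-18:00 local workday."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    inside = sum(1 for t in stamps if start <= t.astimezone(tz).hour < end)
    return inside / len(stamps)


def likely_utc_offset(stamps, candidates=range(-12, 15)):
    """The UTC offset whose local workday explains the most uploads."""
    return max(candidates, key=lambda off: business_hours_fit(stamps, off))


def weekday_split(stamps, utc_offset_hours):
    """(weekday, weekend) upload counts in the candidate timezone."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    weekday = sum(1 for t in stamps if t.astimezone(tz).weekday() < 5)
    return weekday, len(stamps) - weekday


def profile(lines):
    """Full profile: best-fit offset, busiest local window, weekday/weekend split."""
    stamps = parse_timestamps(lines)
    offset = likely_utc_offset(stamps)
    window_start, window_count = busiest_window(hourly_histogram(stamps, offset))
    weekday, weekend = weekday_split(stamps, offset)
    return {
        "uploads": len(stamps),
        "likely_utc_offset": offset,
        "busiest_window_start": window_start,
        "busiest_window_count": window_count,
        "weekday": weekday,
        "weekend": weekend,
    }


if __name__ == "__main__":
    for key, value in profile(UPLOAD_TIMESTAMPS).items():
        print(f"{key}: {value}")
```

The profile is only as good as the workday assumption, so in real casework the offset would be cross-checked against other traces (language artefacts, public holidays absent from the activity) rather than read off a single fit. The weekday/weekend split is the part that distinguishes a staffed operation from automated uploads, which run on a scheduler and show no such gap.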

The SVR and FSB arrived at the same operational principle, spanning multiple toolsets and a decade of activity. The pattern’s consistency, while inferential, supports with moderate confidence the assessment that the digital dead drop represents embedded doctrine within Russian intelligence tradecraft, rather than independent technical choices made by separate teams.

3.0 The Challenge of Detection

Shared doctrine across different services suggests that the use of digital dead drops is not a one-off activity. If the tradecraft lacked durability, its implementation would be more incidental. Because it is not incidental, the same structural logic – a neutral intermediary a defender cannot eliminate without cost to themselves – gives the dead drop resistance to exposure across every medium it has occupied. For over half a century, at that. 

With public services serving as the neutral intermediary, a structural problem is glaring for defenders. When an organisation blocks Google Drive, OneDrive, GitHub, Dropbox, Pastebin, Reddit, X, and the like, its own operations become impeded. And in today’s enterprise environment, cloud services are a vital part of company infrastructure. This is a structural asymmetry: defenders face an open-ended set of potential intermediaries, while attackers only need to find one that is unblocked. This is also why Crutch’s Dropbox traffic and Carbon’s Pastebin requests did not trigger alerts in their respective environments. It wasn’t about the platform, as any platform could have served the same purpose.

The attacker also has a residual advantage. If malware connects directly to an attacker’s server, the defender only needs to identify the IP address and block it to eliminate the threat. In response, the attacker must construct new infrastructure and redistribute the malware with its new address to target machines. This process is slow and carries significant risk, especially if the defender is situationally aware and bolsters the network to prevent further intrusions.

But with PolyglotDuke or Carbon, the malware does not possess the actual C2 address. Instead, it contains the instructions to find the address, keeping the actual address stored externally, where it can be changed at any time. This is where the residual advantage comes into play. If the defender locates the intermediary service used to store the dead drop and it gets taken down, the attacker does not need to touch the malware. They simply upload a new encoded file, and the malware on infected machines looks in the same type of location as programmed and encounters the new pointer. Because of this, chasing individual dead drops yields short-lived victories.

However, that issue does not negate the potential countermeasures. Instead of targeting the drop locations, you target the resolver – the logic malware uses to find and decode its instructions, no matter the host location. 

4.0 The Countermeasures Effort

The disposable nature of individual dead drops requires durable countermeasures that can target the underlying and unchanging malware logic that finds and decodes them. That idea is the premise behind VADER, a forensics system developed by security researchers at Georgia Tech and the United States Military Academy. [source]

Functionally, VADER analyses the method a malware sample uses to decode hidden content. It then extracts the logic the malware uses to locate and decrypt a dead drop, regardless of the drop’s host location. That logic can be applied to tools that scan live web traffic for other content that decodes the same way. From that, previously unencountered dead drops surface. VADER identifies them proactively rather than passively waiting for a report. [source]
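The following added example serves both the PolyglotDuke dead drop resolver described in section 2.1 and the VADER approach described here. It is not VADER’s code and not PolyglotDuke’s real format: the steganographic images are replaced by a plain text token, the marker, XOR key and validation rule are constructed stand-ins for what would be recovered from a sample, and the corpus of “public posts” with its .example hosts and 203.0.113.7 documentation address is constructed. What it demonstrates is the resolver-centric idea: once the decode-and-validate logic is known, every location that logic decodes can be surfaced, including a rotated pointer the original sample never contained.

```python
"""Resolver-centric scanning for digital dead drops.

Added example, not VADER's code and not PolyglotDuke's real format. It models
the approach in the article by (1) expressing a sample's extracted resolver
logic as a decode-and-validate function and (2) running that logic over a
corpus of public content to surface drops and C2 pointers the original sample
never referenced. The token format, key and corpus are all constructed.
"""
import base64
import binascii
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# --- 1. The "extracted" resolver logic -------------------------------------
# Assumed toy format (standing in for PolyglotDuke's steganographic images):
# the drop carries a token "sig:<base64>", the decoded bytes are XOR-ed with a
# key fixed inside the malware, and the result must be an http(s) URL. The
# marker, key and validation step are stable across drops, which is what makes
# them a durable detection handle while each drop location stays disposable.
RESOLVER_KEY = b"k9"  # constructed; in practice recovered from the sample
TOKEN_RE = re.compile(r"sig:([A-Za-z0-9+/=]{8,})")


def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def resolve_pointer(text: str):
    """Apply the resolver logic to one piece of public content.

    Returns the C2 URL the malware would extract, or None when the content does
    not decode to something the malware itself would accept. Decoys, unrelated
    base64 and plain text are rejected without any platform-specific knowledge.
    """
    for match in TOKEN_RE.finditer(text):
        try:
            raw = base64.b64decode(match.group(1), validate=True)
        except binascii.Error:
            continue
        try:
            url = _xor(raw, RESOLVER_KEY).decode("ascii")
        except UnicodeDecodeError:
            continue
        parsed = urlparse(url)
        if parsed.scheme in ("http", "https") and parsed.netloc:
            return url
    return None


# --- 2. A constructed corpus of public content to scan ----------------------
def _plant(url: str) -> str:
    """Build a token in the toy format; used only to construct the sample corpus."""
    encoded = base64.b64encode(_xor(url.encode("ascii"), RESOLVER_KEY))
    return "sig:" + encoded.decode("ascii")


SAMPLE_POSTS = [
    # (location, content) pairs standing in for crawled pages or proxy captures.
    ("imgsite.example/p/1", "holiday pics " + _plant("https://c2-one.example/gate")),  # drop the sample pointed at
    ("pastesite.example/x7", "lorem ipsum dolor sit amet"),                            # benign text
    ("forum.example/t/42", "sig:SGVsbG8gV29ybGQh cool build"),                         # base64, but not a pointer
    ("imgsite.example/p/2", "reupload " + _plant("https://c2-two.example/gate")),      # drop not seen before
    ("microblog.example/u/9", _plant("http://203.0.113.7:8443/cb")),                   # pointer rotated after a takedown
    ("pastesite.example/y1", "sig:!!!!not-base64!!!!"),                                # marker with junk payload
]


@dataclass
class Finding:
    location: str
    c2: str


def scan_corpus(posts):
    """Run the resolver logic over (location, content) pairs; return drops found."""
    findings = []
    for location, content in posts:
        url = resolve_pointer(content)
        if url is not None:
            findings.append(Finding(location, url))
    return findings


def new_c2_hosts(findings, known_hosts):
    """C2 hosts the scan surfaced that were not already known from the sample."""
    return sorted({urlparse(f.c2).netloc for f in findings} - set(known_hosts))


if __name__ == "__main__":
    found = scan_corpus(SAMPLE_POSTS)
    for f in found:
        print(f"drop at {f.location} -> {f.c2}")
    print("new C2 hosts:", new_c2_hosts(found, {"c2-one.example"}))
```

Run as a script, the block reports the three locations that decode and the two C2 hosts the known sample never pointed at; the benign text, the unrelated base64 string and the junk token fall out because the malware’s own validation rule rejects them, not because of any platform-specific filter. That is the durable property the article describes: a takedown of `imgsite.example/p/1` changes nothing about the scanner, because the rotated pointer on the microblog is found by the same logic.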

VADER was tested on a dataset of 100,000 malware samples collected from the internet. Through that analysis, it identified 8,906 samples across 110 malware families using dead drop resolver techniques. Further, it discovered 273 dead drops across seven different web platforms. When the extracted logic was applied to live traffic, VADER unearthed 57.1% more dead drops across eleven platforms, along with 67 previously unidentified C2 addresses. [source] [source]

While VADER exists as a research system rather than an operational tool, its approach points to a model defenders can build upon to identify digital dead drops proactively versus after a compromise occurs. The asymmetry underlying the detection challenge is far from disappearing. The providers behind the services used as dead drop intermediaries lack true visibility into how attackers manipulate their services in this way. VADER and the researchers behind it are in the early stages of shifting the balance away from asymmetry. However, whether the shift narrows the gap meaningfully remains an open question at this stage. 

5.0 Conclusion

The dead drop has endured because it is not a mere technology, but a structure. This structure builds on the asymmetry between attacker and defender. The attacker needs one viable neutral intermediary, while the defender must account for many. And through time, the structure has held across SRAC transmitters, shared email drafts, and cloud service storage alike. That is because the logic underneath it, of indirection and severed contact, never depended on the medium.

What the Russian cases show is that the dead drop’s adaptability is not incidental. The SVR and FSB – two services with distinct operational goals – have independently converged on the same principle throughout a decade of implementation, using various toolsets. It is plausible – with moderate confidence, given the inferential nature of pattern attribution – that the dead drop principle has become embedded institutionally. 

For analysts and defenders, this evolution is less about a specific technique and more about what lies ahead. A framework that relies on specifics like services, indicators, and malware families will always be one step behind a competent attacker who views them as disposable. Instead, solutions and countermeasures must account for the asymmetry and focus on anticipating the next evolution, rather than documenting the latest discovery.

Michael Ellmer

Michael is a Senior Analyst at Grey Dynamics. He spent eight years in the United States Marine Corps infantry (2007-2015). He holds an undergraduate degree in communications from Seattle Pacific University, and a master’s degree in intelligence and security studies from Brunel University London.