Russia's war on circumvention tools has reached a new stage: the state is no longer doing the blocking itself. On March 30, 2026, Digital Development Minister Maksut Shadaev met with representatives of more than 20 of the country's largest online platforms and gave them a deadline. By April 15, each was to detect and deny service to users connecting through a VPN — and to keep doing so for VPNs the state has not yet catalogued, using a technical manual the ministry handed out at the meeting (Meduza, citing RBC).
The roster is effectively the backbone of Russian digital life: Yandex's services, VK, Sberbank, Ozon, Wildberries, Avito, Aviasales, and Russian Railways among them. The mechanism is the part worth dwelling on. Companies receive a list of VPN IP addresses already identified by Roskomnadzor to blacklist, and the manual instructs them to go further — comparing a visitor's address against Russian and foreign IP ranges, then running parallel reachability checks against domestic versus foreign domains to infer that a tunnel is in use. Newly spotted VPNs are to be reported back to the regulator. The platform, in other words, becomes a sensor in a national detection grid.
The case the ministry makes
It is worth stating the official rationale at full strength, because it is not frivolous. The Digital Development Ministry argues that VPN blocking exists "to protect the data you enter on platforms," singling out government services "where citizens' personal data is stored." It adds that "most VPNs do not protect the privacy and personal data of users, and they are frequently used by malicious actors to intercept traffic" (Meduza). The kernel of truth is real: free and shady VPN apps do harvest user data, and credential-stuffing and fraud campaigns are routinely laundered through anonymizing infrastructure. A government insisting that a bank know who is logging in is not, on its face, acting in bad faith.
But the proportionality test is where this collapses. If the goal were fraud prevention, the tool would be targeted: flag anomalous logins, require step-up authentication, block known-malicious IP ranges. Instead the order is a blanket denial of service to anyone on any VPN — including the corporate and privacy-conscious users the ministry claims to be protecting. The means are radically wider than the stated end, which is the signature of a measure whose real purpose lies elsewhere.
Privatizing censorship
What makes this directive distinct from a decade of Russian filtering is who is being made to act. Roskomnadzor's deep-packet-inspection apparatus throttles and blocks at the network layer. This order instead recruits private companies as enforcement agents, and it does so without a statute on the table — through a ministerial "ask" backed by coercion. Non-compliance means losing IT accreditation, the status that confers reduced corporate tax rates and gives employees lower-rate mortgages and military-service deferrals, plus removal from the operational "whitelist" (The Moscow Times). That whitelist — a "registry of socially significant services" launched in September 2025 with 57 sites — is the set of services allowed to function when mobile internet is cut. Falling off it during a regional blackout is commercial death.
This is regulation by leverage rather than law: no bill, no parliamentary debate, no judicial review — just the threat of losing privileges the same state granted. For the tech sector it is the worst possible incentive structure, conscripting the most innovative firms into building surveillance features against their own users to keep tax benefits the state can revoke at will.
It does not even work cleanly
The detection method is crude, and the early results show it. Enforcement on April 15 was inconsistent — Ozon and the streaming service Kinopoisk began refusing VPN traffic while VK and Wildberries stayed reachable the same day (The Moscow Times). The companion plan to meter mobile VPN traffic — a 15-gigabyte monthly allowance, then 150 rubles per additional gigabyte — slipped past its May 1 start because carriers admitted they cannot reliably separate VPN traffic from ordinary foreign traffic. A tool that cannot distinguish a journalist's VPN from a multinational's encrypted corporate link will inevitably break legitimate commerce.
And it lands on an internet already under severe strain. Since May 2025 Russia has averaged roughly 2,000 mobile-internet shutdowns a month — more than the rest of the world combined in 2024 — and the cash-payment fallout has been sharp: with terminals and banking apps stranded offline, cash in circulation rose nearly fivefold in three months (Carnegie Endowment). Layering a VPN dragnet on top of rolling blackouts compounds the friction that already makes the Russian network unreliable for the firms expected to grow on it.
The cost is the innovation base
The deeper damage is not to dissidents alone but to the legitimate digital economy. A platform forced to gate access behind VPN-detection logic degrades its own product, alienates privacy-minded customers, and signals to every foreign partner and investor that the Russian net is a walled, conditional space. Security genuinely improves when users can choose strong, audited encryption — not when an entire class of privacy tools is declared hostile by decree.
The proportionate path is well understood: target fraud at the transaction layer, mandate transparency for data-harvesting VPN apps, and pursue malicious infrastructure through evidence and due process. What Russia has chosen instead — drafting its champions into a detection grid under threat of losing state favor — protects the apparatus of control, not the user. It is a template other governments tempted to outsource censorship to the private sector should study closely, and reject.