At Moscow’s landmark Standoff cybersecurity competition, participants for the first time targeted a prototype of Russia’s digital ruble-and swiftly uncovered major security flaws. The vulnerabilities didn’t require exotic hacks: they stemmed from basic issues like default passwords, disabled signature verifications, and weak access controls. While this poses challenges for the Bank of Russia and commercial banks, it also highlights why the rollout of the digital ruble remains cautious and gradual.
”Code of Durov,” the team behind these findings, shared their results through Sovcombank Technologies, the organizer of the event. The 10th Standoff took place June 16-19 inside Moscow’s Cyberdome, featuring 23 teams from six countries simulating attacks against a virtual state infrastructure, including banks, factories, energy, and telecom systems. The digital ruble prototype was a key new target, modeled closely on the real setup: a central platform run by the Bank of Russia, intermediary banks, and messaging based on the ISO 20022 standard, deployed on national banking software.

This near-real environment revealed familiar misconfigurations-common in actual operational systems and far more frequent than headline-grabbing zero-day exploits. Participants noted that banks regularly fall prey to hacked passwords in config files and logs, forgotten keys on servers, or leftover tokens in test scripts.
Pavel Chernyshev, head of security analysis at Sovcombank and deputy captain of DreamTeam’s banking unit, emphasized that the sandbox provided a rare chance to test a technology still not launched broadly. The digital ruble’s architecture directly involves the central bank, commercial banks, and legally binding message exchanges, making any bug costlier than typical banking outages.
Over the entire simulated environment, spanning seven industries, competitors logged 245 critical incidents. Telecoms took the brunt with 74 breaches, while retail proved toughest, allowing only seven successful attacks. DreamTeam from Sovcombank Technologies clinched victory for the eighth time with 148,535 points.
Testing digital ruble security in a controlled environment
The Bank of Russia has framed the digital ruble as a third form of money alongside cash and bank deposits. Pilot programs with real transactions began in 2023, and regulators expanded participating banks and use cases in 2024, including transfers and payments. Yet, cautious about infrastructure readiness, both the regulator and market players have repeatedly delayed a full-scale launch.
Standoff’s attack simulation fits into a global pattern for central bank digital currencies (CBDCs). Central banks worldwide extensively test their digital currency projects in simulated environments before public rollout. According to the Atlantic Council, by mid-2026 more than 130 countries and currency unions will have explored or piloted CBDCs, with many stumbling over security, privacy, and banking integration challenges.
From a technical standpoint, the use of ISO 20022 messaging for the digital ruble aligns with global financial trends. This standard has become the backbone for payment systems and cross-border transfers, including SWIFT’s transition. Yet, ISO 20022 itself doesn’t guarantee security-if administrators leave default passwords active or disable signature checks, even well-architected systems become easy pickings for attackers.
For banks, these findings are more a familiar headache than a shock. The most expensive financial hacks often begin not with complex cryptographic failures but with leaked secrets, excessive service privileges, or misconfigured test environments. That’s why such contests are more than tech spectacles-they offer a cost-effective way to identify which system weaknesses attackers will hit first in the real world.
The critical path forward depends on how swiftly banks patch these basic vulnerabilities. If the Bank of Russia keeps widening the pilot programs, insights from Standoff and similar sandbox tests will serve as an important benchmark. Fixing flaws in a controlled environment is vastly preferable to scrambling after millions of users have been affected.

