The Blocking Ladder. Part Two: from throttling to isolation (2025–2026)
Chapter 1. Introduction: the year a forecast turned into a chronicle
The first part of this study ended in the spring of 2025 with a forecast of the next rungs on the blocking ladder: a full block of Telegram, statistical methods for spotting VPNs, blocking of large blocks of IP addresses, the tactic of grey lists and deliberate degradation of connectivity, a shift from blacklists to whitelists and, finally, the complete isolation of the RuNet. Some of these steps were assigned to the distant future.
Within a year almost every rung has been climbed, and some of them faster than the most pessimistic forecast. Telegram is blocked, next-generation VPN protocols are detected by the behaviour of their traffic, blocks of IP addresses go into the registry in batches, whitelists are deployed across most regions, and splitting traffic into domestic and international has become the subject of concrete meetings at the Ministry of Digital Development. The 2025–2026 period also added what the analysis had not foreseen as central instruments: everyday rolling shutdowns of mobile internet and the coercion of tens of millions of users into a state messenger. The previous stage was described by the formula "ban access to what is unnecessary"; the new one by "permit access only to what is necessary". This is a qualitative shift: from pinpoint filtering to managing the very possibility of a connection.
A caveat about terms: almost nowhere does the state use the word "block", preferring "throttling", "partial restriction", "coercive measures". The actual result — the inability to use a service — is achieved by technical means without any formal announcement.
Chapter 2. The year of the shutdown
The main novelty of 2025 was mass shutdowns of mobile internet. According to the Na Svyazi project, May 2025 recorded 68 cases in the month, June already 652, with the peak in the summer: 1,967 in July and 2,099 in August (more than the entire world for all of 2024). By autumn the intensity had settled at a high level. For 2025 as a whole — 12,024 incidents.
The first mass shutdown occurred during the "celebrations of the 80th anniversary of the Victory" (7–9 May 2025) in Moscow and more than thirty regions: mobile internet is used to control drones, so during mass events it was switched off.
The turning point was the Ukrainian Operation Spiderweb on 1 June 2025, when drones covertly delivered deep into Russia struck the strategic aviation fleet. After that, shutdowns ceased to be tied to holidays and became a routine reaction to any threat. On 8 July 2025 a new low was set: the internet was switched off in 77 of the 89 federal subjects.
By the spring of 2026 the shutdowns had reached the centre of Moscow: from 6 March the internet was switched off for more than a week straight — presumably because of the final testing of the whitelists in the capital. Yet the effectiveness of the shutdowns is doubtful: according to Novaya Gazeta Europe, around 85% of shutdowns fell on days with no reports of drone strikes, and in regions beyond the reach of drones (Novosibirsk Region, Krasnoyarsk and Khabarovsk Krais) the internet was switched off on more than 98% of days. The shutdown turned from a situational measure into a permanent regime.
The cost is enormous. The Internet Protection Society, using the Brookings Institution methodology, estimated an hour of a full shutdown at roughly 46 billion roubles nationwide. Top10VPN named Russia the world leader of 2025 for the duration of restrictions: 37,166 hours, around 146 million users affected, damage of 11.9 billion dollars — more than 60% of the global total.
Behind the chaotic nature of the shutdowns lies not a strategy but the logic of departmental reporting. Regional authorities have no real means against drones, but a region is held to account for preventing damage — and switching off the internet serves not the result but the paperwork.
Chapter 3. Whitelists: the flip side of the shutdowns
The most significant consequence of the shutdowns was the shift from a blacklist model to a whitelist one — not as an ideological decision but as a forced reaction to the chaos of the shutdowns. Under whitelists, everything is unavailable by default except what is explicitly permitted.
A total shutdown hits not so much the drones as the economy and the loyalty of citizens: banks, payments, taxis, government services and maps stop working. Whitelists became the compromise: the regulator needed a way both to keep switching off the network and, at the same time, to preserve vital services. The idea was voiced publicly by Minister Maksut Shadaev on 7 August 2025.
Chart 1. Mobile internet shutdowns and whitelist coverage, 2025
The first list appeared on 5 September 2025: Gosuslugi, VKontakte, Odnoklassniki, Mail.ru, the Max messenger, Yandex services, government websites. By May 2026 it included more than 500 Russian services. By March 2026 the regime was in place across 68–71 regions.
Technically the regime is implemented through filtering by DNS, IP and subnets by the operators themselves. Changing your IP or using a VPN does not help: foreign addresses are blocked as a class. By the middle of 2026 the share of successful connections under the whitelist regime does not exceed ten percent.
A separate measure is the SIM card "cooling-off period". A card returning from roaming or activated after a long break is automatically stripped of mobile internet for 24 hours. Officially this is protection against drone control; in practice it is the ability to isolate any subscriber instantly.
Formally the whitelists are compiled by the Ministry of Digital Development, but the list is approved after agreement with the FSB. From February 2026 the FSB banned the inclusion of banking apps that had not installed SORM — which is why the lists contain no apps from Sberbank, T-Bank or Gazprombank. The availability of a banking app during a shutdown has been made conditional on the bank's readiness to surveil its clients.
Chapter 4. The state messenger MAX
In parallel with the blocks, the state was building the "positive" part of the strategy — the forced promotion of controlled platforms. On 25 March 2025 the VK holding announced the Max messenger as an analogue of WeChat: communication, payments, government services, mini-apps. On 24 June 2025 Federal Law No. 156-FZ was signed, with LLC MAX named as its operator.
Through a chain of legal entities, Max belongs entirely to VK. VK's CEO is Vladimir Kiriyenko, son of Sergei Kiriyenko, the first deputy head of the Presidential Administration responsible for domestic policy and censorship. The controlling stake belongs to a consortium of structures from Putin's inner circle. Thus Max is not a commercial project but a state initiative under family-nomenklatura management.
The transition was made mandatory. From September 2025 Max is preinstalled on all new smartphones. The Ministry of Digital Development ordered state organisations to switch over by 1 January 2026. The law of 29 December 2025 made it mandatory for the "building chats" run by management companies to be kept specifically in Max. By March 2026 the platform reported 100 million registered users.
The criticism centres on privacy: Max has no end-to-end encryption, its rules provide for the transfer of data to state bodies, and the app collects IP addresses and checks for the presence of a VPN.
In the summer of 2026 the VK ecosystem lost the App Store: on 3 June Apple removed MAX itself, and on 25 June around two dozen of the holding's other apps, citing sanctions legislation. On Google Play the VK and MAX apps are still available.
Chapter 5. Strangling WhatsApp and Telegram
The campaign against the last two mass-market independent messengers proceeded in stages — from degrading individual features to actually closing off access. Officially it was a fight against fraud; in fact it was a clearing of the field and a migration of the audience into Max.
In August 2025 mass call failures began; on 13 August Roskomnadzor confirmed a "partial restriction" of calls in Telegram and WhatsApp.
Chart 2. Blocking of WhatsApp, availability chart
WhatsApp: according to OONI, on 1 December availability fell below 90% for the first time, on 21 December below 50%, and on 25 December the service was effectively blocked (below 10%). This was not an instant switch-off but a controlled descent over almost a month. By the summer of 2026 availability had partly recovered (20–25%) thanks to the adaptation of circumvention tools.
Chart 3. Blocking of Telegram, availability chart
Telegram: on 10 February 2026 Roskomnadzor announced throttling. Between the announcement and the actual block came about two months of open dispute — war correspondents, deputies, propagandists and clergy came out against it. The security bloc won the dispute once again. According to OONI, the decisive collapse came on 10 April (below 10%). According to Pavel Durov, by April 2026 around 65 million Russians were using Telegram via VPN every day.
Chapter 6. Blocking the circumvention protocols
By the end of 2025 the TSPU had reached almost full coverage of the networks, and Roskomnadzor moved on to detecting the VLESS, REALITY, XTLS and Shadowsocks protocols, previously considered resilient. From 24 November 2025 complaints came in from a dozen regions.
The fundamental difference of the new phase is that the system stopped relying on signatures alone. Detection is built in several layers at once: signature analysis of the first bytes, fingerprinting of the TLS handshake (JA3/JA4), active probing of servers, behavioural (statistical) analysis of traffic. This is precisely the implementation of the "statistical method" that the first part described as a hypothesis: the system does not crack the encryption but computes the user from the shape of their network behaviour.
Behind the escalation stands a built-up industry. The key integrator and supplier of the TSPU is JSC DTsOA, controlled by Rostelecom. In June 2026 DTsOA announced a procurement of servers with GPUs — direct preparation for filtering by means of machine learning. The plans are enormous: TSPU capacity is to grow 2.5-fold by 2030 (around 84 billion roubles).
Chart 4. Google Trends and VPN penetration
VPN penetration is growing. The starting point is around 1.6 million users in February 2022, rising to around 24 million by May 2022. An estimation model gives around 70 million users and a penetration of 65–68% by June 2026. According to a Russian Field survey (April 2026), 40% of Russians actively use a VPN, and in Moscow 62%. The main conclusion: the fight against circumvention is itself the main driver of its spread.
Chapter 7. Controlling the perimeter
The technical measures were complemented by legal ones, with the state offloading part of the censorship work onto users, business and infrastructure.
Punishment for searching for extremism. Federal Law No. 281-FZ (in force from 1 September 2025) introduced fines for the deliberate searching of "knowingly extremist materials", including via VPN. For the first time liability was shifted onto the end consumer of content.
A tax on Apple. From 1 April 2026 mobile operators, at the authorities' demand, disabled the topping-up of an Apple ID balance from a phone account. The aim is to force Apple to return the removed VPN apps by cutting off its payment channel.
Censorship by the hands of the corporations. In March–April 2026 the Ministry of Digital Development set a deadline for implementing VPN detection — 15 April. From that date Ozon, Wildberries, Kinopoisk, ivi and other services stopped working fully with a VPN switched on. The lever of coercion is unprecedented: for refusal a company faces exclusion from the whitelists and the loss of its IT accreditation, and with it the draft deferral for all its employees. For the first time, censorship is backed by the risk of employees' mobilisation.
A ban on advertising on restricted resources. Federal Law No. 72-FZ (in force from 1 September 2025) banned advertising on Instagram, Facebook, X and any restricted platforms.
Regulation of hosting providers. From 1 January 2026 there are fines of up to a million roubles for hosting outside the registry. In the summer of 2026 Roskomnadzor moved on to rolling restrictions of whole subnets of data centres, including previously safe ones (Selectel, Yandex Cloud, Cloud.ru).
Chapter 8. Dividing the internet
The most strategically significant direction of 2026 was the attempt to divide traffic into domestic and international — an approach to isolation. At its basis is an admission of a technical limit: blocking a VPN by blanket filtering does not work. Hence the change of approach: from technical suppression to economic containment — to make circumvention expensive without switching off foreign traffic entirely.
A charge for international traffic. On 28 March 2026 Shadaev proposed introducing a charge for international traffic on mobile networks above a limit of 15 GB a month. VPN traffic is indistinguishable from ordinary foreign traffic, so the measure hits all international traffic at once. By the end of the second quarter of 2026 the mechanism has not been fixed in regulation, but the direction has been set.
A moratorium on international channels. On 16 April 2026 around twenty companies that own channels to Europe signed an agreement with the Ministry of Digital Development to suspend their expansion. The reason is directly linked to VPNs: the growth in their use quickly fills the cross-border bandwidth.
By the forecast of a TransTeleCom representative, by the autumn of 2026 the channels may become saturated, and providers will begin introducing differentiated tariffs: the Russian internet cheaper, the foreign one more expensive.
Chapter 9. A new curator: the FSB takes control
The institutional upshot of the period was a shift of the centre of censorship management from Roskomnadzor to the security bloc. Government Decree No. 1667 (in force from 1 March 2026) placed management of the TSPU jointly with Roskomnadzor, the FSB and the Ministry of Digital Development.
Behind the anonymous "FSB" stands a specific division — the Second Service, heir to the Fifth Directorate of the KGB, which specialised in domestic dissent. Handing it control means that internet censorship has been assigned to the category of political policing. Since 2006 the service has been headed by Colonel General Alexei Sedov (under UK, US, Canadian and Ukrainian sanctions since 2021 over the Navalny poisoning case).
Roskomnadzor's role is changing: from an agency that defined the threats, it is turning into a technical executor under a security curator. Having failed to win the technical race with VPNs, the security curator changed tactics — shifting the fight onto business, forcing marketplaces, banks and hosters to identify and disconnect circumvention users themselves.
Conclusion
Of the six probable rungs named in the spring of 2025, by the middle of 2026 almost all have been climbed or are being actively climbed. The period also added what the earlier analysis did not consider central: everyday rolling shutdowns and coercion into a state messenger. The logic of the "ladder" has been fully preserved — every measure passes through the same four stages, with only the scale and the speed having changed.
What has not changed is the fundamental dilemma: shutdowns and whitelists hit the economy by billions of dollars. That is why the authorities still choose "quiet" methods — throttling instead of blocking, a traffic limit instead of severing the channels. Nor has the balance of forces changed: VPN penetration holds at around 40%, and in the capitals it exceeds 60%. The blocking ladder keeps being built upwards, but the counter-movement of those who circumvent it does not stop. The outcome is not predetermined.
Findings
- The forecast turned into a chronicle. Of the six rungs of 2025 almost all have been climbed: the effective blocking of Telegram, the statistical detection of VPNs, the blocking of large IP blocks, the deliberate degradation of connectivity, whitelists and the first steps towards dividing traffic. Added to these were everyday shutdowns and coercion into a state messenger.
- The logic of censorship changed. The "what is on the list is banned" model gave way to the "only what is on the list is allowed" model. Whitelists arose as a forced reaction to the chaos of the shutdowns, but the security bloc turned them into a lever.
- Censorship was offloaded onto business and users. Companies are forced to identify VPNs themselves under threat of exclusion from the lists, loss of IT accreditation and the mobilisation of their employees.
- The logic of the "ladder" was preserved; the scale and speed changed. Behind the technology stands a built-up industry with budgets of tens of billions of roubles and a transition to filtering based on machine learning.
- The centre of control shifted from Roskomnadzor to the FSB. Control over access to information moved from the administrative plane into the plane of security, with closed procedures.
- The outcome is not predetermined. Despite all the measures, VPN penetration holds at around 40% (in the capitals above 60%), and each new wave of blocks widens the circumvention audience.
This is an abridged version. The full study with detailed data, sources and charts:
Download full version (PDF)