Cyber Crime

German investigators identify crypto millionaire behind REvil operations

German authorities have identified a Russian man named Nikolay K. who is suspected to be a prominent member of the REvil ransomware gang.

REvil ransomware gang is one of the most successful ransomware operations, the group and its affiliated hit hundreds of organizations worldwide. On July 2, the gang hit the Kaseya cloud-based MSP platform impacting MSPs and their customers, it asked $70 million worth of Bitcoin for decrypting all impacted systems.

Nikolay K. claims to be a trader of cryptocurrencies in social networks. The man lives in Russia and shows a luxurious lifestyle online, he is still at large because Russian authorities have yet to accuse him.

Now German investigators claim to have identified a Russian man named Nikolay K. who is suspected to be a mastermind of the criminal organization.

“According to information from Bayerischer Rundfunk and Zeit Online, German investigative authorities have been targeting Nikolay K. for months. Investigators from the Federal Criminal Police Office (BKA) and LKA Baden-Württemberg consider the man to be one of the masterminds behind the notorious REvil malware and its alleged predecessor Gandcrab.” reported the Bavaria24 website.

The investigators have collected evidence that links REvil to GandCrab,

The LKA Baden-Württemberg investigated a series of Bitcoin transactions associated with the payment of ransoms to the GandCrab ransomware group. One of the attacks, against a software developer, took place in 2019. Threat actors gained access to the employee’s access data and were able to break into the systems of some customers.

Another victim was the Stuttgart State Theaters.

The German police discovered Nikolay’s email address, which was also used to register to over 60 websites, along with his phone number that is associated with a Telegram account. This account was used for legit crypto-trading activities, but the investigation into some of the transactions revealed that some of them were associated to ransom payments.

 “More than 60 websites were registered with this, some with authentic contact information, such as cell phone numbers. That comes from a database of the IT security company Domaintools. One of these cell phone numbers is linked to a Telegram account that supposedly specializes in trading cryptocurrencies. Payments worth almost 400,000 euros were transferred to a Bitcoin address specified there. These payments probably originate from ransomware incidents, as explained by an expert who specializes in the evaluation of Bitcoin payments.” consider the post.

 Researches are not able to exclude that the man received the money from members of the ransomware gangs like REvil.

Recently the Reuters news agency announced that the REvil’s infrastructure was hijacked as the result of an international operation conducted by law enforcement, for this reason, ransomware operators have been extremely cautious.

Experts believe that the German authorities will require support from Russian peers, but the Russian Government will likely deny the extradition of the man and his prosecution.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, cybercrime)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

U.S. CISA adds Microsoft Internet Explorer and Twilio Authy bugs to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Microsoft Internet Explorer and Twilio Authy bugs…

4 hours ago

China-linked APT group uses new Macma macOS backdoor version

China-linked APT group Daggerfly (aka Evasive Panda, Bronze Highland) Evasive Panda has been spotted using an…

14 hours ago

FrostyGoop ICS malware targets Ukraine

In April 2024, Dragos researchers spotted the malware FrostyGoop that interacts with Industrial Control Systems…

1 day ago

Hackers abused swap files in e-skimming attacks on Magento sites

Threat actors abused swap files in compromised Magento websites to hide credit card skimmer and…

1 day ago

US Gov sanctioned key members of the Cyber Army of Russia Reborn hacktivists group

The US government sanctioned two Russian hacktivists for their cyberattacks targeting critical infrastructure, including breaches…

2 days ago

EvilVideo, a Telegram Android zero-day allowed sending malicious APKs disguised as videos

EvilVideo is a zero-day in the Telegram App for Android that allowed attackers to send…

2 days ago

This website uses cookies.