German investigators identify crypto millionaire behind REvil operations

German authorities have identified a Russian man named Nikolay K. who is suspected to be a prominent member of the REvil ransomware gang.

REvil ransomware gang is one of the most successful ransomware operations, the group and its affiliated hit hundreds of organizations worldwide. On July 2, the gang hit the Kaseya cloud-based MSP platform impacting MSPs and their customers, it asked $70 million worth of Bitcoin for decrypting all impacted systems.

Nikolay K. claims to be a trader of cryptocurrencies in social networks. The man lives in Russia and shows a luxurious lifestyle online, he is still at large because Russian authorities have yet to accuse him.

Now German investigators claim to have identified a Russian man named Nikolay K. who is suspected to be a mastermind of the criminal organization.

“According to information from Bayerischer Rundfunk and Zeit Online, German investigative authorities have been targeting Nikolay K. for months. Investigators from the Federal Criminal Police Office (BKA) and LKA Baden-Württemberg consider the man to be one of the masterminds behind the notorious REvil malware and its alleged predecessor Gandcrab.” reported the Bavaria24 website.

The investigators have collected evidence that links REvil to GandCrab,

The LKA Baden-Württemberg investigated a series of Bitcoin transactions associated with the payment of ransoms to the GandCrab ransomware group. One of the attacks, against a software developer, took place in 2019. Threat actors gained access to the employee’s access data and were able to break into the systems of some customers.

Another victim was the Stuttgart State Theaters.

The German police discovered Nikolay’s email address, which was also used to register to over 60 websites, along with his phone number that is associated with a Telegram account. This account was used for legit crypto-trading activities, but the investigation into some of the transactions revealed that some of them were associated to ransom payments.

 “More than 60 websites were registered with this, some with authentic contact information, such as cell phone numbers. That comes from a database of the IT security company Domaintools. One of these cell phone numbers is linked to a Telegram account that supposedly specializes in trading cryptocurrencies. Payments worth almost 400,000 euros were transferred to a Bitcoin address specified there. These payments probably originate from ransomware incidents, as explained by an expert who specializes in the evaluation of Bitcoin payments.” consider the post.

 Researches are not able to exclude that the man received the money from members of the ransomware gangs like REvil.

Recently the Reuters news agency announced that the REvil’s infrastructure was hijacked as the result of an international operation conducted by law enforcement, for this reason, ransomware operators have been extremely cautious.

Experts believe that the German authorities will require support from Russian peers, but the Russian Government will likely deny the extradition of the man and his prosecution.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, cybercrime)

[adrotate banner=”5″]

[adrotate banner=”13″]