FBI Seizes Bitcoins From Alleged REvil Ransomware AffiliateCryptocurrency Worth $2.3 Million Seized; Allegedly Amassed by Russian National
The FBI has seized 39.9 bitcoins from an alleged affiliate of the notorious REvil ransomware group, which has been tied to illicit profits of more than $200 million.
See Also: Case Study: The Road to Zero Trust
The seizure occurred Aug. 3 and came to light Tuesday via a complaint for forfeiture filed by acting U.S. Attorney Chad E. Meacham in the U.S. District Court for the Northern District of Texas, backed by FBI Special Agent Joshua Jacobs. It says the funds were seized from an Exodus wallet, which refers to a piece of software that manages the private keys needed to access the addresses where cryptocurrency - aka crypto - funds are being stored.
News of the court filing was first reported by Bleeping Computer.
The Department of Justice says the funds are subject to civil forfeiture because they were gained via computer fraud, wire fraud and money laundering. As of Wednesday morning, the value of the seized cryptocurrency was $2.3 million.
Under federal law, the government must identify any defendant it believes could make a valid claim for the funds and attempt to notify them of the forfeiture. Any claimant would then have 21 days to file an answer to the complaint or file a motion.
The DOJ's civil forfeiture claim says "the individual reasonably appearing to the government, at this time, to be potential claimant to the defendant property," is Aleksandr Sikerin, aka Alexander Sikerin and Oleksandr Sikerin. His last known address is listed as being in St. Peterburg, Russia, and the government says his email address is "firstname.lastname@example.org."
Sikerin is accused of working as an affiliate of the REvil - aka Sodinokibi - ransomware group.
"The offenses involved concern the ransomware variant known as Sodinokibi/REvil," the court document states. "Between on or about April 2019, and July 2021, ransomware attacks across the United States, and elsewhere, were committed resulting in the receipt of over $200 million in ransom payments by Sodinokibi actors."
The filing states that the seized cryptocurrency "constitutes, was derived from, and is traceable to ransomware attacks committed by Sikerin," and that the cryptocurrency "is also involved in and traceable to the money laundering conspiracy involving Sodinokibi ransom payments."
Multiple Seizures and Arrests
Short of arresting suspects, security experts say that disrupting the ransomware business model remains a needed intervention by police.
"It is a good move by law enforcement to hit cybercriminals where it hurts by seizing their funds," says John Fokker, the principal engineer and head of cyber investigations for Advanced Threat Research at McAfee Enterprise.
The seizure of Silkerin's alleged bitcoins follows the DOJ having seized other stashes of cryptocurrency allegedly gained from ransom payments, including $6.1 million worth of bitcoins allegedly amassed by Russian national Yevgeniy Polyanin, 28, who remains at large. An indictment unsealed last month charges him with having run multiple REvil attacks. Reporters with the Daily Mail recently tracked Polyanin to his home in the Siberian city of Barnaul, where he's reportedly "living freely."
Also last month, the Justice Department issued an extradition request, seen by The Wall Street Journal, for Russian national Denis Dubnikov, 29, who was arrested Nov. 2 by Dutch authorities after he was expelled from Mexico. The Journal reports that the extradition request, which cites a sealed indictment, accuses Dubnikov of receiving in 2018 bitcoins worth $400,000 from attackers tied to the Ryuk ransomware operation.
Multiple security researchers say Sikerin - the defendant named in the Tuesday forfeiture complaint - appears to be tied to activities carried out by a REvil affiliate known as Lalartu, which is the name of a ghostly, vampiric spirit in Sumerian legend.
Using open-source intelligence methods, security researcher Alon Gal in February 2020, for example, detailed on his Under the Breach blog finding that Lalartu was active both on the Exploit.in hacking forum, as well as on Russian hacking forum BHF.io, with the usernames Protokol, Marka, and Eng_Fog. The latter, of course, parallels the "email@example.com" email address cited in the U.S. government's forfeiture complaint.
While that connection alone might appear to be circumstantial, multiple security experts have told Information Security Media Group that they believe Sikerin is Eng_Fog or Engfog, as well as Lalartu.
Lalartu has a history. In 2019, security firm McAfee reported that Lalartu was an affiliate of Sodinokibi as well as its predecessor, GandCrab. It said Lalartu was then one of dozens of active Sodinokibi affiliates, and that he'd boasted in a cybercrime forum post of having earned $287,000 from his ransomware activities in just 72 hours.
Besides boasting of working with ransomware operations, Lalartu also sold access to hacked sites via Exploit.in, New York-based cyber intelligence firm Advanced Intelligence, aka AdvIntel, reported in 2019.
Lalartu's specialty was using Cobalt Strike and Metasploit penetration frameworks, sometimes backed by stolen remote desktop protocol credentials, to breach sites and gain persistent, remote access to administrative panels and Active Domain controllers," Yelisey Boguslavskiy, director of research at AdvIntel, told ISMG at the time.
Target: Ransomware Supply Chain
The government has not said how it identified or seized the cryptocurrency allegedly amassed by Sikerin. In the case of Polyanin, Deputy Attorney General Lisa Monaco told reporters last month only that the seizure was facilitated by "good, old-fashioned detective work," and that "we were able to recover ransom by following the money."
The Biden administration this past summer announced that it would be devoting significantly more resources to combating ransomware, not just from a law enforcement standpoint but also via diplomatic channels as well as trying to boost the cybersecurity resilience of American businesses.
"The current multidisciplinary approach is showing some clear results and sends a powerful message that crime shouldn't pay," McAfee Enterprises' Fokker tells ISMG.
Despite the timing of the Biden administration's ransomware-crackdown announcement, the latest seizures and arrests may date from efforts begun much earlier, says cybercrime expert Alan Woodward, who's a visiting professor in the University of Surrey's computer science department.
"The general message about ransomware is that the law enforcement agencies have swung their big guns onto the subject," he says. "It takes to time to catch these criminals so this is not a new focus as such, but is the culmination of strategic decisions made possibly two years ago."
The crackdowns and disruptions now coming to light demonstrate that "anyone involved" in any way with using or supplying, or aiding and abetting anyone or anything in "the supply chain of ransomware is now a target for the law enforcement agencies," Woodward says.