Russian Hacker Pleads Guilty to Money Laundering Linked to Ryuk Ransomware

A Russian national on February 7, 2023, pleaded guilty in the U.S. to money laundering charges and for attempting to conceal the source of funds obtained in connection with Ryuk ransomware attacks.

Denis Mihaqlovic Dubnikov, 30, was arrested in Amsterdam in November 2021 before he was extradited from the Netherlands in August 2022. He is awaiting sentencing on April 11, 2023.

“Between at least August 2018 and August 2021, Dubnikov and his co-conspirators laundered the proceeds of Ryuk ransomware attacks on individuals and organizations throughout the United States and abroad,” the Department of Justice (DoJ) said.

Dubnikov and his accomplices are said to have engaged in various criminal schemes designed to obscure the trail of the ill-gotten proceeds.

According to DoJ, a chunk of the 250 Bitcoin ransom paid by a U.S. company in July 2019 after a Ryuk attack was sent to Dubnikov in exchange for about $400,000. The crypto was subsequently converted to Tether and transferred to a co-conspirator, who then exchanged it for the Chinese Renminbi.

In all, the parties involved in the criminal enterprise are estimated to have laundered at least $150 million in ransom payments.

Dubnikov is also the co-founder of Coyote Crypto and Eggchange, with the latter headquartered in Federation Tower East (or Vostok), a supertall skyscraper known to harbor several cryptocurrency businesses with ties to money laundering associated with ransomware operations.

According to Chainalysis, Eggchange received over $34 million worth of cryptocurrency from darknet markets, scams, fraud shops, and ransomware operators between 2019 and 2021.


Ryuk, which first emerged on the threat landscape in 2018, is attributed to a threat actor tracked as Wizard Spider and has compromised governments, academia, healthcare, manufacturing, and technology organizations.

Often delivered through first-stage malware such as TrickBot or BazarBackdoor, Ryuk is also a precursor to the Conti ransomware, which shuttered its operations in May 2022 and splintered into smaller units.
