Exclusive
Status: 10/28/2021 7:35 a.m.
German prosecutors have loud BR and “Zeit Online” identified a suspected mastermind behind the blackmail of companies and authorities. The man lives in Russia and arrest is unlikely.
Nikolay K. (name changed) presents himself as a trader of cryptocurrencies in social networks. His profiles are private, but his motto can be read by the whole world: “In Crypto we trust”. He trusts cryptocurrencies like Bitcoin – a look at his wrist shows that. His watch has a five-digit purchase price and the Bitcoin logo shines from the center of the dial.
The Instagram profile picture shows K. in a luxury car, holding hands with his wife. The social networks allow deep insights into the lifestyle of the man who lives in a house with a pool near a major city in southern Russia: He spends vacations in Dubai or the Maldives. A yacht that he chartered costs 1300 euros – per day.
This luxurious lifestyle is apparently financed by extortion money – paid by companies and authorities that have become victims of hacker attacks. According to information from Bavarian Broadcasting and Zeit Online have been targeting Nikolay K. by German investigative authorities for months. The Federal Criminal Police Office (BKA) and LKA Baden-Württemberg consider the man to be one of the masterminds behind the REvil malware and its alleged predecessor Gandcrab.
Billions in damage
With so-called ransomware, even large company networks can be encrypted and companies blackmailed within minutes. A figure from the US Treasury Department shows how big the phenomenon is now: Criminal hackers have stolen at least five billion dollars in just a few years thanks to ransomware. The REvil group is known for making particularly high demands in order to decrypt data again: the previous record is 70 million US dollars.
REvil is organized like a franchise company: Developers license the software and pass it on to so-called affiliates. They are the real hackers who break into corporate networks and extort ransom. You have to give part of the profit for this. Exactly what role Nikolay K. should have played is unclear – however, investigators have heard that he is “undoubtedly” a member of the REvil core group and thus probably earned a lot in every hacker attack.
Investigators are tracking Bitcoin payments
The arrest warrant is according to information from BR and “Zeit Online” prepared, months of investigative work has flowed into it. The LKA Baden-Württemberg found Nikolay K. through Bitcoin payments. In spring 2019, a software developer filed a complaint near Stuttgart. The hackers got hold of an employee’s access data and were able to break into the systems of some customers.
These also included the Stuttgart State Theaters. The e-mail traffic there was paralyzed for five days, instead of online tickets viewers received replacement cards written on with a ballpoint pen. In order to decrypt the data, the state theaters are said to have paid 15,000 euros in digital currency, according to media reports.
Following this attack, an investigation team was set up at the LKA Baden-Württemberg. It bears the name “Krabbe” – at that time the hacker was known under the name Gandcrab. Investigators and IT security experts believe that REvil and Gandcrab are the same criminals.
Talks at the highest political level
IT security experts think it obvious that many ransomware groups are based in Russia. In June, US President Joe Biden threatened his Russian counterpart Vladimir Putin with consequences if he did not take action against the hacker gangs operating from Russia.
The Federal Government also regularly raises the question of cyber threats to the Russian government, according to the Foreign Office. But identifying specific suspects is extremely difficult. This is exactly what the German investigators in the Nikolay K. case have now apparently achieved.
Network searches corroborate suspicions
Also reporters from BR and Zeit Online succeeded in following the traces Nikolay K. left on the internet. For example, there are photos from his youth, still without expensive watches and designer clothes. There are also indications that K. received money that is said to come directly from ransomware incidents. If you enter your Instagram username in search engines, you end up with an email address first. More than 60 websites were registered with this, some with authentic contact information, such as cell phone numbers. That comes from a database of the IT security company Domaintools.
One of these cell phone numbers is linked to a Telegram account that supposedly specializes in trading cryptocurrencies. Payments worth almost 400,000 euros were transferred to a Bitcoin address specified there. These payments probably originate from ransomware incidents, as explained by an expert who specializes in the evaluation of Bitcoin payments. Another assumes that K. got the money from someone who works for various ransomware groups, possibly an affiliate. One of these groups is REvil.
LKA does not comment on ongoing investigations
Officially, neither BKA nor LKA Baden-Württemberg want to comment on ongoing investigations. The responsible public prosecutor’s office in Stuttgart did not want to comment for over half a year and after repeated telephone inquiries. Just so much: the investigation was ongoing.
But some investigators believe that one needs to talk more clearly about the success of the investigation: “If we had someone who stole these sums of money in a bank robbery, there would be a lot more pressure. But the danger is not understood,” says one of them. In addition, public reporting makes it clear how successfully German authorities can work. That you have both talented staff and the technical means.
holidays in Turkey
Nevertheless, Nikolay K. is still at large – because German investigative authorities could only arrest him if he left Russia and traveled to a country that extradited to Germany. According to research by BR and Zeit Online given last year: The man spent his summer vacation with friends and his wife on the Turkish Mediterranean coast. However, there was no extradition request. The reasons are unclear.
Since it became known in mid-October that international investigators had succeeded in hijacking the hackers’ infrastructure, the hackers are likely to be extremely cautious. Whether Nikolay K. knows that he has been the focus of investigations for months is open. K. left a request unanswered. As long as he has not been legally convicted, the presumption of innocence applies. In any case, you can also find holiday photos from Turkey on Instagram this summer. But the wife apparently traveled alone – Nikolay K. stayed in Russia this time.