Mar 14, 2024NewsroomRansomware / Cyber Crime

A 34-year-old Russian-Canadian national has been sentenced to nearly four years in jail in Canada for his participation in the LockBit global ransomware operation.

Mikhail Vasiliev, an Ontario resident, was originally arrested in November 2022 and charged by the U.S. Department of Justice (DoJ) with “conspiring with others to intentionally damage protected computers and to transmit ransom demands in connection with doing so.”

News of Vasiliev’s jail term was first reported by CTV News.

The defendant, who had his home searched by Canadian law enforcement authorities in August and October 2022, is said to have kept a list of “prospective or historical” victims and screenshots of communications exchanged with “LockBitSupp” on the Tox messaging platform.

The raid also uncovered a text file with instructions to deploy LockBit ransomware, the ransomware source code, and a control panel used by the e-crime group to deliver the file-locking malware.

Vasiliev, according to CTV News, pleaded guilty to eight counts of cyber extortion, mischief, and weapons charges last month. During the sentencing, he was characterized by Justice Michelle Fuerst as a “cyber terrorist” who was “motivated by his own greed.”

He is believed to have become a cyber criminal while at home during the COVID-19 pandemic, attempting to seek ransom payments from three Canadian companies between 2021 and 2022 by stealing their data and holding it hostage.

Vasiliev, who has consented to being extradited to the U.S., has also been ordered to pay back more than $860,000 in restitution.

One of the most prolific ransomware groups in history, LockBit suffered a huge blow in February 2024, when its infrastructure was seized in a coordinated law enforcement operation. The disruption was accompanied by arrests of three LockBit affiliates in Poland and Ukraine.

Although the group reemerged with a new data leak site, there is evidence to suggest that the new victims being listed are either old or fake, designed to give an impression that the group is back up and running.

The development arrives as a federal jury in Washington, D.C., convicted Roman Sterlingov, a dual Russian-Swedish national, for his operation of Bitcoin Fog from 2011 through 2021, facilitating the laundering of profits made from the sale of illegal narcotics, computer crimes, stolen identities, and child sexual abuse material.

Ilya Lichtenstein, who pleaded guilty in August 2023 to the theft of about 120,000 bitcoin in connection to the hack of the Bitfinex cryptocurrency exchange, testified last month how he had used Bitcoin Fog 10 times to launder the virtual assets, Bloomberg reported.

“Bitcoin Fog was the longest-running cryptocurrency ‘mixer,’ gaining notoriety as a go-to money laundering service for criminals seeking to hide their illicit proceeds from law enforcement,” the DoJ said.

“Over the course of its decade-long operation, Bitcoin Fog moved over 1.2 million bitcoin, which was valued at approximately $400 million at the time of the transactions.”

Feb 18, 2024NewsroomMalware / Cybercrime

A Ukrainian national has pleaded guilty in the U.S. to his role in two different malware schemes, Zeus and IcedID, between May 2009 and February 2021.

Vyacheslav Igorevich Penchukov (aka Vyacheslav Igoravich Andreev, father, and tank), 37, was arrested by Swiss authorities in October 2022 and extradited to the U.S. last year. He was added to the FBI’s most-wanted list in 2012.

The U.S. Department of Justice (DoJ) described Penchukov as a “leader of two prolific malware groups” that infected thousands of computers with malware, leading to ransomware and the theft of millions of dollars.

This included the Zeus banking trojan that facilitated the theft of bank account information, passwords, personal identification numbers, and other details necessary to login to online banking accounts.

Penchukov and his co-conspirators, as part of the “wide-ranging racketeering enterprise” dubbed Jabber Zeus gang, then masqueraded as employees of the victims to initiate unauthorized fund transfers.

They also used individuals residing in the U.S. and other parts of the world as “money mules” to receive the wired funds, which were ultimately funneled to overseas accounts controlled by Penchukov et al. A successor to Zeus was dismantled in 2014.

The defendant has also been accused of facilitating malicious activity by helping lead attacks involving the IcedID (aka BokBot) malware from at least November 2018. The malware is capable of acting as an information stealer and a loader for other payloads, such as ransomware.

Ultimately, as investigative journalist Brian Krebs reported back in 2022, he managed to evade prosecution by Ukrainian cybercrime investigators for many years due to his political connections with former Ukrainian President Victor Yanukovych.

Following his arrest and extradition, Penchukov pleaded guilty to one count of conspiracy to commit a racketeer-influenced and corrupt organization (RICO) act offense for his leadership role in the Jabber Zeus group. He also pleaded guilty to one count of conspiracy to commit wire fraud for his leadership role in the IcedID malware group.

Penchukov is scheduled to be sentenced on May 9, 2024, and faces a maximum penalty of 20 years in prison for each count.

The development comes as the DoJ announced the extradition of a 28-year-old Ukrainian national from the Netherlands in connection with fraud, money laundering and aggravated identity theft by allegedly operating and advertising an information stealer known as Raccoon.

Mark Sokolovsky, who was arrested by Dutch authorities in March 2022, leased Raccoon to other cybercriminals on a malware-as-a-service (MaaS) model for $200 a month. It first became available in April 2019.

“These individuals used various ruses, such as email phishing, to install the malware onto the computers of unsuspecting victims,” the DoJ said.

“Raccoon infostealer then stole personal data from victim computers, including login credentials, financial information, and other personal records. Stolen information was used to commit financial crimes or was sold to others on cybercrime forums.”

At least 50 million unique credentials and forms of identification have been harvested by the malware, according to the U.S. Federal Bureau of Investigation (FBI) estimates.

Sokolovsky’s arrest was accompanied by a coordinated takedown of Raccoon’s digital infrastructure, but a new version of the stealer, called RecordBreaker, has since emerged in the wild.

He has been charged with one count of conspiracy to commit fraud and related activity in connection with computers, one count of conspiracy to commit wire fraud, one count of conspiracy to commit money laundering, and one count of aggravated identity theft.