Russian Hacker Pleads Guilty to Money Laundering Linked to Ryuk Ransomware

February 8, 2023 | Rabbi Lakshmanan | Cryptocurrency / Endpoint Security


On February 7, 2023, a Russian citizen pleaded guilty in the United States to money laundering charges and to attempting to conceal the source of funds obtained in connection with Ryuk ransomware attacks.

Denis Mihaqlovic Dubnikov, 30, was arrested in Amsterdam in November 2021 and extradited from the Netherlands in August 2022. He is awaiting sentencing on April 11, 2023.

“Between at least August 2018 and August 2021, Dubnikov and his co-conspirators laundered the proceeds of a Ryuk ransomware attack against individuals and organizations in the United States and abroad,” the Department of Justice (DoJ) said.

Dubnikov and his accomplices are said to have been involved in various criminal schemes designed to cover the trail of ill-gotten proceeds.

According to the DoJ, part of the 250 bitcoin ransom paid by a US company following the Ryuk attack in July 2019 was sent to Dubnikov in exchange for about $400,000. The cryptocurrency was then converted to Tether and transferred to the co-conspirators, who exchanged it for Chinese yuan.

Overall, it is estimated that parties involved in the criminal enterprise laundered at least $150 million in ransom payments.

Dubnikov is also the co-founder of Coyote Crypto and Eggchange, which is headquartered in Federation Tower East (or Vostok). Vostok is a skyscraper known for housing multiple cryptocurrency businesses linked to money laundering for ransomware operations.

According to Chainalysis, Eggchange received over $34 million in cryptocurrency from darknet markets, scams, scam shops, and ransomware operators between 2019 and 2021.

First appearing on the threat landscape in 2018, Ryuk is attributed to a threat actor tracked as Wizard Spider and has been used to compromise government, academic, medical, manufacturing, and technology organizations.

Often delivered via first-stage malware such as TrickBot and BazarBackdoor, Ryuk is also the predecessor to the Conti ransomware, which ceased activity in May 2022 and split into smaller units.
