On February 7, 2023, a Russian national, Denis Mihaqlovic Dubnikov, admitted in a U.S. court to money laundering and concealing the source of funds obtained through Ryuk ransomware attacks. Dubnikov, who was arrested in Amsterdam in November 2021 and later extradited from the Netherlands in August 2022, will be sentenced on April 11, 2023.
According to the Department of Justice, Dubnikov and his co-conspirators laundered the proceeds of Ryuk ransomware attacks on individuals and organizations across the U.S. and globally between August 2018 and August 2021. The group employed various criminal methods to hide the trail of the illegal funds.
The Department of Justice revealed that in July 2019, a portion of the 250 bitcoin ransom paid by a U.S. company after a Ryuk attack was sent to Dubnikov in exchange for $400,000. The cryptocurrency was then converted to Tether and transferred to a co-conspirator, who exchanged it for Chinese renminbi. The total amount laundered by the criminal enterprise is estimated to be at least $150 million in ransom payments.
Dubnikov is also the co-founder of Coyote Crypto and Eggchange, with the latter located in Federation Tower East (Vostok), a skyscraper known for harboring several cryptocurrency businesses linked to money laundering activities associated with ransomware operations. According to Chainalysis, Eggchange received over $34 million worth of cryptocurrency from darknet markets, scams, fraud shops, and ransomware operators between 2019 and 2021.
Ryuk, a threat actor tracked as “Wizard Spider,” first appeared on the threat landscape in 2018 and has targeted governments, academia, healthcare, manufacturing, and technology organizations. Delivered through first-stage malware such as TrickBot or BazarBackdoor, Ryuk is also a precursor to the Conti ransomware, which ceased operations in May 2022 and fragmented into smaller units.