{
	"id": "11607f62-424d-4645-b044-34f588e658b1",
	"created_at": "2026-04-06T00:19:56.953085Z",
	"updated_at": "2026-04-10T13:12:51.285141Z",
	"deleted_at": null,
	"sha1_hash": "0ada10a6d20c7d89b66b772c423dc2a9eaaf7b37",
	"title": "Russian hacker Pavel Sitnikov arrested for sharing malware source code",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 898746,
	"plain_text": "Russian hacker Pavel Sitnikov arrested for sharing malware source code\r\nBy Catalin Cimpanu\r\nPublished: 2022-12-16 · Archived: 2026-04-05 16:23:26 UTC\r\nRussian authorities have detained earlier this month a popular figure on the Russian hacking scene on charges of distributing malicious software via his Telegram channel.\r\nPavel Sitnikov, known primarily for operating the now-suspended @Flatl1ne Twitter account and the Freedom F0x Telegram channel, was raided by law enforcement officials on May 20 at his home in the town of Velikiye Luki, in the Pskov region in Eastern Russia.\r\nHe was charged the next day under Article 273, Part 2 of Russian criminal law, and forbidden to leave the town or use any electronic devices until his trial.\r\nSources close to Sitnikov have told Recorded Future analysts that the Russian hacker was allegedly charged for posting the source code of the Anubis banking trojan on Freedom F0x, a Telegram channel where Sitnikov often posted data leaks and malware source code under the pretense of helping the security community.\r\nSuspect's wife claims arrest is payback\r\nBut in a video interview with Russian news site Readovka, which first reported on the arrest, Sonia Sitnikov, the suspect's wife, claimed the arrest was actually related to a post her husband made on December 9, last year, when he shared a download link to the personal data of more than 300,000 COVID-19 patients who had registered with the Moscow Department of Health.\r\nhttps://therecord.media/russian-hacker-pavel-sitnikov-arrested-for-sharing-malware-source-code/\r\nPage 1 of 3\r\nThe data, which contained names, phone numbers, addresses, and COVID-19 status, sparked an outcry at the time, but Moscow officials eventually confirmed that the leak occurred because of a human error and not because of a malicious intrusion.\r\nNevertheless, despite high-ranking officials admitting their mistake, Sitnikov's wife believes the investigation and the Anubis-related charges are payback for publicizing the leak last December.\r\nIn an interview with The Record last year, Sitnikov touched on the sensitive nature of leaking data from Russian companies, such as banks, and the reason he did it.\r\nThis data is obtained either from the banks themselves, or fraudulently by various cybercriminal groups or researchers. Either sold or leaked publicly. As long as the knowledge about the leak is hidden and not publicized, people affected by the leak continue to suffer. As soon as it is announced, the most important thing is that at least for the moment those who are mentioned in the leak think about their security.\r\nPavel Sitnikov\r\nSuspect faces up to five years in prison\r\nSitnikov, who at one point claimed to have connections to Russian state-sponsored hacking group APT28 (Fancy Bear), has a long and muddled history on the cybercrime underground.\r\nA member of multiple underground hacking communities, Sitnikov previously sold and shared the source code of multiple malware strains, such as Carberp, Dexter, Alina, Rovnix, and Tinba, which is why the recent charges did not surprise those who followed his past activity.\r\nUnder Article 273, Part 2 of Russian criminal law, Sitnikov risks up to five years in prison.\r\nCatalin Cimpanu is a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.\r\nSource: https://therecord.media/russian-hacker-pavel-sitnikov-arrested-for-sharing-malware-source-code/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://therecord.media/russian-hacker-pavel-sitnikov-arrested-for-sharing-malware-source-code/"
	],
	"report_names": [
		"russian-hacker-pavel-sitnikov-arrested-for-sharing-malware-source-code"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434796,
	"ts_updated_at": 1775826771,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0ada10a6d20c7d89b66b772c423dc2a9eaaf7b37.pdf",
		"text": "https://archive.orkl.eu/0ada10a6d20c7d89b66b772c423dc2a9eaaf7b37.txt",
		"img": "https://archive.orkl.eu/0ada10a6d20c7d89b66b772c423dc2a9eaaf7b37.jpg"
	}
}