{
	"id": "d1f954af-3001-45d4-94e6-75dfbd17940d",
	"created_at": "2026-04-06T00:16:37.032297Z",
	"updated_at": "2026-04-10T03:29:39.802308Z",
	"deleted_at": null,
	"sha1_hash": "297af91a116a3dff40bd590bea729249beaf4cfc",
	"title": "Who Wrote the ALPHV/BlackCat Ransomware Strain?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1150116,
	"plain_text": "Who Wrote the ALPHV/BlackCat Ransomware Strain?\r\nPublished: 2022-01-28 · Archived: 2026-04-05 19:01:28 UTC\r\nIn December 2021, researchers discovered a new ransomware-as-a-service named ALPHV (a.k.a. “BlackCat“),\r\nconsidered to be the first professional cybercrime group to create and use a ransomware strain written in the Rust\r\nprogramming language. In this post, we’ll explore some of the clues left behind by a developer who was reputedly\r\nhired to code the ransomware variant.\r\nImage: Varonis.\r\nAccording to an analysis released this week by Varonis, ALPHV is actively recruiting operators from several\r\nransomware organizations — including REvil, BlackMatter and DarkSide — and is offering affiliates up to 90\r\npercent of any ransom paid by a victim organization.\r\n“The group’s leak site, active since early December 2021, has named over twenty victim organizations as of late\r\nJanuary 2022, though the total number of victims, including those that have paid a ransom to avoid exposure, is\r\nlikely greater,” Varonis’s Jason Hill wrote.\r\nOne concern about more malware shifting to Rust is that it is considered a much more secure programming\r\nlanguage compared to C and C++, writes Catalin Cimpanu for The Record. The upshot? Security defenders are\r\nconstantly looking for coding weaknesses in many ransomware strains, and if more start moving to Rust it could\r\nbecome more difficult to find those soft spots.\r\nResearchers at Recorded Future say they believe the ALPHV/BlackCat author was previously involved with the\r\ninfamous REvil ransomware cartel in some capacity. Earlier this month the Russian government announced that at\r\nthe United States’ request it arrested 14 individuals in Russia thought to be REvil operators.\r\nhttps://krebsonsecurity.com/2022/01/who-wrote-the-alphv-blackcat-ransomware-strain/\r\nPage 1 of 6\n\nStill, REvil rolls on despite these actions, according to Paul Roberts at ReversingLabs. 
“The recent arrests have\r\nNOT led to a noticeable change in detections of REvil malicious files,” Roberts wrote. “In fact, detections of files\r\nand other software modules associated with the REvil ransomware increased modestly in the week following the\r\narrests by Russia’s FSB intelligence service.”\r\nMeanwhile, the U.S. State Department has a standing $10 million reward for information leading to the\r\nidentification or location of any individuals holding key leadership positions in REvil.\r\nWHO IS BINRS?\r\nA confidential source recently had a private conversation with a support representative who fields questions and\r\ninquiries on several cybercrime forums on behalf of a large and popular ransomware affiliate program. The\r\naffiliate rep confirmed that a coder for ALPHV was known by the handle “Binrs” on multiple Russian-language\r\nforums.\r\nOn the cybercrime forum RAMP, the user Binrs says they are a Rust developer who’s been coding for 6 years.\r\n“My stack is Rust, nodejs, php, golang,” Binrs said in an introductory post, in which they claim to be fluent in\r\nEnglish. 
Binrs then signs the post with their identification number for ToX, a peer-to-peer instant messaging\r\nservice.\r\nThat same ToX ID was claimed by a user called “smiseo” on the Russian forum BHF, in which smiseo advertises\r\n“clipper” malware written in Rust that swaps in the attacker’s bitcoin address when the victim copies a\r\ncryptocurrency address to their computer’s temporary clipboard.\r\nThe nickname “YBCat” advertised that same ToX ID on Carder[.]uk, where this user claimed ownership over the\r\nTelegram account @CookieDays, and said they could be hired to do software and bot development “of any level\r\nof complexity.” YBCat mostly sold “installs,” offering paying customers the ability to load malware of their choice\r\non thousands of hacked computers simultaneously.\r\nThere is also an active user named Binrs on the Russian crime forum wwh-club[.]co who says they’re a Rust\r\ncoder who can be reached at the @CookieDays Telegram account.\r\nOn the Russian forum Lolzteam, a member with the username “DuckerMan” uses the @CookieDays Telegram\r\naccount in his signature. In one thread, DuckerMan promotes an affiliate program called CookieDays that lets\r\npeople make money by getting others to install cryptomining programs that are infected with malware. In another\r\nthread, DuckerMan is selling a different clipboard hijacking program called Chloe Clipper.\r\nThe CookieDays moneymaking program.\r\nAccording to threat intelligence firm Flashpoint, the Telegram user DuckerMan employed another alias — Sergey\r\nDuck. 
These accounts were most active in the Telegram channels “Bank Accounts Selling,” “Malware developers\r\ncommunity,” and “Raidforums,” a popular English-language cybercrime forum.\r\nI AM DUCKERMAN\r\nThe GitHub account for a Sergey DuckerMan lists dozens of code repositories this user has posted online over the\r\nyears. The majority of these projects were written in Rust, and the rest in PHP, Golang and Nodejs — the same\r\ncoding languages specified by Binrs on RAMP. The Sergey DuckerMan GitHub account also says it is associated\r\nwith the “DuckerMan” account on Telegram.\r\nSergey DuckerMan’s GitHub profile.\r\nSergey DuckerMan has left many accolades for other programmers on GitHub — 460 to be exact. In June 2020,\r\nfor example, DuckerMan gave a star to a proof-of-concept ransomware strain written in Rust.\r\nSergey DuckerMan’s GitHub profile says their social media account at Vkontakte (Russian version of\r\nFacebook/Meta) is vk.com/duckermanit. That profile is restricted to friends-only, but states that it belongs to a\r\nSergey Pechnikov from Shuya, Russia.\r\nA look at the Duckermanit VKontakte profile in Archive.org shows that until recently it bore a different name:\r\nSergey Kryakov. The current profile image on the Pechnikov account shows a young man standing closely next\r\nto a young woman.\r\nKrebsOnSecurity reached out to Pechnikov in transliterated Russian via the instant message feature built into\r\nVKontakte.\r\n“I’ve heard about ALPHV,” Pechnikov replied in English. “It sounds really cool and I’m glad that Rust becomes\r\nmore and more popular, even in malware sphere. 
But I don’t have any connections with ransomware at all.”\r\nI began explaining the clues that led to his VK account, and how a key cybercriminal actor in the ransomware\r\nspace had confirmed that Binrs was a core developer for the ALPHV ransomware.\r\n“Binrs isn’t even a programmer,” Pechnikov interjected. “He/she can’t be a DuckerMan. I am DuckerMan.”\r\nBK: Right. Well, according to Flashpoint, the Telegram user DuckerMan also used the alias Sergey Duck.\r\nSergey: Yep, that’s me.\r\nBK: So you can see already how I arrived at your profile?\r\nSergey: Yep, you’re a really good investigator.\r\nBK: I noticed this profile used to have a different name attached to it. A ‘Sergey Kryakov.’\r\nSergey: It was my old surname. But I hated it so much I changed it.\r\nBK: What did you mean Binrs isn’t even a programmer?\r\nSergey: I haven’t found any [of] his accounts on sites like GitHub/stack overflow. I’m not sure, does binrs sell\r\nRust Clipper?\r\nBK: So you know his work! I take it that despite all of this, you maintain you are not involved in coding malware?\r\nSergey: Well, no, but I have some “connections” with these guys. Speaking about Binrs, I’ve been researching his\r\npersonality since October too.\r\nBK: Interesting. What made you want to research his personality? Also, please help me understand what you\r\nmean by “connections.”\r\nSergey: I think he is actually a group of some people. I’ve written him on telegram from different accounts, and\r\nhis way of speaking is different. Maybe some of them somehow tied with ALPHV. But on forums (I’ve checked\r\nonly XSS and Exploit) his ways of speaking are the same.\r\nBK: …..\r\nSergey: I don’t know how to explain this. By the way, binrs now is really silent, I think he’s lying low. Well, this\r\nis all I know.\r\nNo doubt he is. 
I enjoyed speaking with Sergey, but I also had difficulty believing most of what he said. Also, I\r\nwas bothered that Sergey hadn’t exactly disputed the logic behind the clues that led to his VK account. In fact,\r\nhe’d stated several times that he was impressed with the investigation.\r\nIn many previous Breadcrumbs stories, it is common at this point for the interviewee to claim they were being set\r\nup or framed. But Sergey never even floated the idea.\r\nI asked Sergey what might explain all these connections if he wasn’t somehow involved in coding malicious\r\nsoftware. His answer, our final exchange, was again equivocal.\r\n“Well, all I have is code on my github,” he replied. “So it can be used [by] anyone, but I don’t think my projects\r\nsuit for malwares.”\r\nUpdate, Jan 29, 4:26 p.m. ET: Sergey Duckerman has deleted their GitHub account. Meanwhile, the user Binrs\r\nhas been (preemptively?) banning their profile from multiple cybercrime forums where they were previously\r\nactive.\r\nSource: https://krebsonsecurity.com/2022/01/who-wrote-the-alphv-blackcat-ransomware-strain/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://krebsonsecurity.com/2022/01/who-wrote-the-alphv-blackcat-ransomware-strain/"
	],
	"report_names": [
		"who-wrote-the-alphv-blackcat-ransomware-strain"
	],
	"threat_actors": [
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434597,
	"ts_updated_at": 1775791779,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/297af91a116a3dff40bd590bea729249beaf4cfc.pdf",
		"text": "https://archive.orkl.eu/297af91a116a3dff40bd590bea729249beaf4cfc.txt",
		"img": "https://archive.orkl.eu/297af91a116a3dff40bd590bea729249beaf4cfc.jpg"
	}
}