{
	"id": "9aef7bc5-c03d-4b72-a89e-5974d9f6055e",
	"created_at": "2026-04-06T00:09:14.205806Z",
	"updated_at": "2026-04-10T03:20:33.984403Z",
	"deleted_at": null,
	"sha1_hash": "2c69906f2e9d2afa8f7bf7740e331b0b10b981f1",
	"title": "I scrounged through the trash heaps ... now I'm a millionaire:' An interview with REvil's Unknown",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 443896,
	"plain_text": "I scrounged through the trash heaps ... now I'm a millionaire:' An\r\ninterview with REvil's Unknown\r\nBy Dmitry Smilyanets\r\nPublished: 2023-01-24 · Archived: 2026-04-05 13:21:10 UTC\r\nEditor’s Note: It’s undeniable that ransomware is the big moneymaker in cybercrime right now. And some groups\r\nlooking to make a fortune are aggressively pushing the boundaries by raising their demands to seven or eight-figure sums, threatening to release data online if payments aren’t made, and targeting hospitals and other\r\nvulnerable organizations.\r\nOne group that has gained prominence for its audacious and lucrative tactics is REvil, also known as Sodinokibi.\r\nThe group runs a ransomware-as-a-service operation, in which developers sell malware to affiliates who use it to\r\nlock up an organization’s data and devices.\r\nIn addition to publishing victim data online when companies don’t pay demands, REvil has attracted attention for\r\ntrying to extort then-President Donald Trump and claiming to bring in $100 million in revenue from their\r\noperations. And according to an REvil representative that uses the alias “Unknown,” the group has big plans for\r\n2021.\r\nSome of Unknown’s claims, like affiliates with access to ballistic missile launch systems and nuclear power plants,\r\nseem outlandish—until you read reports that make them seem eerily plausible. The Record is not able to verify the\r\nassertions. Unknown talked to Recorded Future expert threat intelligence analyst Dmitry Smilyanets recently\r\nabout using ransomware as a weapon, staying out of politics, experimenting with new tactics, and much more. The\r\ninterview was conducted in Russian and translated to English with the help of a professional translator, and has\r\nbeen edited for clarity.\r\nDmitry Smilyanets: Unknown, how did you decide to get into the business of ransomware?\r\nUnknown: Speaking personally, it was a long time ago. Since 2007, when there were winlockers and SMS. 
Even\r\nthen, it brought a good profit.\r\nDS: You had a $1 million deposit on a hacking forum and mentioned $100 million in revenue — considering\r\nyou get payments in cryptocurrency, then today you probably have half a billion dollars. How much is\r\nenough to make you quit ransomware?\r\nUNK: You counted everything correctly. The deposit was withdrawn precisely because of the exchange rate. For\r\nme personally, there is no ceiling amount. I just love doing it and making a profit from it. There is never too much\r\nmoney—but there’s always the risk of not enough money. Although, if we talk about advertisers, one felt that $50\r\nmillion U.S. was enough and he retired. However, after four months he returned—turned out that wasn’t enough\r\nmoney. Think about it.\r\nhttps://therecord.media/i-scrounged-through-the-trash-heaps-now-im-a-millionaire-an-interview-with-revils-unknown/\r\nPage 1 of 6\n\nDS: You previously said that you remain apolitical, and are purely financially motivated. But if you do\r\ndecide that you’ve made enough money, could your point of view change and you decide to impact\r\ngeopolitics?\r\nUNK: I don't really want to be a bargaining chip. We brushed up against politics and nothing good came of it—\r\nonly losses. With the current geopolitical relationships, everything is very beneficial for us even without any\r\ninterference.\r\nDS: What makes REvil so special? The code? Affiliates? Media attention?\r\nUNK: I think it's all of that working together. For example, this interview. It seems like, why would we even need\r\nit? On the other hand, better we give it than our competitors. Unusual ideas, new methods, and brand reputation all\r\ngive good results. As I said, we are creating a new branch of development for extortion. 
If you look at the\r\ncompetitors, unfortunately, many people simply copy our ideas and what is most surprising—the style of the text\r\nof our messages. It's nice—they try to show that they are as good as us, trying to reach the level and even striving\r\nto surpass in some things. And in some things they are already better. For example, with those Linux versions and\r\nso on. But this is temporary. Of course, we are working on all of this as well, but with one caveat—it will all be\r\nmuch better. Therefore, a little bit slower.\r\nREvil uses its dark web \"Happy Blog\" to publicize data auctions for ransomware victims who have not paid\r\ndemands.\r\nDS: Elliptic Curve Cryptography (ECC) was a really good choice [editor’s note: ECC has a smaller key size\r\nthan the RSA-based public-key system, which makes it attractive to affiliates] what else are you proud of,\r\nwhat part of the code? How do you decide when it’s time for new features in the code?\r\nUNK: A search by IOCP [Input/output completion port], a back connection borrowed from crabs [carders], a\r\nserver-side protection system—there are many advantages, it is better to read AV reviews. Personally, I really like\r\nthe encryption system. It came out almost perfect.\r\nDS: I have been impressed with the variety of packers and crypters I’ve seen with your malware. Do you\r\nsell them to others? I saw one used in a Maze malware sample once. Do you sell them or did one of your\r\nemployees move to a competitor?\r\nUNK: Partners often switch affiliate programs and because of this, there is that kind of variety.\r\nDS: Pavel Sitnikov said that you bought the GandCrab code from Maksim Plakhtiy, is this true?\r\nUNK: It’s true that we bought it, but the names and so on are unknown to us. 
Even if it was the Rotten Gene, we\r\ndon't care.\r\nDS: Do you believe that ransomware is a perfect weapon for cyberwar? Are you afraid that one day it could\r\nstart a real war?\r\nUNK: Yes, as a weapon it can be very destructive. Well, I know at the very least that several affiliates have access\r\nto a ballistic missile launch system, one to a U.S. Navy cruiser, a third to a nuclear power plant, and a fourth to a\r\nweapons factory. It is quite feasible to start a war. But it's not worth it—the consequences are not profitable.\r\nDS: What other regions besides the CIS [mainly comprised of post-Soviet republics] do you try to avoid?\r\nWhat organizations never pay?\r\nUNK: All the CIS, including Georgia and Ukraine. Primarily because of geopolitics. Secondly because of the\r\nlaws. Thirdly, for some, because of patriotism. Very poor countries don’t pay — India, Pakistan, Afghanistan, and\r\nso on.\r\nDS: You previously mentioned that you and your affiliates understand the risks of going abroad and don’t\r\ntravel. Do you think there can be a “winds of change” and local law enforcement will start paying attention\r\nto your operations?\r\nUNK: If we get into politics, yes. If we look at the countries in the CIS, yes. For everything else—we remain\r\nneutral.\r\nDS: Do old-school criminals cause any issues?\r\nUNK: They don’t.\r\nDS: What’s your usual reaction when you see a ransomware gang or affiliate getting charged or arrested?\r\nNetwalker and Egregor reduced their operations since the raids, how do you feel about that?\r\nUNK: Neutral. This is a normal workflow. Due to the closure of the Maze, we have only increased the number of\r\npromising affiliates. 
So for us, I would say it is positive, in a way.\r\nDS: What was the highest number of affiliates you had at any one time?\r\nUNK: 60.\r\nDS: When they leave, is it because they’re done with ransomware or because they jump ship to another\r\nransomware-as-a-service for better rates? Does it create any issues or problems for you when an affiliate\r\nmoves to a competitor?\r\nUNK: There are definitely two sides to this. 30% leave because they have earned enough. But naturally, they\r\nalways come back sooner or later. Otherwise, yes, they go to competitors who dump the rates (up to 90% and so\r\non). Of course, this is unpleasant, but this is competition. It means that we need to make sure that people return.\r\nGive them what others don’t.\r\nDS: Some operators give a percentage of their earnings to charities. What’s your opinion on this? Who\r\nwould you like to donate a million to?\r\nUNK: Free projects for anonymity.\r\nDS: How has your interaction with victim organizations changed since the beginning of the pandemic?\r\nUNK: It’s definitely changed. The crisis is palpable, they are not able to pay the same amounts as before. Except\r\nfor manufacturers of pharmaceutical products. I think it is worth paying more attention to them. They are doing\r\njust fine. We need to help them.\r\nDS: Do your operators target organizations that have cyber insurance?\r\nUNK: Yes, this is one of the tastiest morsels. Especially to hack the insurers first—to get their customer base and\r\nwork in a targeted way from there. And after you go through the list, then hit the insurer themselves.\r\nDS: How do you treat ransomware negotiators? Is it easier to deal with professionals? Do they help or make\r\nit more difficult?\r\nUNK: 70% are just there to knock down the price. Very often they make it harder. 
Well, for example, the company\r\nhas a revenue of $1 billion. They are being ransomed for $1 million. The negotiator comes and says, we don't care,\r\nwe won't give more than $15,000. We reduce the price to $900,000. He offers $20,000. Well, then we understand\r\nthat the conversation with him is meaningless and we start publishing the data so that the owners of the network\r\nsmack him upside the head for negotiating like that. And of course, after those kinds of tricks, the price tag only\r\ngoes up. Instead of $1 million, they will pay one-and-a-half. Nobody likes hagglers, especially show-offs. So,\r\nmore often than not, they are likely to do more harm. They only help purely in buying BTC or Monero. The rest is\r\nharmful.\r\nDS: Do you recommend any specific negotiators to the compromised businesses or do they act on their\r\nown? Not everyone has 100 BTC on hand to buy out the data and it’s not that easy to get on short notice.\r\nUNK: We write to decent intermediaries to let them know the target so that they can reach out themselves. We\r\ngive good discounts to decent intermediaries so that they can make a bit of profit and the companies pay less. And\r\nin terms of deadlines—we can always give some extra time. In general, if there is an understanding that you have\r\nto pay, no other options, but not as much, we will find a common language. But if we get delusional messages\r\nlike, “There is no money” or, “We will pay one-tenth,” you have no one to blame but yourself.\r\nReferences to REvil attacks gathered from private and underground sources. Courtesy of Recorded Future.\r\nDS: You said that you like to apply additional pressure through DDoS [editor’s note: distributed denial-of-service attacks involve flooding a site with junk traffic, making it unreachable]. 
How effective is this\r\nscheme?\r\nUNK: We do not use it often, in contrast to calls. Calling gives a very good result. We call each target as well as\r\ntheir partners and journalists—the pressure increases significantly. And after that, if you start publishing files,\r\nwell, it is absolutely gorgeous. But to finish off with DDoS is to kill the company. Literally. I also think we will\r\nexpand this tactic to persecution of the CEO and/or founder of the company. Personal OSINT, bullying. I think\r\nthis will also be a very fun option. But victims need to understand that the more resources we spend before your\r\nransom is paid—all this will be included in the cost of the service. =)\r\nDS: Tell me a secret.\r\nUNK: As a child, I scrounged through the trash heaps and smoked cigarette butts. I walked 10 km one way to the\r\nschool. I wore the same clothes for six months. In my youth, in a communal apartment, I didn’t eat for two or even\r\nthree days. Now I am a millionaire.\r\nDmitry Smilyanets\r\nMission-driven and Russian-speaking intelligence analyst with type A personality. Dmitry has twenty years of\r\nexperience and expertise in cybercrime activity that includes being a former member of an elite Russian-based\r\nhacking organization.\r\nSource: https://therecord.media/i-scrounged-through-the-trash-heaps-now-im-a-millionaire-an-interview-with-revils-unknown/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://therecord.media/i-scrounged-through-the-trash-heaps-now-im-a-millionaire-an-interview-with-revils-unknown/"
	],
	"report_names": [
		"i-scrounged-through-the-trash-heaps-now-im-a-millionaire-an-interview-with-revils-unknown"
	],
	"threat_actors": [],
	"ts_created_at": 1775434154,
	"ts_updated_at": 1775791233,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2c69906f2e9d2afa8f7bf7740e331b0b10b981f1.pdf",
		"text": "https://archive.orkl.eu/2c69906f2e9d2afa8f7bf7740e331b0b10b981f1.txt",
		"img": "https://archive.orkl.eu/2c69906f2e9d2afa8f7bf7740e331b0b10b981f1.jpg"
	}
}