{ "id": "42b1e667-44b9-4d8e-9f4a-ae08081754b6", "created_at": "2026-04-06T00:20:53.809941Z", "updated_at": "2026-04-10T03:36:11.317177Z", "deleted_at": null, "sha1_hash": "63be2c0bfeda1ccf6ad4461fb8a2d32ea4f73eb8", "title": "Russian man pleads guilty to laundering Ryuk ransomware money", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 4089375, "plain_text": "Russian man pleads guilty to laundering Ryuk ransomware money\r\nBy Sergiu Gatlan\r\nPublished: 2023-02-07 · Archived: 2026-04-05 15:14:24 UTC\r\nRussian citizen Denis Mihaqlovic Dubnikov pleaded guilty on Tuesday to laundering money for the notorious Ryuk\r\nransomware group for over three years.\r\nThe guilty plea comes after Dubnikov, a former crypto-exchange executive and the co-founder of crypto trading platforms\r\nCoyote Crypto and Eggchange, was arrested in Amsterdam in November 2021 and extradited to the United States in August\r\n2022.\r\nHe made his first appearance in a U.S. federal court in Portland one day after the extradition date, on August 17, 2022.\r\nhttps://www.bleepingcomputer.com/news/security/russian-man-pleads-guilty-to-laundering-ryuk-ransomware-money/\r\nPage 1 of 4\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/russian-man-pleads-guilty-to-laundering-ryuk-ransomware-money/\r\nPage 2 of 4\n\nVisit Advertiser websiteGO TO PAGE\r\nFrom August 2018 to August 2021, Dubnikov and 13 other accomplices participated in money laundering activities\r\ninvolving proceeds from Ryuk ransomware attacks targeting individuals and organizations in the United States and\r\nworldwide.\r\nThe money laundering group, including Dubnikov, used various financial transactions, including international ones, to hide\r\nthe origin, location, and identity of those who received the ransom payments.\r\nRyuk is a former ransomware-as-a-service (RaaS) operation active between August 2018 and the middle of 2020, when the\r\nWizard Spider cybercrime group behind it switched to Conti ransomware.\r\nConti also shut down operations in May 2022, when it rebranded into multiple smaller units that either launched new\r\noperations or infiltrated existing ransomware gangs.\r\nRyuk ransomware submissions (ID Ransomware)\r\nDubnikov laundered Ryuk ransom paid by US company\r\nAccording to a superseding indictment, after victims paid the Ryuk ransoms in the form of bitcoin to private wallets, the co-conspirators involved in the money laundering scheme divided the payments into smaller amounts. Then they transferred the\r\nransoms to various other private wallets. \r\nThe criminal group used hundreds of private wallets to carry out these transactions, each with thousands of associated public\r\nkeys.\r\nThey then moved some of the bitcoin from the private wallets to cryptocurrency exchange accounts where the bitcoin was\r\nexchanged for Tether, other cryptocurrencies, or fiat currency.\r\nThe Ryuk ransom proceeds (exchanged into Tether or another cryptocurrency) were then sent to other conspirators' accounts\r\nat other cryptocurrency exchanges to be exchanged for fiat currency (usually Chinese Renminbi) using those exchanges'\r\n\"over the counter\" services.\r\n\"Specifically, in July 2019, a United States-based company paid a 250 Bitcoin Ryuk ransom after a ransomware attack. On\r\nor about July 11, 2019, in Moscow, Russia, Dubnikov accepted 35 Bitcoin from a co-conspirator in exchange for\r\napproximately $400,000,\" the Department of Justice said in a press release issued today.\r\n\"The Bitcoin transferred to Dubnikov were directly sourced from the ransom paid by the American company. Dubnikov\r\nconverted the Bitcoin to Tether and sent it to a second co-conspirator, who eventually exchanged it for Chinese Renminbi.\"\r\nIf found guilty, Dubnikov can get a sentence of up to 20 years of federal imprisonment, three years of supervised release,\r\nand a fine of up to $500,000. The defendant will be sentenced on April 11, 2023.\r\nhttps://www.bleepingcomputer.com/news/security/russian-man-pleads-guilty-to-laundering-ryuk-ransomware-money/\r\nPage 3 of 4\n\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/russian-man-pleads-guilty-to-laundering-ryuk-ransomware-money/\r\nhttps://www.bleepingcomputer.com/news/security/russian-man-pleads-guilty-to-laundering-ryuk-ransomware-money/\r\nPage 4 of 4", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://www.bleepingcomputer.com/news/security/russian-man-pleads-guilty-to-laundering-ryuk-ransomware-money/" ], "report_names": [ "russian-man-pleads-guilty-to-laundering-ryuk-ransomware-money" ], "threat_actors": [ { "id": "f6f91e1c-9202-4497-bf22-9cd5ef477600", "created_at": "2023-01-06T13:46:38.86765Z", "updated_at": "2026-04-10T02:00:03.12735Z", "deleted_at": null, "main_name": "WIZARD SPIDER", "aliases": [ "TEMP.MixMaster", "GOLD BLACKBURN", "DEV-0193", "UNC2053", "Pistachio Tempest", "DEV-0237", "Storm-0230", "FIN12", "Periwinkle Tempest", "Storm-0193", "Trickbot LLC" ], "source_name": "MISPGALAXY:WIZARD SPIDER", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e", "created_at": "2024-06-04T02:03:07.799286Z", "updated_at": "2026-04-10T02:00:03.606456Z", "deleted_at": null, "main_name": "GOLD BLACKBURN", "aliases": [ "ITG23 ", "Periwinkle Tempest ", "Wizard Spider " ], "source_name": "Secureworks:GOLD BLACKBURN", "tools": [ "BazarLoader", "Buer Loader", "Bumblebee", "Dyre", "Team9", "TrickBot" ], "source_id": "Secureworks", "reports": null }, { "id": "63061658-5810-4f01-9620-7eada7e9ae2e", "created_at": "2022-10-25T15:50:23.752974Z", "updated_at": "2026-04-10T02:00:05.244531Z", "deleted_at": null, "main_name": "Wizard Spider", "aliases": [ "Wizard Spider", "UNC1878", "TEMP.MixMaster", "Grim Spider", "FIN12", "GOLD BLACKBURN", "ITG23", "Periwinkle Tempest", "DEV-0193" ], "source_name": "MITRE:Wizard Spider", "tools": [ "TrickBot", "AdFind", "BITSAdmin", "Bazar", "LaZagne", "Nltest", "GrimAgent", "Dyre", "Ryuk", "Conti", "Emotet", "Rubeus", "Mimikatz", "Diavol", "PsExec", "Cobalt Strike" ], "source_id": "MITRE", "reports": null }, { "id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3", "created_at": "2022-10-25T16:07:24.422115Z", "updated_at": "2026-04-10T02:00:04.983298Z", "deleted_at": null, "main_name": "Wizard Spider", "aliases": [ "DEV-0193", "G0102", "Gold Blackburn", "Gold Ulrick", "Grim Spider", "ITG23", "Operation BazaFlix", "Periwinkle Tempest", "Storm-0230", "TEMP.MixMaster", "Wizard Spider" ], "source_name": "ETDA:Wizard Spider", "tools": [ "AdFind", "Agentemis", "Anchor_DNS", "BEERBOT", "BazarBackdoor", "BazarCall", "BazarLoader", "Cobalt Strike", "CobaltStrike", "Conti", "Diavol", "Dyranges", "Dyre", "Dyreza", "Dyzap", "Gophe", "Invoke-SMBAutoBrute", "KEGTAP", "LaZagne", "LightBot", "PowerSploit", "PowerTrick", "PsExec", "Ryuk", "SessionGopher", "TSPY_TRICKLOAD", "Team9Backdoor", "The Trick", "TheTrick", "Totbrick", "TrickBot", "TrickLoader", "TrickMo", "Upatre", "bazaloader", "cobeacon" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434853, "ts_updated_at": 1775792171, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/63be2c0bfeda1ccf6ad4461fb8a2d32ea4f73eb8.pdf", "text": "https://archive.orkl.eu/63be2c0bfeda1ccf6ad4461fb8a2d32ea4f73eb8.txt", "img": "https://archive.orkl.eu/63be2c0bfeda1ccf6ad4461fb8a2d32ea4f73eb8.jpg" } }