{
	"id": "b2801f2b-f20d-47ae-aacd-b7f980478afe",
	"created_at": "2026-04-06T00:15:12.789092Z",
	"updated_at": "2026-04-10T13:12:56.941405Z",
	"deleted_at": null,
	"sha1_hash": "787010028ffd69e6e7902348d8dfc191cf1de0eb",
	"title": "Who’s Behind the GandCrab Ransomware?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 95053,
	"plain_text": "Who’s Behind the GandCrab Ransomware?\r\nPublished: 2019-07-16 · Archived: 2026-04-05 19:21:25 UTC\r\nThe crooks behind an affiliate program that paid cybercriminals to install the destructive and wildly\r\nsuccessful GandCrab ransomware strain announced on May 31, 2019 they were terminating the program after\r\nallegedly having earned more than $2 billion in extortion payouts from victims. What follows is a deep dive into\r\nwho may be responsible for recruiting new members to help spread the contagion.\r\nImage: Malwarebytes.\r\nLike most ransomware strains, the GandCrab ransomware-as-a-service offering held files on infected systems\r\nhostage unless and until victims agreed to pay the demanded sum. But GandCrab far eclipsed the success of\r\ncompeting ransomware affiliate programs largely because its authors worked assiduously to update the malware\r\nso that it could evade antivirus and other security defenses.\r\nIn the 15-month span of the GandCrab affiliate enterprise beginning in January 2018, its curators shipped five\r\nmajor revisions to the code, each corresponding with sneaky new features and bug fixes aimed at thwarting the\r\nefforts of computer security firms to stymie the spread of the malware.\r\n“In one year, people who worked with us have earned over US $2 billion,” read the farewell post by the\r\neponymous GandCrab identity on the cybercrime forum Exploit[.]in, where the group recruited many of its\r\ndistributors. “Our name became a generic term for ransomware in the underground. The average weekly income\r\nof the project was equal to US $2.5 million.”\r\nThe message continued:\r\n“We ourselves have earned over US $150 million in one year. This money has been successfully cashed\r\nout and invested in various legal projects, both online and offline ones. It has been a pleasure to work\r\nwith you. But, like we said, all things come to an end. We are getting a well-deserved retirement. 
We\r\nare a living proof that you can do evil and get off scot-free. We have proved that one can make a\r\nhttps://krebsonsecurity.com/2019/07/whos-behind-the-gandcrab-ransomware/\r\nPage 1 of 4\n\nlifetime of money in one year. We have proved that you can become number one by general admission,\r\nnot in your own conceit.”\r\nEvil indeed, when one considers the damage inflicted on so many individuals and businesses hit by GandCrab —\r\neasily the most rapacious and predatory malware of 2018 and well into 2019.\r\nThe GandCrab identity on Exploit[.]in periodically posted updates about victim counts and ransom payouts. For\r\nexample, in late July 2018, GandCrab crowed that a single affiliate of the ransomware rental service had infected\r\n27,031 victims in the previous month alone, receiving about $125,000 in commissions.\r\nThe following month, GandCrab bragged that the program in July 2018 netted almost 425,000 victims and\r\nextorted more than one million dollars worth of cryptocurrencies, much of which went to affiliates who helped to\r\nspread the infections.\r\nRussian security firm Kaspersky Lab estimated that by the time the program ceased operations, GandCrab\r\naccounted for up to half of the global ransomware market.\r\nONEIILK2\r\nIt remains unclear how many individuals were active in the core GandCrab malware development team. But\r\nKrebsOnSecurity located a number of clues that point to the real-life identity of a Russian man who appears to\r\nhave been put in charge of recruiting new affiliates for the program.\r\nIn November 2018, a GandCrab affiliate posted a screenshot on the Exploit[.]in cybercrime forum of a private\r\nmessage between himself and a forum member known variously as “oneiilk2” and “oneillk2” that showed the\r\nlatter was in charge of recruiting new members to the ransomware earnings program.\r\nOneiilk2 also was a successful GandCrab affiliate in his own right. 
In May 2018, he could be seen in multiple\r\nExploit[.]in threads asking for urgent help obtaining access to hacked businesses in South Korea. These\r\nsolicitations go on for several weeks that month — with Oneiilk2 saying he’s willing to pay top dollar for the\r\nrequested resources. At the same time, Oneiilk2 can be seen on Exploit asking for help figuring out how to craft a\r\nconvincing malware lure using the Korean alphabet.\r\nLater in the month, Oneiilk2 says he no longer needs assistance on that request. Just a few weeks later, security\r\nfirms began warning that attackers were staging a spam campaign to target South Korean businesses with version\r\n4.3 of GandCrab.\r\nHOTTABYCH\r\nWhen Oneiilk2 registered on Exploit in January 2015, he used the email address hottabych_k2@mail.ru. That\r\nemail address and nickname had been used since 2009 to register multiple identities on more than a half dozen\r\ncybercrime forums.\r\nIn 2010, the hottabych_k2 address was used to register the domain name dedserver[.]ru, a site which marketed\r\ndedicated Web servers to individuals involved in various cybercrime projects. That domain registration record\r\nincluded the Russian phone number +7-951-7805896, which mail.ru’s password recovery function says is indeed\r\nthe phone number used to register the hottabych_k2 email account.\r\nAt least four posts made in 2010 to the hosting review service makeserver.ru advertise Dedserver and include\r\nimages watermarked with the nickname “oneillk2.”\r\nDedserver also heavily promoted a virtual private networking (VPN) service called vpn-service[.]us to help users\r\nobfuscate their true online locations. 
It’s unclear how closely connected these businesses were, although a cached\r\ncopy of the Dedserver homepage at Archive.org from 2010 suggests the site’s owners claimed it as their own.\r\nVpn-service[.]us was registered to the email address sec-service@mail.ru by an individual who used the\r\nnickname (and sometimes password) — “Metall2” — across multiple cybercrime forums.\r\nAround the same time the GandCrab affiliate program was kicking into high gear, Oneiilk2 had emerged as one of\r\nthe most trusted members of Exploit and several other forums. This was evident by measuring the total “reputation\r\npoints” assigned to him, which are positive or negative feedback awarded by other members with whom the\r\nmember has previously transacted.\r\nIn late 2018, Oneiilk2 was one of the top 20 highest-rated members among thousands of denizens on the Exploit\r\nforum, thanks in no small part to his association with the GandCrab enterprise.\r\nSearching on Oneiilk2’s registration email address hottabych_k2@mail.ru via sites that track hacked or leaked\r\ndatabases turned up some curious results. 
Those records show this individual routinely re-used the same password\r\nacross multiple accounts: 16061991.\r\nFor instance, that email address and password shows up in hacked password databases for an account “oneillk2”\r\nat zismo[.]biz, a Russian-language forum dedicated to news about various online money-making affiliate\r\nprograms.\r\nIn a post made on Zismo in 2017, Oneiilk2 states that he lives in a small town with a population of around\r\n400,000, and is engaged in the manufacture of furniture.\r\nHEAVY METALL\r\nFurther digging revealed that the hottabych_k2@mail.ru address had also been used to register at least two\r\naccounts on the social networking site Vkontakte, the Russian-language equivalent of Facebook.\r\nOne of those accounts was registered to a “Igor Kashkov” from Magnitogorsk, Russia, a metal-rich industrial\r\ntown in southern Russia of around 410,000 residents which is home to the largest iron and steel works in the\r\ncountry.\r\nThe Kashkov account used the password “hottabychk2,” the phone number 890808981338, and at one point\r\nprovided the alternative email address “prokopenko_k2@bk.ru.” However, this appears to have been simply an\r\nabandoned account, or at least there are only a couple of sparse updates to the profile.\r\nThe more interesting Vkontakte account tied to the hottabych_k2@mail.ru address belongs to a profile under the\r\nname “Igor Prokopenko,” who says he also lives in Magnitogorsk. The Igor Prokopenko profile says he has\r\nstudied and is interested in various types of metallurgy.\r\nThere is also a Skype voice-over-IP account tied to an “Igor” from Magnitogorsk whose listed birthday is June 16,\r\n1991. In addition, there is a fairly active Youtube account dating back to 2015 — youtube.com/user/Oneillk2 —\r\nthat belongs to an Igor Prokopenko from Magnitogorsk.\r\nThat Youtube account includes mostly short videos of Mr. 
Prokopenko angling for fish in a local river and\r\ndiagnosing problems with his Lada Kalina — a Russian-made automobile line that is quite common across Russia.\r\nAn account created in January 2018 using the Oneillk2 nickname on a forum for Lada enthusiasts says its owner is\r\n28 years old and lives in Magnitogorsk.\r\nSources with the ability to check Russian citizenship records identified an Igor Vladimirovich Prokopenko from\r\nMagnitogorsk who was born on June 16, 1991. Recall that “16061991” was the password used by countless\r\nonline accounts tied to both hottabych_k2@mail.ru and the Oneiilk2/Oneillk2 identities.\r\nTo bring all of the above research full circle, Vkontakte’s password reset page shows that the Igor Prokopenko\r\nprofile is tied to the mobile phone number +7-951-7805896, which is the same number used to set up the email\r\naccount hottabych_k2@mail.ru almost 10 years ago.\r\nMr. Prokopenko did not respond to multiple requests for comment.\r\nIt is entirely possible that whoever is responsible for operating the GandCrab affiliate program developed an\r\nelaborate, years-long disinformation campaign to lead future would-be researchers to an innocent party.\r\nAt the same time, it is not uncommon for many Russian malefactors to do little to hide their true identities — at\r\nleast early on in their careers — perhaps in part because they perceive that there is little likelihood that someone\r\nwill bother connecting the dots later on, or because maybe they don’t fear arrest and/or prosecution while they\r\nreside in Russia. 
Anyone doubtful about this dynamic would do well to consult the Breadcrumbs series on this\r\nblog, which used similar methods as described above to unmask dozens of other major malware purveyors.\r\nIt should be noted that the GandCrab affiliate program took measures to prevent the installation of its ransomware\r\non computers residing in Russia or in any of the countries that were previously part of the Soviet Union —\r\nreferred to as the Commonwealth of Independent States and including Armenia, Belarus, Kazakhstan, Kyrgyzstan,\r\nMoldova, Russia, Tajikistan, Turkmenistan, Ukraine and Uzbekistan. This is a typical precaution taken by\r\ncybercriminals running malware operations from one of those countries, as they try to avoid making trouble in\r\ntheir own backyards that might attract attention from local law enforcement.\r\nKrebsOnSecurity would like to thank domaintools.com (an advertiser on this site), as well as cyber intelligence\r\nfirms Intel471, Hold Security and 4IQ for their assistance in researching this post.\r\nUpdate, July 9, 2:53 p.m. ET: Mr. Prokopenko responded to my requests for comment, although he declined to\r\nanswer any of the questions I put to him about the above findings. His response was simply, “Hey. You’re wrong.\r\nI’m not doing this.” Silly me.\r\nSource: https://krebsonsecurity.com/2019/07/whos-behind-the-gandcrab-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://krebsonsecurity.com/2019/07/whos-behind-the-gandcrab-ransomware/"
	],
	"report_names": [
		"whos-behind-the-gandcrab-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434512,
	"ts_updated_at": 1775826776,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/787010028ffd69e6e7902348d8dfc191cf1de0eb.pdf",
		"text": "https://archive.orkl.eu/787010028ffd69e6e7902348d8dfc191cf1de0eb.txt",
		"img": "https://archive.orkl.eu/787010028ffd69e6e7902348d8dfc191cf1de0eb.jpg"
	}
}