{
	"id": "98f275ba-105e-4834-b428-841e27f7a74f",
	"created_at": "2026-04-06T00:11:58.275445Z",
	"updated_at": "2026-04-10T03:22:09.962378Z",
	"deleted_at": null,
	"sha1_hash": "7d934b7c90048e67e68478e55f1d47fd07a96625",
	"title": "Cybercrime: On the Trail of the Internet Extortionists",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 720720,
	"plain_text": "Cybercrime: On the Trail of the Internet Extortionists\r\nBy Kai Biermann, Astrid Geisler, Herwig G. Höller, Karsten Polke-Majewski, Zachary Kamel\r\nPublished: 2021-06-10 · Archived: 2026-04-05 19:38:27 UTC\r\nEach year, criminals make billions by attacking computer systems and extorting their victims. Those behind the\r\nmisdeeds are seldom caught. DIE ZEIT was able to track down two suspected perpetrators.\r\n10. Juni 2021, 5:19 Uhr\r\n© [M] Alexander Höpfner für ZEIT ONLINE, Fotos: Screenshots Polizei der Ukraine /\r\nGeneralstaatsanwaltschaft der Ukraine\r\nLesen Sie diesen Text auf Deutsch\r\nPetro Ponomarenko* wants his money back. And his computers. He needs the money for his child, who is\r\nsuffering from a heart ailment. And he needs the computers to earn a living, even if they are old. \"I bought\r\neverything on flea markets like eBay,\" he says. He claims to have used them to perform a bit of maintenance on\r\nservers belonging to regular customers, for $40 to $80 a month each. For other customers, he says, he has helped\r\ninstall new programs or transfer data from one computer to another. A kind of digital janitor: That’s the image he\r\nwould like to portray.\r\nInvestigators from Germany and the United States, though, believe that Petro Ponomarenko is a key player in one\r\nof the most significant instances of digital extortion in recent years. They believe the 48-year-old is a central\r\nplayer in a worldwide criminal network. Even just having found Ponomarenko is a huge success for investigators.\r\nAuthorities, after all, are almost never able to track down those involved in cyber-extortion operations. 
Mostly, in\r\nfact, they can’t even figure out who is behind them.\r\nA team of reporters from DIE ZEIT and the public broadcaster Bayerischer Rundfunk was able to establish contact\r\nwith Petro Ponomarenko. He insists he is innocent, saying he was working on one of his computers when police\r\nclad in bullet-proof vests forced their way into his apartment. They searched his numerous PCs and confiscated a\r\nsignificant amount of cash. \"They said that the servers were being used to control a dangerous extortion software,\"\r\nhe says. \"I didn’t know anything about it.\"\r\nOn Jan. 26, 2021, police raided a decrepit, prefab concrete residential building in the Ukrainian city of Kharkiv,\r\nwhere Ponomarenko has an apartment. The police filmed the operation, a video which DIE ZEIT has obtained. It\r\nshows them hammering on a steel-reinforced door in the darkened hallway and yelling \"Police!\" One of the\r\nofficers manages to break down the door with a crowbar. Inside, the police find a computer, its side panel removed\r\nand the fan still on. They also discover other computers, loose hard drives in a plastic container, mobile phones, a\r\nworkbench with a soldering iron, power strips, keyboards and tools. A server with several drives stands in a\r\ncabinet.\r\nFor the investigators, the raid was the climax of a complicated, multi-year investigation. And finally, they found\r\nthemselves standing in the machine room of the extortion network behind the malware Emotet, a program that has\r\nbeen used to blackmail companies, institutions and private persons – a total of more than a million victims.\r\nOn the day of Petro Ponomarenko’s arrest in Kharkiv, police in the Netherlands also seized servers in several data\r\ncenters. In Germany, 60 police officers were involved in the operation. 
Investigators from Lithuania, France,\r\nBritain, Ukraine, the U.S. and Canada also helped out. Together, they managed to gain control of Emotet and\r\ndisarm the software.\r\nWith that, the international team of investigators was able to land a blow against one of the most lucrative and\r\nleast risky crimes in the world. According to a 2019 survey performed by the technology association Bitkom,\r\nGerman companies alone estimate they have suffered damages of up to 10.5 billion euros due to extortion using\r\nstolen and encrypted data. Last year, the insurance giant Allianz ranked such cybercrimes as the most serious risk\r\nfacing companies.\r\nThere are dozens of malware programs like Emotet out there, all operated by criminal groups. They usually adhere\r\nto a similar pattern: The perpetrators sneak into their victims’ computers by way of innocuous-looking email\r\nattachments or take advantage of security loopholes in widely used software programs. Malware is thus able to\r\ninfiltrate the targeted computer network, snoop around, copy data and then encrypt the system such that nobody\r\nbut the attackers themselves can access it. The cybercriminals only provide the decryption code once ransom\r\nmoney has been paid – and not always even then. Frequently, they will threaten to make the information they have\r\nstolen public: customer lists, company secrets, internal financial information and personal data.\r\nFor the victims, each attack translates to significant losses of money and data, along with a damaged reputation.\r\nJust recently, a pipeline operator in the U.S. had to suspend operations due to a cyberattack. In another attack,\r\nextortionists published notes from hundreds of therapy sessions to put pressure on a Finnish chain of psychiatric\r\nclinics. 
The University Hospital of Düsseldorf, meanwhile, had to close down its emergency room and cancel\r\nseveral operations following an attack, because doctors no longer had access to patient files and were unable to\r\nprescribe procedures. Copper manufacturer KME in Osnabrück paid a ransom of 1.27 million euros to be able to\r\ncontinue operations. In January, the internet service provider Netcom in Kassel lost access to its entire internal\r\nadministration, accounting department, email system and the data of 32,000 customers. The town of Neustadt am\r\nRübenberge had trouble paying out parental leave allowances.\r\nIt is extremely difficult to track down the perpetrators of such crimes. They never meet in person and frequently\r\nonly know each other under assumed names. And each is only responsible for a single link in the chain. One\r\nwrites the programs, another disseminates them, a third sets up and maintains the series of servers used to access\r\nthe victims’ computer systems. Still another negotiates with the victims and, finally, someone is responsible for\r\nmoving the extorted money through dark channels to recipients around the world.\r\nReporters from DIE ZEIT and Bayerischer Rundfunk spent months following the tracks of the perpetrators. They\r\nspoke with police investigators and public prosecutors from several countries, they interviewed computer forensic\r\ninvestigators and security experts. They examined documents from security agencies and courts, and they pursued\r\nfinancial transactions. They were also able to read along live during a ransom negotiation, carried out via chat,\r\nbetween extortionists and their victims.\r\nIn January 2021, anonymous blackmailers encrypted the computer system belonging to a mid-sized fashion\r\ncompany from Canada and left behind an address where they could be reached. 
A company employee named\r\nNelson contacted the perpetrators, producing the following, slightly abridged, dialogue.\r\nSource: https://www.zeit.de/digital/2021-06/cybercrime-extortion-internet-spyware-ransomware-police-prosecution-hackers",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zeit.de/digital/2021-06/cybercrime-extortion-internet-spyware-ransomware-police-prosecution-hackers"
	],
	"report_names": [
		"cybercrime-extortion-internet-spyware-ransomware-police-prosecution-hackers"
	],
	"threat_actors": [],
	"ts_created_at": 1775434318,
	"ts_updated_at": 1775791329,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7d934b7c90048e67e68478e55f1d47fd07a96625.pdf",
		"text": "https://archive.orkl.eu/7d934b7c90048e67e68478e55f1d47fd07a96625.txt",
		"img": "https://archive.orkl.eu/7d934b7c90048e67e68478e55f1d47fd07a96625.jpg"
	}
}