{
	"id": "e09fb576-9142-4dbc-8278-8be0116a2583",
	"created_at": "2026-04-06T00:22:19.195455Z",
	"updated_at": "2026-04-10T03:21:46.606752Z",
	"deleted_at": null,
	"sha1_hash": "9ada8682f7ddfed91f1b53b2ff081273d019b572",
	"title": "REvil Affiliates Confirm: Leadership Were Cheating Dirtbags",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 765424,
	"plain_text": "REvil Affiliates Confirm: Leadership Were Cheating Dirtbags\r\nBy Lisa Vaas\r\nPublished: 2021-09-23 · Archived: 2026-04-05 19:03:26 UTC\r\nAfter news of REvil’s rip-off-the-affiliates backdoor \u0026 double chats, affiliates fumed, reiterating prior claims against the gang in “Hacker’s Court.”\r\nA day after news broke that REvil had screwed its own affiliates out of ransomware payments – by using double chats and a backdoor that let REvil operators hijack ransom negotiations – those affiliates took to the top Russian-language hacking forum to renew their demands that REvil fork over their pilfered share of the ransom payments.\r\nAdvanced Intelligence (AdvIntel), the threat intelligence firm that disclosed the backdoor and double chats, told Threatpost on Thursday that a high-profile actor with an established reputation on the top Russian-language hacking forum, Exploit, used AdvIntel’s report findings to revitalize a claim filed in May against REvil on the Russian underground.\r\nThe way that ransomware-as-a-service (RaaS) operations such as REvil or DarkSide work is that affiliates do all the dirty work of network compromise, in exchange for (in the case of the original REvil RaaS) 70 percent of whatever ransom the victims fork over. REvil leadership was supposed to pocket the remaining 30 percent – and only that much – of ransom payments, in exchange for providing the ransomware payload that the affiliates use to seize control of victims’ data and systems.\r\nBut when negotiations suddenly and mysteriously collapse and the affiliates are left in the lurch, they start to get suspicious, and they turn to the underground’s version of arbitration.\r\nYou can see why: Ransomware and other types of cyberattacks are, after all, big business. Ransomware attacks spiked by 350 percent between 2018 and May 2021. When money goes missing, the underground community takes a businesslike approach to seeking redress. Namely, the underground has its own version of “People’s Court” – or, as the case may be, “Hacker’s Court.”\r\nThat’s what happened with DarkSide, the group responsible for the Colonial Pipeline attack: Affiliates had a tough time getting paid for their work after DarkSide’s servers were shut down in May, so they turned to the admins of the group’s Dark Web criminal forum to sort things out.\r\nAccording to AdvIntel’s Yelisey Boguslavskiy – head of research at the cyber risk prevention firm – aggravated, scammed affiliates had taken that route in May 2021, seeking to recoup $21.5 million USD from REvil for allegedly scamming them.\r\nhttps://threatpost.com/revil-affiliates-leadership-cheated-ransom-payments/174972/\r\nPage 1 of 4\r\nRipped-Off Affiliates Fume\r\nBelow are screen captures of the actor reiterating the claim from May 2021 on the Exploit criminal forum on Thursday. The threat actor’s reiteration confirmed AdvIntel’s assumption: REvil leadership did indeed create a backdoor that enabled them to cut off ransom negotiations between victims and the gang’s own affiliates, to run a double chat that enabled leadership to pose as victims who threw in the towel mid-negotiation, and then to step in, resume the negotiations, cut the affiliates out of the deal, and pocket the entire ransom payment.\r\nSource: AdvIntel.\r\n‘See? Told You So’\r\n“While repeating this claim, the actor confirmed our assumption about the use of the backdoor, and, most importantly, about the use of double chats,” Boguslavskiy told Threatpost.\r\nIt wasn’t just the aggrieved affiliate who confirmed how slimy the REvil slimebags were, Boguslavskiy added: “Moreover, the representative of #LockBit also joined the discussion and stated that former REvil affiliates shared with them that they were scammed due to the double chat scheme.”\r\nLockBit 2.0 is an extremely prolific RaaS gang that’s been proliferating like happy bunny rabbits, as evidenced by Herjavec Group’s LockBit 2.0 profile and its long list of LockBit 2.0 victims. In other words, the gang’s reps probably know whereof they speak. When one of the gang confirms that REvil ripped off its own affiliates, there’s a fair chance they’re telling the truth.\r\nWill This Cripple REvil?\r\nNow that REvil has kind of, sort of sputtered back to life, with a new representative (but with little respect or trust from the criminal underground), Boguslavskiy is hoping that confirmation of REvil’s comfort with screwing its own affiliates via a backdoor and double chats will lead to the gang being shunned on the underground, potentially weakening its ties and its ability to recruit and collaborate within the community.\r\n“Ideally, the revitalization of this May 2021 [claim] will lead to further bans against rebranded REvil on forums, which can further complicate their ability to interact with the community,” he suggested.\r\nSource: https://threatpost.com/revil-affiliates-leadership-cheated-ransom-payments/174972/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://threatpost.com/revil-affiliates-leadership-cheated-ransom-payments/174972/"
	],
	"report_names": [
		"174972"
	],
	"threat_actors": [],
	"ts_created_at": 1775434939,
	"ts_updated_at": 1775791306,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9ada8682f7ddfed91f1b53b2ff081273d019b572.pdf",
		"text": "https://archive.orkl.eu/9ada8682f7ddfed91f1b53b2ff081273d019b572.txt",
		"img": "https://archive.orkl.eu/9ada8682f7ddfed91f1b53b2ff081273d019b572.jpg"
	}
}