{
	"id": "d9f3c4e5-c7c7-4aff-b526-02f23dc84226",
	"created_at": "2026-04-06T01:32:39.843686Z",
	"updated_at": "2026-04-10T03:21:52.068906Z",
	"deleted_at": null,
	"sha1_hash": "a4e12077a2e4d05ebea38bf442e0c133c9ab18c5",
	"title": "GandCrab ransomware distributor arrested in South Korea",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 162982,
	"plain_text": "GandCrab ransomware distributor arrested in South Korea\r\nBy Catalin Cimpanu\r\nPublished: 2022-11-17 · Archived: 2026-04-06 00:20:25 UTC\r\nSouth Korean national police have announced today the arrest of a 20-year-old suspect on charges of distributing\r\nand infecting victims with the GandCrab ransomware.\r\nThe suspect, whose name was not released, operated as a customer of the GandCrab Ransomware-as-a-Service\r\n(RaaS) cybercrime operation.\r\nKnown as an affiliate —or a distributor— police say the suspect operated by taking copies of the GandCrab\r\nransomware and distributing them via email to victims across South Korea.\r\nBetween February and June 2019, the suspect sent nearly 6,500 emails to South Koreans. The emails mimicked\r\nofficial communications from local police stations, the Constitutional Court, and the Bank of Korea.\r\nhttps://therecord.media/gandcrab-ransomware-distributor-arrested-in-south-korea/\r\nPage 1 of 4\n\nHowever, when victims opened documents attached to emails they received, they infected themselves with the\r\nGandCrab ransomware, which then proceeded to encrypt their files and ask for a $1,300 payment in Bitcoin.\r\nSouth Korean national police say they tracked at least 120 users who fell victim to the suspect's phishing\r\ncampaigns.\r\nDespite the large number of victims, authorities said the suspect only made 12 million won, which stands to\r\naround $10,500, as he only received a 7% cut from the sum victims were paying on the GandCrab ransom portal.\r\nSuspect tracked via cryptocurrency transactions\r\nThe suspect's attacks stopped in June 2019 after the GandCrab group announced their retirement and moved on to\r\ncreate and run the REvil (Sodinokibi) RaaS instead, which focused on infecting companies rather than regular\r\nusers.\r\nThe South Korean individual marks the second GandCrab distributor arrested since the GandCrab shutdown. A\r\n31-year-old suspect was previously arrested in Belarus in August 2020.\r\nSouth Korean national police said the recent arrest, which took place last month on February 25, was the result of\r\nan international investigation led by Interpol focused on tracking down the GandCrab gang and its network of\r\ndistributors. Law enforcement agencies from ten countries are involved in the investigation.\r\nAuthorities also said they tracked the suspect based on cryptocurrency transactions associated with the GandCrab\r\noperation, which led them to the suspect's bank account, despite him using a cloak of servers and IP addresses to\r\nhide his real location.\r\nCatalin Cimpanu\r\nis a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement\r\nactions against hackers.\r\nSource: https://therecord.media/gandcrab-ransomware-distributor-arrested-in-south-korea/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://therecord.media/gandcrab-ransomware-distributor-arrested-in-south-korea/"
	],
	"report_names": [
		"gandcrab-ransomware-distributor-arrested-in-south-korea"
	],
	"threat_actors": [],
	"ts_created_at": 1775439159,
	"ts_updated_at": 1775791312,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a4e12077a2e4d05ebea38bf442e0c133c9ab18c5.pdf",
		"text": "https://archive.orkl.eu/a4e12077a2e4d05ebea38bf442e0c133c9ab18c5.txt",
		"img": "https://archive.orkl.eu/a4e12077a2e4d05ebea38bf442e0c133c9ab18c5.jpg"
	}
}