{
	"id": "22f4575f-9b4e-4865-8982-eca0d1fb0af4",
	"created_at": "2026-04-06T00:19:04.96839Z",
	"updated_at": "2026-04-10T03:22:10.85685Z",
	"deleted_at": null,
	"sha1_hash": "cb0cee33d1249079a4af0e4d634d5f91480ff70d",
	"title": "Russian Hacker “Wazawaka” Indicted for Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 586532,
	"plain_text": "Russian Hacker “Wazawaka” Indicted for Ransomware\r\nPublished: 2023-05-16 · Archived: 2026-04-05 17:04:36 UTC\r\nA Russian man identified by KrebsOnSecurity in January 2022 as a prolific and vocal member of several top ransomware\r\ngroups was the subject of two indictments unsealed by the Justice Department today. U.S. prosecutors say Mikhail\r\nPavolovich Matveev, a.k.a. “Wazawaka” and “Boriselcin” worked with three different ransomware gangs that extorted\r\nhundreds of millions of dollars from companies, schools, hospitals and government agencies.\r\nAn FBI wanted poster for Matveev.\r\nIndictments returned in New Jersey and the District of Columbia allege that Matveev was involved in a conspiracy to\r\ndistribute ransomware from three different strains or affiliate groups, including Babuk, Hive and LockBit.\r\nThe indictments allege that on June 25, 2020, Matveev and his LockBit co-conspirators deployed LockBit ransomware\r\nagainst a law enforcement agency in Passaic County, New Jersey. Prosecutors say that on May 27, 2022, Matveev conspired\r\nhttps://krebsonsecurity.com/2023/05/russian-hacker-wazawaka-indicted-for-ransomware/\r\nPage 1 of 3\n\nwith Hive to ransom a nonprofit behavioral healthcare organization headquartered in Mercer County, New Jersey. And on\r\nApril 26, 2021, Matveev and his Babuk gang allegedly deployed ransomware against the Metropolitan Police Department in\r\nWashington, D.C.\r\nMeanwhile, the U.S. Department of Treasury has added Matveev to its list of persons with whom it is illegal to transact\r\nfinancially. Also, the U.S. State Department is offering a $10 million reward for the capture and/or prosecution of Matveev,\r\nalthough he is unlikely to face either as long as he continues to reside in Russia.\r\nIn a January 2021 discussion on a top Russian cybercrime forum, Matveev’s alleged alter ego Wazawaka said he had no\r\nplans to leave the protection of “Mother Russia,” and that traveling abroad was not an option for him.\r\n“Mother Russia will help you,” Wazawaka concluded. “Love your country, and you will always get away with everything.”\r\nIn January 2022, KrebsOnSecurity published Who is the Network Access Broker ‘Wazawaka,’ which followed clues from\r\nWazawaka’s many pseudonyms and contact details on the Russian-language cybercrime forums back to a 33-year-old\r\nMikhail Matveev from Abaza, RU (the FBI says his date of birth is Aug. 17, 1992).\r\nA month after that story ran, a man who appeared identical to the social media photos for Matveev began posting on Twitter\r\na series of bizarre selfie videos in which he lashed out at security journalists and researchers (including this author), while\r\nusing the same Twitter account to drop exploit code for a widely-used virtual private networking (VPN) appliance.\r\n“Hello Brian Krebs! You did a really great job actually, really well, fucking great — it’s great that journalism works so well\r\nin the US,” Matveev said in one of the videos. “By the way, it is my voice in the background, I just love myself a lot.”\r\nEtt fel inträffade.\r\nDet går inte att köra JavaScript.\r\nProsecutors allege Matveev used a dizzying stream of monikers on the cybercrime forums, including “Boriselcin,” a\r\ntalkative and brash personality who was simultaneously the public persona of Babuk, a ransomware affiliate program that\r\nsurfaced on New Year’s Eve 2020.\r\nPrevious reporting here revealed that Matveev’s alter egos included “Orange,” the founder of the RAMP ransomware\r\nforum. RAMP stands for “Ransom Anon Market Place, and analysts at the security firm Flashpoint say the forum was\r\ncreated “directly in response to several large Dark Web forums banning ransomware collectives on their site following the\r\nColonial Pipeline attack by ransomware group ‘DarkSide.”\r\nAs noted in last year’s investigations into Matveev, his alleged cybercriminal handles all were driven by a uniquely\r\ncommunitarian view that when organizations being held for ransom decline to cooperate or pay up, any data stolen from the\r\nvictim should be published on the Russian cybercrime forums for all to plunder — not privately sold to the highest bidder.\r\nhttps://krebsonsecurity.com/2023/05/russian-hacker-wazawaka-indicted-for-ransomware/\r\nPage 2 of 3\n\nIn thread after thread on the crime forum XSS, Matveev’s alleged alias “Uhodiransomwar” could be seen posting\r\ndownload links to databases from companies that have refused to negotiate after five days.\r\nMatveev is charged with conspiring to transmit ransom demands, conspiring to damage protected computers, and\r\nintentionally damaging protected computers. If convicted, he faces more than 20 years in prison.\r\nFurther reading:\r\nWho is the Network Access Broker “Wazawaka?”\r\nWazawaka Goes Waka Waka\r\nThe New Jersey indictment against Matveev (PDF)\r\nThe indictment from the U.S. attorney’s office in Washington, D.C. (PDF)\r\nSource: https://krebsonsecurity.com/2023/05/russian-hacker-wazawaka-indicted-for-ransomware/\r\nhttps://krebsonsecurity.com/2023/05/russian-hacker-wazawaka-indicted-for-ransomware/\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://krebsonsecurity.com/2023/05/russian-hacker-wazawaka-indicted-for-ransomware/"
	],
	"report_names": [
		"russian-hacker-wazawaka-indicted-for-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434744,
	"ts_updated_at": 1775791330,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cb0cee33d1249079a4af0e4d634d5f91480ff70d.pdf",
		"text": "https://archive.orkl.eu/cb0cee33d1249079a4af0e4d634d5f91480ff70d.txt",
		"img": "https://archive.orkl.eu/cb0cee33d1249079a4af0e4d634d5f91480ff70d.jpg"
	}
}