{
	"id": "ee456985-9231-44ec-9ce7-0548942b38a0",
	"created_at": "2026-04-06T03:37:09.539696Z",
	"updated_at": "2026-04-10T13:11:47.141213Z",
	"deleted_at": null,
	"sha1_hash": "cd0352d15e820e9951af82c0a6bb38644f20645f",
	"title": "US seizes $6 million from REvil ransomware, arrest Kaseya hacker",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 769672,
	"plain_text": "US seizes $6 million from REvil ransomware, arrest Kaseya hacker\r\nBy Ionut Ilascu\r\nPublished: 2021-11-08 · Archived: 2026-04-06 03:18:33 UTC\r\nThe United States Department of Justice today announced charges against a REvil ransomware affiliate responsible for\r\nthe attack against the Kaseya MSP platform on July 2nd and the seizure of more than $6 million from another REvil partner.\r\nThe suspect is 22-year-old Ukrainian national Yaroslav Vasinskyi, arrested for cybercriminal activity on October 8 at the\r\nbehest of the U.S. when trying to enter Poland from his native country.\r\nVasinskyi is known by several aliases (Profcomserv, Rabotnik, Rabotnik_New, Yarik45, Yaraslav2468, and Affiliate 22). He\r\nis one of the seven REvil ransomware affiliates that have been apprehended so far, in ample international efforts to combat\r\nthe ransomware threat.\r\nRansom demands of over 760 million\r\nWhile the news of Vasinskyi getting arrested did not go unnoticed, the exact reason was unclear until his indictment and\r\narrest warrant were unsealed on November 5.\r\nIn a press conference today, the DoJ announced the charges against Vasinskyi, underlining his involvement in the Kaseya\r\nattack that impacted around 1,500 businesses worldwide.\r\nREvil ransomware, also known as Sodinokibi, is the successor of GandCrab and had an initial test run in April 2019 in an\r\nattack that exploited a vulnerability in WebLogic Server.\r\nAccording to the indictment, Vasinskyi is a long-time affiliate of the REvil ransomware operation who has been part of it since at\r\nleast March 1st, 2019, and deployed about 2,500 attacks against businesses worldwide.\r\nThe investigation 
revealed that Vasinskyi’s ransom demands amounted to $767 million but victims paid only $2.3 million.\r\nThe operator is believed to have deployed ransomware on the networks of at least nine companies in the U.S.\r\nIn contrast, the entire REvil ransomware operation has received more than $200 million since it started activity and encrypted at\r\nleast 175,000 computers.\r\nOf all the attacks, the one on the Kaseya managed service provider (MSP) platform was the biggest, with a ransom demand\r\nof $70 million to decrypt all the systems.\r\nThis incident acted as a catalyst for the U.S. to start an ample operation against the ransomware threat in cooperation with\r\nlaw enforcement across the world.\r\nThe U.S. is now requesting Vasinskyi's extradition and has unsealed the charges against him.\r\nSeizing ransomware money\r\nThe DoJ also announced that law enforcement seized $6.1 million from another REvil ransomware affiliate, Russian\r\nnational Yevgeniy Polyanin, who is currently at large.\r\nPreviously, the U.S. recovered $4.4 million of the ransomware payment that Colonial Pipeline paid to the DarkSide\r\nransomware gang following an attack that led to temporary gas shortages.\r\nPolyanin (a.k.a. LK4D4, Damnating, damn2Life, Noolleds, Antunpitre, Affiliate 23) is believed to have perpetrated about\r\n3,000 ransomware attacks against various organizations, including multiple U.S. 
government entities and private-sector\r\ncompanies, extorting around $13 million from victims.\r\nAccording to the indictment, Polyanin accessed and encrypted the networks of 13 government entities in Texas around\r\nAugust 16, 2019.\r\nIf the date sounds familiar it's because that's when 22 local governments had their systems locked in a REvil ransomware\r\nattack that leveraged flaws in software from an MSP.\r\nWhile the hackers asked for a collective ransom of $2.5 million, one of the largest at the time, they got nothing as a\r\ncoordinated state and federal response recovered the systems.\r\nAs part of the strategy to counter the ransomware threat, the U.S. Department of Treasury today announced sanctions against\r\nboth Polyanin and Vasinskyi, blocking all property and interests in their property falling under the U.S. jurisdiction.\r\n\"Additionally, any entities 50 percent or more owned by one or more designated persons are also blocked. In addition,\r\nfinancial institutions and other persons that engage in certain transactions or activities with the sanctioned entities and\r\nindividuals may expose themselves to sanctions or be subject to an enforcement action\" - U.S. Treasury\r\nThe charges against Polyanin are the same as for Vasinskyi:\r\nconspiracy to commit fraud and related activity in connection with computers (one count for each defendant)\r\nintentional damage to a protected computer (nine counts for Vasinskyi, 12 for Polyanin)\r\nconspiracy to commit money laundering (one count for each defendant)\r\nIn about five months, the DoJ's efforts have resulted in arresting seven affiliates of the REvil ransomware operation.\r\nOn November 4, authorities in Romania arrested two alleged REvil ransomware partners. A GandCrab affiliate was arrested\r\non the same day in Kuwait. 
The other three individuals were apprehended in February, April, and October.\r\n\"The arrest of Yaroslav Vasinskyi, the charges against Yevgeniy Polyanin and seizure of $6.1 million of his assets, and the\r\narrests of two other Sodinokibi/REvil actors in Romania are the culmination of close collaboration with our international,\r\nU.S. government and especially our private sector partners,\" - FBI Director Christopher Wray\r\nApprehending these REvil affiliates was possible through coordinated efforts from investigators and prosecutors from\r\nseveral jurisdictions:\r\n- Romania's National Police and the Directorate for Investigating Organised Crime and Terrorism\r\n- Canada’s Royal Canadian Mounted Police\r\n- France’s Court of Paris and BL2C (anti-cybercrime unit police)\r\n- Dutch National Police\r\n- Poland’s National Prosecutor’s Office, Border Guard, Internal Security Agency, and Ministry of Justice\r\n- the governments of Norway and Australia\r\nUpdate [November 8, 14:50 EST]: Added more information from Polyanin's indictment and the DoJ press release.\r\nSource: https://www.bleepingcomputer.com/news/security/us-seizes-6-million-from-revil-ransomware-arrest-kaseya-hacker/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/us-seizes-6-million-from-revil-ransomware-arrest-kaseya-hacker/"
	],
	"report_names": [
		"us-seizes-6-million-from-revil-ransomware-arrest-kaseya-hacker"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775446629,
	"ts_updated_at": 1775826707,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cd0352d15e820e9951af82c0a6bb38644f20645f.pdf",
		"text": "https://archive.orkl.eu/cd0352d15e820e9951af82c0a6bb38644f20645f.txt",
		"img": "https://archive.orkl.eu/cd0352d15e820e9951af82c0a6bb38644f20645f.jpg"
	}
}