{
	"id": "1801b2b7-07d7-4d3a-9ce2-3488dad34cc1",
	"created_at": "2026-04-06T01:29:43.550951Z",
	"updated_at": "2026-04-10T03:21:08.762299Z",
	"deleted_at": null,
	"sha1_hash": "d13339462f415d9c5faf5be32f07b5eef3d000cd",
	"title": "Wazawaka Goes Waka Waka",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 728464,
	"plain_text": "Wazawaka Goes Waka Waka\r\nPublished: 2022-02-14 · Archived: 2026-04-06 00:52:55 UTC\r\nIn January, KrebsOnSecurity examined clues left behind by “Wazawaka,” the hacker handle chosen by a major ransomware criminal in the Russian-speaking cybercrime scene. Wazawaka has since “lost his mind” according to his erstwhile colleagues, creating a Twitter account to drop exploit code for a widely-used virtual private networking (VPN) appliance, and publishing bizarre selfie videos taunting security researchers and journalists.\r\nWazawaka, a.k.a. Mikhail P. Matveev, a.k.a. “Orange,” a.k.a. “Boriselcin,” showing off his missing ring finger.\r\nIn last month’s story, we explored clues that led from Wazawaka’s multitude of monikers, email addresses, and passwords to a 30-something father in Abakan, Russia named Mikhail Pavlovich Matveev. This post concerns itself with the other half of Wazawaka’s identities not mentioned in the first story, such as how Wazawaka also ran the Babuk ransomware affiliate program, and later became “Orange,” the founder of the ransomware-focused Dark Web forum known as “RAMP.”\r\nThe same day the initial profile on Wazawaka was published here, someone registered the Twitter account “@fuck_maze,” a possible reference to the now-defunct Maze Ransomware gang.\r\nThe background photo for the @fuck_maze profile included a logo that read “Waka Waka;” the bio for the account took a swipe at Dmitry Smilyanets, a researcher and blogger for The Record who was once part of a cybercrime group the Justice Department called the “largest known data breach conspiracy ever prosecuted.”\r\nThe @fuck_maze account messaged me a few times on Twitter, but largely stayed silent until Jan. 25, when it tweeted three videos of a man who appeared identical to Matveev’s social media profile on Vkontakte (the Russian version of Facebook). The man seemed to be slurring his words quite a bit, and started by hurling obscenities at Smilyanets, journalist Catalin Cimpanu (also at The Record), and a security researcher from Cisco Talos.\r\nAt the beginning of the videos, Matveev holds up his left hand to demonstrate that his ring finger is missing. This he smugly presents as evidence that he is indeed Wazawaka.\r\nThe story goes that Wazawaka at one point made a bet wherein he wagered his finger, and upon losing the bet severed it himself. It’s unclear if that is the real story about how Wazawaka lost the ring finger on his left hand; his remaining fingers appear oddly crooked.\r\nhttps://krebsonsecurity.com/2022/02/wazawaka-goes-waka-waka/\r\nPage 1 of 5\r\n“Hello Brian Krebs! You did a really great job actually, really well, fucking great — it’s great that journalism works so well in the US,” Matveev said in the video. “By the way, it is my voice in the background, I just love myself a lot.”\r\nIn one of his three videos, Wazawaka says he’s going to release exploit code for a security vulnerability. Later that same day, the @fuck_maze account posted a link to a Pastebin-like site that included working exploit code for a recently patched security hole in SonicWall VPN appliances (CVE-2021-20028).\r\nWhen KrebsOnSecurity first started researching Wazawaka in 2021, it appeared this individual also used two other important nicknames on the Russian-speaking crime forums. One was Boriselcin, a particularly talkative and brash personality who was simultaneously the public persona of Babuk, a ransomware affiliate program that surfaced on New Year’s Eve 2020.\r\nThe other handle that appeared tied to Wazawaka was “Orange,” the founder of the RAMP ransomware forum. I just couldn’t convincingly connect those two identities with Wazawaka using the information available at the time. This post is an attempt to remedy that.\r\nOn Aug. 26, 2020, a new user named Biba99 registered on the English language cybercrime forum RaidForums. But the Biba99 account didn’t post to RaidForums until Dec. 31, 2020, when they announced the creation of the Babuk ransomware affiliate program.\r\nOn January 1, 2021, a new user “Babuk” registered on the crime forum Verified, using the email address teresacox19963@gmail.com, and the instant message address “admin@babuk.im.” “We run an affiliate program,” Babuk explained in their introductory post on Verified.\r\nA variety of clues suggest Boriselcin was the individual acting as spokesperson for Babuk. Boriselcin talked openly on the forums about working with Babuk, and fought with other members of the ransomware gang about publishing access to data stolen from victim organizations.\r\nAccording to analysts at cyber intelligence firm Flashpoint, between January and the end of March 2021, Babuk continued to post databases stolen from companies that refused to pay a ransom, but they posted the leaks to both their victim shaming blog and to multiple cybercrime forums, an unusual approach.\r\nThis matches the ethos and activity of Wazawaka’s posts on the crime forums over the past two years. As I wrote in January:\r\n“Wazawaka seems to have adopted the uniquely communitarian view that when organizations being held for ransom decline to cooperate or pay up, any data stolen from the victim should be published on the Russian cybercrime forums for all to plunder — not privately sold to the highest bidder. In thread after thread on the crime forum XSS, Wazawaka’s alias ‘Uhodiransomwar’ can be seen posting download links to databases from companies that have refused to negotiate after five days.”\r\nAround Apr. 27, 2021, Babuk hacked the Washington Metropolitan Police Department, demanding $4 million in virtual currency in exchange for a promise not to publish the police department’s internal data.\r\nFlashpoint says that on April 30, Babuk announced they were shuttering the affiliate program and its encryption services, and that they would now focus on data theft and extortion instead. On May 3, the group posted two additional victims of their data theft enterprise, showing they are still in operation.\r\nOn May 11, 2021, Babuk declared negotiations with the MPD had reached an impasse, and leaked 250 gigabytes worth of MPD data.\r\nOn May 14, 2021, Boriselcin announced on XSS his intention to post a writeup on how they hacked the DC Police (Boriselcin claims it was via the organization’s VPN).\r\nOn May 17, Babuk posted about an upcoming new ransomware leaks site that will serve as a “huge platform for independent leaks,” — i.e., a community that would publish data stolen by no-name ransomware groups that don’t already have their own leaks/victim shaming platforms.\r\nOn May 31, 2021, Babuk’s website began redirecting to Payload[.]bin. On June 23, 2021, Biba99 posted to RaidForums saying he’s willing to buy zero-day vulnerabilities in corporate VPN products. Biba99 posts his unique user ID for Tox, a peer-to-peer instant messaging service.\r\nOn July 13, 2021, Payload[.]bin was renamed to RAMP, which according to Orange stands for “Ransom Anon Market Place.” Flashpoint says RAMP was created “directly in response to several large Dark Web forums banning ransomware collectives on their site following the Colonial Pipeline attack by ransomware group ‘DarkSide.’” [links added]\r\n“Babuk noted that this new platform will not have rules or ‘bosses,’” Flashpoint observed in a report on the group. “This reaction distinguishes Babuk from other ransomware collectives, many of which changed their rules following the attack to attract less attention from law enforcement.”\r\nThe RAMP forum opening was announced by the user “TetyaSluha.” That nickname soon switched to “Orange,” who appears to have registered on RAMP with the email address “teresacox19963@gmail.com.” Recall that this is the same email address used by the spokesperson for the Babuk ransomware gang — Boriselcin/Biba99.\r\nIn a post on RAMP Aug. 18, 2021, in which Orange is attempting to recruit penetration testers, he claimed the same Tox ID that Biba99 used on RaidForums.\r\nOn Aug. 22, Orange announced a new ransomware affiliate program called “Groove,” which claimed to be an aggressive, financially motivated criminal organization dealing in industrial espionage for the previous two years.\r\nIn November 2021, Groove’s blog disappeared, and Boriselcin posted a long article to the XSS crime forum explaining that Groove was little more than a pet project to mess with the media and security industries.\r\nOn Sept. 13, 2021, Boriselcin posted to XSS saying he would pay handsomely for a reliable, working exploit for CVE-2021-20028, the same exploit that @fuck_maze would later release to Twitter on Jan. 25, 2022.\r\nAsked for comment on this research, cyber intelligence firm Intel 471 confirmed that its analysts reached the same conclusion.\r\n“We identified the user as the Russian national Михаил Павлович Матвеев aka Mikhail Pavlovich Matveev, who was widely known in the underground community as the actor using the Wazawaka handle, a.k.a. Alfredpetr, andry1976, arestedByFbi, boriselcin, donaldo, ebanatv2, futurama, gotowork, m0sad, m1x, Ment0s, ment0s, Ment0s, Mixalen, mrbotnet, Orange, posholnarabotu, popalvprosak, TetyaSluha, uhodiransomwar, and 999,” Intel 471 wrote.\r\nAs usual, I put together a rough mind map on how all these data points indicate a connection between Wazawaka, Orange, and Boriselcin.\r\nA mind map connecting Wazawaka to the RAMP forum administrator “Orange” and the founder of the Babuk ransomware gang.\r\nAs noted in January’s profile, Wazawaka has worked with at least two different ransomware affiliate programs, including LockBit. Wazawaka said LockBit had paid him roughly $500,000 in commissions for the six months leading up to September 2020.\r\nWazawaka also said he’d teamed up with DarkSide, the ransomware affiliate group responsible for the six-day outage at Colonial Pipeline last year that caused nationwide fuel shortages and price spikes. The U.S. Department of State has since offered a $5 million reward for information leading to the arrest and conviction of any DarkSide affiliates.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://krebsonsecurity.com/2022/02/wazawaka-goes-waka-waka/"
	],
	"report_names": [
		"wazawaka-goes-waka-waka"
	],
	"threat_actors": [],
	"ts_created_at": 1775438983,
	"ts_updated_at": 1775791268,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d13339462f415d9c5faf5be32f07b5eef3d000cd.pdf",
		"text": "https://archive.orkl.eu/d13339462f415d9c5faf5be32f07b5eef3d000cd.txt",
		"img": "https://archive.orkl.eu/d13339462f415d9c5faf5be32f07b5eef3d000cd.jpg"
	}
}