The video shows a white yacht swaying in the blue waters of the Mediterranean Sea. Young people frolic on the deck, laugh, drink and jump into the water. It's an expensive pleasure: Renting a yacht costs 1,300 euros per day. This video was shared on social networks by Ekaterina K.*, in whose account such videos about rest often appear. This video was shot in Antalya, on the southern coast of Turkey, but others were made from a five-star hotel in Dubai, from the Crimean Peninsula or even from the Maldives.
Her husband Nikolai K. often appears in the videos and photos she publishes. It looks like he prefers Gucci T-shirts, luxury BMW sports cars and large sunglasses. For the past few months, he has also worn a Vanguard Encrypto watch on his wrist - a type of luxury watch with an engraved bitcoin address code on its dial and its cost reaches 70,000 euros. Nikolai K.'s personal account is closed, but his motto is open to everyone and clearly shows his faith in cryptocurrencies such as bitcoin, with which he earns his money.
In this case, however, a more accurate term may be "extortion". According to a report conducted jointly by the German public broadcasting company Bayerischer Rundfunk and ZEIT ONLINE, Nikolai K. is part of a group of online ransomware who earn many millions of euros on their crimes and almost never come across. Nikolai K. is one of the extremely rare cases when it was possible to identify a criminal who committed an almost perfect crime.
Investigators from the Baden-Württemberg State Criminal Police Department (LKA) are convinced that Nikolai K. is part of the main group of criminals who use ransom software called REvil. With this extortion software, this major group, along with other accomplices, attacked companies and institutions around the Western world and raised huge amounts of money.
There are no companies too big or too small to be attacked
In recent years, criminal groups using ransomware have become a real plague. No company, no city administration, no organization is too large or too small to be attacked and, at worst, completely paralyzed. Criminals secretly infiltrate foreign computer networks, copy all data and then encrypt the system. Computers that are part of this system become useless. City administrations cannot do their work, medical institutions and law firms go bankrupt, factories stop, and hospitals cannot access patient medical records. Those who pay ransomware are sent a key to access the data - if they are lucky. Those who do not pay risk that their confidential information will be published or hacked access to their networks will be sold to other criminals.
There are several varieties of this type of redemption software. REvil, also known as Sodinokibi, is one of the most dangerous and is responsible for multibillion-dollar damage worldwide. The Federal Office for Information Security of Germany (BSI) classifies REvil as one of the most dangerous programs in this area. In Germany, it was used in 2019 to attack DRK Trägergesellschaft Süd-West, an IT company serving medical offices and hospitals. Several clinics in the western German state of Rhineland-Palatinate and in the southwestern state of the Saarland were forced to shut down their computer systems and switch to emergency operation.
It is not known who was the first to develop the code for REvil. But there is a main group that sells it to everyone who wants to use it for extortion activities. The developers have created a profitable rental model: Criminals can negotiate with the group to use software for a fee in cryptocurrency - this model is called "ransomware as a service". And Nikolai K. seems to be among those to whom such criminal rental payments are paid.
Reporters from Bayerischer Rundfunk and ZEIT ONLINE spent several months tracking digital footprints on social networks, anonymous Telegram channels and in the world of cryptocurrencies. Journalists managed to establish that bitcoin was transferred from accounts related to criminal structures in at least six cases to an address that most likely belongs to Nikolai K.
If you Google the name he uses on social networks, you will find the email address used to register various websites. These sites are associated with several Russian mobile phone numbers. And one of these mobile numbers leads to the Telegram account where Bitcoin's address was published. More than 400,000 euros in Bitcoins were transferred to this regard. Experts from a company specializing in the evaluation of bitcoin payments and assisting investigators in such analysis say that this money is most likely a product of extortion.
It was such bitcoin transactions that originally brought LKA Baden-Württemberg to Nikolai K. Investigators are studying the attack on the Staatstheatre in Stuttgart in 2019, which used an earlier version of REvil called Gandcrab. The theater's computers were turned off for a few days, and employees were forced to sell handwritten tickets. It is believed that in the end Staatstheatre paid a ransom - 15,000 euros in cryptocurrency - and LKA followed the traces left by this payment. They led to Nikolai K. At that time, the hacker group was still known internationally as Gandcrab, but investigators and information security experts believe that the same group is now responsible for REvil.
Ransomware as a service
Despite the intensification of international efforts, the authorities rarely manage to find the perpetrators of attacks using ransom programs. And when they succeed, they mostly catch small fish, so-called affiliates, as was the case in two recent cases in Ukraine and Canada. These branches rent malware from a real criminal group and then transfer part of the ransom extorted in exchange. Larger fish, people like Nikolai K., have so far largely remained in the shadows, mainly because they are often in countries that are not very ready to cooperate when it comes to investigation and extradition. The case of Nikolai K. also shows how difficult it is to arrest and prosecute those behind such extortion operations.
Nikolai K. lives with his wife in a southern Russian city, in a house with a swimming pool. BMW with a capacity of more than 600 horsepower is parked on the driveway. The only legal business that can be found in connection with his name is a small bar in a newly built residential quarter in the city. Photos and videos show just a furnished bar focused on sports betting - not exactly the institution that brings a lot of money. And certainly not the one that could finance the lifestyle shown by the couple on social networks.
LKA investigators from Stuttgart closely monitor social networks in the hope of finding out when Nikolai K. will go on vacation to a country that has a cooperation agreement with Germany and in which he may be arrested. An arrest warrant has already been prepared. But Nikolai K. apparently no longer travels outside the country and seems to have spent his last vacation in Crimea.
However, the REvil case may be one of the few cases of online extortion in which, at least, the structure of the gang is clarified and the identity of the performers is established. Not only German investigators came to the trail of the group. According to Reuters, the FBI in the United States is also investigating the activities of the group and probably infiltrated it. One of the leaders of the group, speaking on the Internet under the pseudonym 0_neday, indirectly confirmed this. "The Server was hacked and they were looking for me," 0_neday wrote on the forum for criminal offers. "Good luck to everyone; I'm leaving."
Additional political pressure
It is likely that Nikolai K. also learned about the investigation. Officially, LKA in Baden-Württemburg and the responsible prosecutor's office of the land refused to comment on the ongoing investigation. But some of those involved in this case believe that it is important to talk about the success of the investigation. And to demonstrate that German departments are also competent in this field - at least as a signal to criminals that they will not evade responsibility. "It's disturbing, acts as a deterrent and may force a criminal to say in the future: "No, I won't contact it," says one of the participants in the investigation.
Some of the investigators are also disappointed by the lack of cooperation from other countries and believe that more political pressure is needed to finally change the situation. "If someone stole such amounts of money by robbing banks, the pressure would be much stronger. But the danger is not realized," says one of the officials.
The need for more active action is not disputed by the German Ministry of the Interior, which is responsible for the Federal Criminal Police Office and the German Cyber Strategy. They say that the threats to cybercrime are now perceived as seriously as the fight against terrorism.
The U.S. is already trying to put pressure on countries hiding ransomware. During a conversation with Russian President Vladimir Putin, U.S. President Joe Biden insisted on reaching an agreement on this issue. And it seems that some progress has been made. In any case, the Russian media reported that both sides intend to cooperate more closely in the future, when it comes to such cyber ransomware. But it will probably take some time before LKA in Baden-Württemberg sees the advantages. And until then, Nikolai K. and his wife can continue to spend nights in luxury hotels.
*All names have been changed.
Report by Hakan Tanriverdi and Max Cirer from Bavarian Radio