{"id":442,"date":"2024-12-05T03:04:10","date_gmt":"2024-12-05T03:04:10","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2024\/12\/05\/u-s-offered-10m-for-hacker-just-arrested-by-russia\/"},"modified":"2024-12-05T03:04:10","modified_gmt":"2024-12-05T03:04:10","slug":"u-s-offered-10m-for-hacker-just-arrested-by-russia","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2024\/12\/05\/u-s-offered-10m-for-hacker-just-arrested-by-russia\/","title":{"rendered":"U.S. Offered $10M for Hacker Just Arrested by Russia"},"content":{"rendered":"<p>U.S. Offered $10M for Hacker Just Arrested by Russia<\/p>\n<div>\n<p>In January 2022, KrebsOnSecurity identified a Russian man named <strong>Mikhail Matveev<\/strong> as \u201c<strong>Wazawaka<\/strong>,\u201d a cybercriminal who was deeply involved in the formation and operation of multiple ransomware groups. The U.S. government indicted Matveev as a top ransomware purveyor a year later, offering $10 million for information leading to his arrest. 
Last week, the Russian government reportedly arrested Matveev and charged him with creating malware used to extort companies.<\/p>\n<div id=\"attachment_63686\" style=\"width: 758px\" class=\"wp-caption aligncenter\">\n<img data-recalc-dims=\"1\" loading=\"lazy\" aria-describedby=\"caption-attachment-63686\" decoding=\"async\" class=\" wp-image-63686\" src=\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2023\/05\/fbiwanted-matveev.png?resize=748%2C734&#038;ssl=1\" alt=\"\" width=\"748\" height=\"734\" srcset=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2023\/05\/fbiwanted-matveev.png 804w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2023\/05\/fbiwanted-matveev-768x754.png 768w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2023\/05\/fbiwanted-matveev-782x767.png 782w\" sizes=\"(max-width: 748px) 100vw, 748px\"><\/p>\n<p id=\"caption-attachment-63686\" class=\"wp-caption-text\">An FBI wanted poster for Matveev.<\/p>\n<\/div>\n<p>Matveev, a.k.a. \u201cWazawaka\u201d and \u201c<strong>Boriselcin<\/strong>,\u201d worked with at least three different ransomware gangs that extorted hundreds of millions of dollars from companies, schools, hospitals and government agencies, U.S. prosecutors allege.<\/p>\n<p>Russia\u2019s interior ministry last week issued <a href=\"https:\/\/t.me\/mvd39\/5931\" target=\"_blank\" rel=\"noopener\">a statement<\/a> saying a 32-year-old hacker had been charged with violating domestic laws against the creation and use of malicious software. The announcement didn\u2019t name the accused, but the Russian state news agency <em>RIA Novosti<\/em> <a href=\"https:\/\/ria.ru\/20241129\/sud-1986456557.html\" target=\"_blank\" rel=\"noopener\">cited<\/a> anonymous sources saying the man detained is Matveev.<\/p>\n<p>Matveev did not respond to requests for comment. 
<strong>Daryna Antoniuk<\/strong> at <em>TheRecord<\/em> <a href=\"https:\/\/therecord.media\/wazawaka-mikhail-matveev-reportedly-arrested-russia\" target=\"_blank\" rel=\"noopener\">reports<\/a> that a security researcher said on Sunday they had contacted Wazawaka, who confirmed being charged and said he\u2019d paid two fines, had his cryptocurrency confiscated, and is currently out on bail pending trial.<\/p>\n<p>Matveev\u2019s hacker identities were remarkably open and talkative on numerous cybercrime forums. Shortly after <a href=\"https:\/\/krebsonsecurity.com\/2022\/01\/who-is-the-network-access-broker-wazawaka\/\" target=\"_blank\" rel=\"noopener\">being identified as Wazawaka by KrebsOnSecurity in 2022<\/a>, Matveev <a href=\"https:\/\/krebsonsecurity.com\/2022\/02\/wazawaka-goes-waka-waka\/\" target=\"_blank\" rel=\"noopener\">published multiple selfie videos on Twitter\/X<\/a> where he acknowledged using the Wazawaka moniker and mentioned several security researchers by name (including this author). More recently, Matveev\u2019s X profile (@ransomboris) <a href=\"https:\/\/x.com\/LucasKatashi\/status\/1716815224874140121\" target=\"_blank\" rel=\"noopener\">posted<\/a> a picture of a t-shirt that features the U.S. government\u2019s \u201cWanted\u201d poster for him.<\/p>\n<div id=\"attachment_69704\" style=\"width: 597px\" class=\"wp-caption aligncenter\">\n<img data-recalc-dims=\"1\" aria-describedby=\"caption-attachment-69704\" decoding=\"async\" loading=\"lazy\" class=\"size-full wp-image-69704\" src=\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2024\/12\/matveev-wanted-tshirt.png?resize=587%2C815&#038;ssl=1\" alt=\"\" width=\"587\" height=\"815\"><\/p>\n<p id=\"caption-attachment-69704\" class=\"wp-caption-text\">An image tweeted by Matveev showing the Justice Department\u2019s wanted poster for him on a t-shirt. 
image: x.com\/vxunderground<\/p>\n<\/div>\n<p>The golden rule of cybercrime in Russia has always been that as long as you never hack, extort or steal from Russian citizens or companies, you have little to fear of arrest. Wazawaka claimed he zealously adhered to this rule as a personal and professional mantra.<\/p>\n<p>\u201cDon\u2019t shit where you live, travel local, and don\u2019t go abroad,\u201d Wazawaka wrote in January 2021 on the Russian-language cybercrime forum Exploit. \u201cMother Russia will help you. Love your country, and you will always get away with everything.\u201d<span id=\"more-69698\"><\/span><\/p>\n<p>Still, Wazawaka may not have always stuck to that rule. At several points throughout his career, Wazawaka claimed he made good money stealing accounts from drug dealers on darknet narcotics bazaars.<\/p>\n<p>Cyber intelligence firm <a href=\"https:\/\/www.intel471.com\/\" target=\"_blank\" rel=\"noopener\">Intel 471<\/a> said Matveev\u2019s arrest raises more questions than answers, and that Russia\u2019s motivation here likely goes beyond what\u2019s happening on the surface.<\/p>\n<p>\u201cIt\u2019s possible this is a shakedown by Kaliningrad authorities of a local internet thug who has tens of millions of dollars in cryptocurrency,\u201d Intel 471 wrote in an analysis published Dec. 2. \u201cThe country\u2019s ingrained, institutional corruption dictates that if dues aren\u2019t paid, trouble will come knocking. 
But it\u2019s usually a problem money can fix.\u201d<\/p>\n<p>Intel 471 says while Russia\u2019s court system is opaque, Matveev will likely be open about the proceedings, particularly if he pays a toll and is granted passage to continue his destructive actions.<\/p>\n<p>\u201cUnfortunately, none of this would mark meaningful progress against ransomware,\u201d they concluded.<\/p>\n<p>Although Russia traditionally hasn\u2019t put a lot of effort into going after cybercriminals within its borders, it has brought a series of charges against alleged ransomware actors this year. In January, four men tied to the REvil ransomware group were sentenced to lengthy prison terms. The men were among <a href=\"https:\/\/krebsonsecurity.com\/2022\/01\/at-request-of-u-s-russia-rounds-up-14-revil-ransomware-affiliates\/\" target=\"_blank\" rel=\"noopener\">14 suspected REvil members rounded up by Russia<\/a> in the weeks before Russia invaded Ukraine in 2022.<\/p>\n<p>Earlier this year, Russian authorities arrested at least two men for allegedly operating the short-lived <strong>Sugarlocker<\/strong>\u00a0ransomware program in 2021. <strong>Aleksandr Ermakov<\/strong> and <strong>Mikhail Shefel<\/strong> (now legally <strong>Mikhail Lenin<\/strong>) <a href=\"https:\/\/krebsonsecurity.com\/2024\/01\/who-is-alleged-medibank-hacker-aleksandr-ermakov\/\" target=\"_blank\" rel=\"noopener\">ran a security consulting business called <strong>Shtazi-IT<\/strong><\/a>. 
Shortly before his arrest, Ermakov became the first ever cybercriminal sanctioned by Australia, which alleged he stole and leaked data on nearly 10 million customers of the Australian health giant Medibank.<\/p>\n<p>In December 2023, KrebsOnSecurity <a href=\"https:\/\/krebsonsecurity.com\/2023\/12\/ten-years-later-new-clues-in-the-target-breach\/\" target=\"_blank\" rel=\"noopener\">identified Lenin as \u201c<strong>Rescator<\/strong>,\u201d<\/a> the nickname used by the cybercriminal responsible for selling more than 100 million payment cards stolen from customers of Target and Home Depot in 2013 and 2014. Last month, Shefel <a href=\"https:\/\/krebsonsecurity.com\/2024\/11\/an-interview-with-the-target-home-depot-hacker\/\" target=\"_blank\" rel=\"noopener\">admitted in an interview with KrebsOnSecurity<\/a> that he was Rescator, and claimed his arrest in the Sugarlocker case was payback for reporting the son of his former boss to the police.<\/p>\n<p>Ermakov was sentenced to two years probation. But on the same day my interview with Lenin was published here, a Moscow court declared him insane, and ordered him to undergo compulsory medical treatment, The Record\u2019s Antoniuk notes.<\/p>\n<\/div>\n<p>BrianKrebs<br \/>\n<a href=\"https:\/\/krebsonsecurity.com\/2024\/12\/u-s-offered-10m-for-hacker-just-arrested-by-russia\/\">Go to krebsonsecurity<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>U.S. Offered $10M for Hacker Just Arrested by Russia In January 2022, KrebsOnSecurity identified a Russian man named Mikhail Matveev as \u201cWazawaka,\u201d a cybercriminal who was deeply involved in the formation and operation of multiple ransomware groups. The U.S. 
government indicted Matveev as a top ransomware purveyor a year later, offering $10 million for information [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[192,318,319,320,55,199,321,200,190,322,323,324,325],"tags":[72],"class_list":["post-442","post","type-post","status-publish","format-standard","hentry","category-aleksandr-ermakov","category-boriselcin","category-daryna-antoniuk","category-intel-471","category-krebsonsecurity","category-mikhail-lenin","category-mikhail-matveev","category-mikhail-shefel","category-neer-do-well-news","category-rescator","category-shtazi-it","category-sugarlocker","category-wazawaka","tag-krebsonsecurity"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/442"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=442"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/442\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=442"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=442"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=442"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}