Ransomware plea puts Russian at risk of 53 years, $9.2M restitution

A Russian national has pleaded guilty to multiple charges connected to his participation in different ransomware attacks targeting individuals and corporations. The defendant, Aleksei Olegovich Volkov, also known as “chubaka.kor, faces a maximum penalty of up to 53 years in prison if he is found guilty.

According to court records, the Russian acted as the initial access broker for the Yanluowang ransomware group while being a resident in Russia from July 2021 to November 2022. Prosecutors accused Volkov and several unnamed co-conspirators of attacking seven United States businesses during that period, adding that at least two of the United States businesses paid a combined $1.5 million in ransoms.

In the court records, prosecutors claimed that victims of the ransomware group included an engineering firm and a bank. They claimed that executives of these firms received harassing phone calls after their networks were hit with distributed denial of service (DDoS) attacks. The Yanluowang ransomware group was fingered for the operation, with the prosecutors noting that they stole data belonging to the firms and encrypted it to extort money.

Russian national pleads guilty to multiple ransomware activities

The court filings for Volkov’s case did not exactly name Cisco, but the enterprise networking and security vendor said it was impacted by an attack that it attributed to Yanluowang ransomware in May 2022. During its investigation, Cisco realized that the credentials of one of its employees were compromised after an attacker gained control of a personal Google account where credentials saved in the victim’s browser were being synchronized.

Cisco claimed that the attacker then carried out a series of sophisticated voice phishing attacks under the guise of trusted organizations, attempting to convince the victim to accept multi-factor authentication push notifications initiated by the attacker. After succeeding, the attacker then got access to the VPN in the context of the targeted user. In its report, Cisco claimed that the attack had links to an initial access broker with ties to several ransomware groups, including UNC2447, Lapsus$, and Yanluowang.

Prosecutors claimed that the Russian was charged with identifying targets, exploiting vulnerabilities in their systems, and sharing access with co-conspirators for a flat fee or a percentage of the ransom payments made by the victims. Some of the Russian’s victims were unable to function properly without access to some of the data stolen and had to partially halt their operations or shut down permanently in the wake of the attacks, causing hindrance to users.

Volkov awaits sentencing amid agreement to pay $9.2 million

Prosecutors also claimed the group got $24 million from all seven ransomware victims. The FBI also traced cryptocurrency transactions related to the payments to accounts that were maintained by the Russian and another co-conspirator, CC-1, who they claimed resided in Indianapolis at the time. The FBI was able to confirm Volkov’s identity using blockchain analysis. They were also able to uncover multiple accounts used for communication within the group.

In their communication, the group talked about ransomware attacks, payments, and splitting proceeds from their criminal activities. In the unsealed indictment, the Russian was arrested in January 2024 in Rome, where he had been living, and was later extradited to the United States and remains in custody in Indiana. Volkov previously filed an intention to plead guilty in April and agreed to have his case moved to Indiana.

The Russian pleaded guilty to six charges, including unlawful transfer of a means of identification, trafficking in access information, access device fraud, conspiracy to commit computer fraud, aggravated identity theft, and conspiracy to commit money laundering. The plea agreement will also see Volkov pay a combined restitution of about $9.2 million to the seven victims.

Get seen where it counts. Advertise in Cryptopolitan Research and reach crypto’s sharpest investors and builders.