The Federal Bureau of Investigation (FBI) has seized 39.89 BTC, worth approximately $2.3 million, from a Russian man affiliated with the REvil and GandCrab ransomware gangs, according to a court document unsealed Tuesday.
"The United States of America files this verified complaint in rem against 39.89138522 Bitcoin Seized from Exodus Wallet ("the Defendant Property") that is now located and in the custody and management of the Federal Bureau of Investigation ("FBI") Dallas Division, One Justice Way, Dallas, Texas," reads the United States' Verified Complaint for Forfeiture.
Exodus is a self-custody desktop and mobile wallet that holds cryptocurrency, including Bitcoin, Ethereum, Solana and many others. Its private keys are stored on the user's device rather than by Exodus, so moving the coins requires the keys or the wallet's recovery phrase; there is no custodian to serve with a court order.
The seizure took place on August 3, but the officials did not disclose how they gained access to the wallet. According to the court document, the wallet contained REvil ransom payments belonging to an affiliate identified as Aleksandr Sikerin (aka Alexander Sikerin and Oleksandr Sikerin), whose email address is engfog1337@gmail.com.
The name "engfog" in the email address is tied to a well-known GandCrab and REvil/Sodinokibi affiliate known as "Lalartu," Bleeping Computer reported.
The court document explains that the GandCrab and REvil organizations operated as Ransomware-as-a-Service (RaaS), in which the core operators partner with third-party hackers known as affiliates. Ransom payments are split between the affiliate and the core operators, with the operators usually earning between 20% and 30% of each ransom, the news outlet noted.
The Justice Department this month announced the seizure of $6.1 million from Yevgeniy Polyanin, a Russian national "charged with deploying Sodinokibi/REvil ransomware to attack businesses and government entities in the United States." The U.S. government has been stepping up its efforts against ransomware more broadly: the Treasury Department has already sanctioned two cryptocurrency exchanges for laundering ransom payments.
Earlier this year, in October, REvil was reportedly forced offline by a multi-nation operation, giving the ransomware group a taste of its own medicine after it orchestrated a number of high-profile attacks. The most damaging was the July supply-chain attack on Kaseya's VSA remote-management software, which was abused to push REvil ransomware to the customers of managed service providers and forced hundreds of Coop supermarkets in Sweden to close. (The Colonial Pipeline attack that caused fuel shortages across the U.S. is attributed to a different group, DarkSide, rather than REvil.)