Russia arrests one of its own – a cybercrime suspect on FBI’s most wanted list

December 2, 2024 TH Author

An alleged former affiliate of the LockBit and Babuk ransomware operations, who also just happens to be one of the most wanted cybercriminals in the US, is now reportedly in handcuffs.

The US indicted Mikhail Pavlovich Matveev back in 2023, offering a $10 million reward for information that could lead to his arrest, but in a highly unusual move, it was actually Russian law enforcement that seem closer to bringing the man to justice, according to local media reports.

This shouldn’t be confused with Russia sacrificing one of its own to an established enemy – that would be truly groundbreaking. Rather, the Kaliningrad Interior Ministry and the prosecutor’s office nabbed the man they believe to be cybercriminal mastermind “Wazawaka” aka “Boriscelcin” on charges connected to ransomware activities.

The charges relate to a January investigation and the Russian prosecutor’s office claimed Matveev had developed a ransomware program to use against commercial organizations. At this time, he was still an affiliate of both the LockBit and Babuk programs.

“At present, the investigator has collected sufficient evidence, the criminal case with the indictment signed by the prosecutor has been sent to the Central District Court of the city of Kaliningrad for consideration on the merits,” said Russia’s Ministry of Internal Affairs.

The reports coming out of Russia do not cover the specific alleged offenses of Matveev. It’s unclear why the domestic authorities have chosen now as the time to pursue his arrest when he’s been an FBI suspect for some infamous cybercriminal activity for years.

The US pinned myriad attacks on Matveev when it announced his indictment alleging he’d spread ransomware in hospitals, schools, nonprofits, and law enforcement agencies across the country and beyond.

He was also linked to the shuttered Hive ransomware operation, and the Justice Department said the three operations in which he was allegedly involved were complicit in at least 2,800 attacks that generated more than $200 million in total.

Generally speaking, Russia doesn’t prosecute its own cybercriminals. There are plenty of suspected online criminals roaming freely around the country, mainly because they do not target Russian or allied organizations. At least, that’s the widely held belief.

“Technically cybercrime is illegal in Russia, but there is a longstanding understanding that as long as hackers do not target entities in Russia or the Commonwealth of Independent States, they can get away with it,” Stephen Robinson, senior threat intelligence analyst at WithSecure, told The Register.

As long as the crooks’ targets align with Putin’s politics – enemies only – then Russia typically turns a blind eye. Although that’s not always the case.

As recently as October 2024, Russia made the surprising move to sentence four known members of the REvil ransomware crew, which disbanded in 2021. If the group was targeting Russian organizations, or entities in allied nations, it hasn’t been publicized. The same goes for Matveev.

REvil was the prominent ransomware operation of its time. The LockBit of 2021. It was responsible for one of the most notorious cyberattacks of all time, the supply chain attack on Kaseya, as well as skewering meat producer JBS Foods roughly a month earlier.

Russian news media reported that the REvil arrests were made after President Joe Biden asked Putin via phone call to stop the members’ antics.

There is nothing to suggest anything similar has happened in this case and Robinson said it’s unlikely that Russia would commit to collaboration on the matter with the US in any kind of ongoing capacity.

The reasons for Matveev’s arrest can only stem from speculation at this stage. He may or may not have targeted organizations within Russia, and the US may or may not have requested the arrest like they did with REvil.

Matveev is also believed to have close ties to the EvilCorp crime group, which itself has close affiliations with certain corners of the Kremlin. Given that Russian state bodies are reportedly often in competition with one another, it’s possible one of the not-so-friendly departments to EvilCorp wanted a scalp.

However, Robinson offered up another theory. The rising cost of Russia’s war in Ukraine has led it to seek new sources of funds from those who have financially benefited so greatly from its somewhat permissive attitude towards cybercriminality.

“Russian individuals, organizations, and even the state itself are all feeling the cost of the invasion of Ukraine and of international sanctions, so the simplest possible explanation is that this is some kind of money grab,” he told us.

“Ransomware groups have demanded billions of dollars in ransoms, not to mention all of the other frauds and scams that come out of Russia. Most of the assets of these criminals are likely to be in cryptocurrency, which means they are not only somewhat sanction-proof, but they have also nearly tripled in value in the last year.

“Earlier this year when Dmitry Khoroshev, aka LockbitSupp, was sanctioned by the UK, US, and Australia as being the administrator of the LockBit ransomware group, we joked that he better have paid his taxes, otherwise just like Al Capone the authorities would be after him.

Robinson added: “This same speculation applies to Matveev – was he not paying his ‘taxes’? Whether in this case that means bribes to the right people, or simply taxes on those huge earnings, which Russia now desperately needs to keep the lights on and to prosecute its invasion of Ukraine.” ®