Europol describes the hackers as major criminals involved in various investigations.
The gang has received payments in BTC during its various attacks.
The European Union Agency for Law Enforcement Cooperation (Europol) arrested twelve suspected criminals in Ukraine and Switzerland, responsible for 1,800 ransomware attacks or data hijacking in 71 countries. The group requested bitcoin (BTC) for the payment of its ransoms, which helped the police to map the transfers, as part of their intelligence work.
In a note published on its website, Europol lists the captured suspects as “high-value targets”, given that they have been involved in multiple high-profile cases in different jurisdictions. Some of them compromised government website facilities, data centers or servers and then monetized the infection by deploying ransomware.
Ransomware is malicious software that blocks access to files on infected computers. Owners are then instructed to pay a certain sum of money, sometimes with the demand that it be paid in bitcoin. This is a ransom to regain access to their files.
The ransomware variants used by the captured suspects are LockerGoga, MegaCortex and Dharma, which are among more than 25 types that have kept researchers on alert in recent years.
As part of the investigative work, the European Union's police organization was supported by eight countries. Not only were arrests made during the raids, but more than $52,000 in cash was also found. Several luxury vehicles and watches were seized, as well as laptops and phones that the criminals apparently used to carry out their data hijackings and request ransoms, as detailed in the report.
Bitcoin helps the police
In their reports, the police do not mention the names of the alleged criminals arrested, nor do they indicate the specific cases in which they would have participated. However, they add their suspicion that several of the people questioned were using bitcoin mixing services to obfuscate the trail of the ransoms they received.
As described in the glossary of terms of cryptolafinance, mixers or bitcoin mixing services are protocols that divide the amounts sent by users into small amounts that pass through different addresses before being combined again at the final destination. This operation is carried out with the aim of making the funds difficult to trace.
After a ransomware attack, the victim received a message demanding payment in bitcoin in exchange for returning access to the hijacked files or operating system. Some of the suspects possibly laundered the loot by funneling bitcoin payments through blending services before withdrawing criminally obtained funds. The stolen money was often invested in buying resources for the next ransomware attack.
Report from the Dutch police, who also participated in the operation.
Among the intelligence work carried out by the police was the mapping of bitcoin payments received by cybercriminals to detect their location. In this way, they would have discovered the identity of the 12 suspects, including one who participated in the ransomware attack on several companies in the port of Rotterdam, an event that occurred in 2019.