German Authorities Track Down REvil Ransomware Group Core Member

Last updated October 28, 2021

One of the REvil ransomware gang's core members behind the REvil ransomware group, one of the most successful and notorious ransomware groups in recent years, was reportedly identified by German prosecutors in the person of a millionaire hacker living in Russia who flaunts a luxurious life online. The suspect's real identity was not revealed yet, but the media in Germany call him "Nikolay K."

The individual German and EU authorities worked together and linked Nikolay’s cryptocurrency transactions to Bitcoin ransom payments associated with the GandCrab ransomware group after the attacks targeting a software developer in spring 2019 that exposed the Stuttgart State Theater.

The suspect presented himself on social networks as a crypto trader and paraded luxury items and vacations - after all, REvil is known to ask for steep payments, with the last one being $70 million. However, he did not think to mask his identity, which investigators managed to link with his veiled crypto transactions.

They found his email registered on 60 websites and a phone number linked with his Telegram account. Among seemingly legit crypto transactions, they found €400,000 ($467,000) sent a Bitcoin address mentioned there.

The Federal Criminal Police Office (BKA) and LKA Baden-Württemberg investigators also suggested this could be the same mastermind behind the notorious REvil malware and its supposed predecessor Gandcrab. Right now, the BKA and the Stuttgart public prosecutor's office are not issuing statements regarding official extradition since that can happen only if he travels to a country that extradited to Germany, so an arrest is unlikely.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: