A Russian national, Aleksey Olegovich Volkov, who operated under the aliases “chubaka.kor” and “nets,” has signed a plea agreement admitting to his role as an initial access broker (IAB) for the Yanluowang ransomware organization. Volkov’s method involved illegally breaching the networks of corporate entities and then selling this unauthorized access to the ransomware group. This access allowed the group to deploy their ransomware, encrypt the victims’ crucial data, and subsequently issue ransom demands ranging from $300,000 to $15 million, to be paid in Bitcoin. Volkov is linked to network intrusions affecting at least eight U.S. companies across several states, including firms in Pennsylvania, California, Michigan, Illinois, Georgia, and Ohio.
FBI investigators successfully obtained search warrants for a server tied to Volkov’s operation, which yielded substantial evidence. This included chat logs detailing the criminal enterprise, credentials for victim networks, and the actual stolen data. Furthermore, evidence was recovered concerning the Yanluowang email accounts used by the group for ransom negotiations. The investigators successfully established Volkov’s identity by tracing his phone number and Russian passport through various digital means. These included Apple iCloud data linked to the account alekseyvolkov4574@icloud[.]com, records from cryptocurrency exchanges, and various social media accounts, such as a Twitter profile linked to the email qwerty4574@mail[.]ru.
The recovered chat logs were pivotal, providing clear documentation of Volkov’s coordination with a co-conspirator known as “CC-1.” The discussions revealed an agreement where Volkov would supply network credentials to CC-1 in exchange for a percentage of the resulting ransom payments. Following these successful attacks, Volkov did, in fact, collect a portion of the ransom money. Blockchain analysis confirmed this, tracing parts of the total $1.5 million in paid ransoms—including payments of $94,259 and $162,220 from two separate Yanluowang incidents—directly to Bitcoin addresses that Volkov had provided to CC-1 during their encrypted exchanges.
During their review of documents from Volkov’s Apple account, investigators uncovered additional, critical information. They found a screenshot of a chat between the defendant and a user identified as “LockBit.” This finding, documented in an affidavit signed by FBI Special Agent Jeffrey Hunter, suggests a potential relationship or link between Volkov and the extremely well-known and dangerous LockBit ransomware gang, indicating his involvement may have extended beyond the Yanluowang operation. Volkov was arrested in Italy in January 2024 and subsequently extradited to the United States to face justice.
Volkov is now confronting a substantial maximum sentence of 53 years in federal prison. The charges he faces are numerous and serious, including conspiracy to commit computer fraud, conspiracy to commit money laundering, unlawful transfer of a means of identification, access device fraud, trafficking in access information, and aggravated identity theft. As part of his plea agreement, he is also mandated to pay a massive sum of $9,167,198.19 in restitution to the individuals and companies victimized by the Yanluowang attacks he facilitated. The Yanluowang operation itself, which first emerged in October 2021, is known for its highly targeted global attacks.
Reference:
