French authorities have detained a Russian national in Paris, suspected of aiding the Hive ransomware gang in laundering ransom payments. The arrest follows a joint international effort in January to dismantle the Hive network, a significant cyber threat. The suspect was linked to digital wallets receiving millions of dollars from suspicious sources, leading to the seizure of €570,000 in cryptocurrency assets. This move is part of ongoing efforts to combat ransomware, with previous operations targeting Hive’s infrastructure, resulting in the prevention of $130 million in ransom payments and the disclosure of decryption keys.
The arrest in Paris was made by the Judicial Police after tracing the suspect’s involvement in money laundering related to cyber attacks orchestrated by the Hive ransomware gang. The French Anti-Cybercrime Office (OFAC) identified the individual through his activity on social networks and linked him to digital wallets that received substantial funds from suspicious origins. Simultaneously, a collaborative effort with Europol, Eurojust, and Cypriot authorities led to the search of the suspect’s residence in Cyprus, providing valuable investigative leads. The suspect, a 40-year-old resident of Cyprus, was referred to the specialized prosecutor’s office of the Paris judicial court on December 9, 2023.
The arrest follows the January seizure of Hive ransomware’s Tor websites in an international law enforcement operation, during which the FBI infiltrated the gang’s servers. That access enabled the FBI to obtain crucial information about Hive’s attacks, issue decryption keys to victims, and prevent approximately $130 million in ransom payments. The takedown revealed communication records, malware details, and information on Hive affiliates. Subsequently, the U.S. State Department offered a reward of up to $10 million for information linking the Hive ransomware group or other threat actors to foreign governments. In November, the FBI disclosed that Hive had extorted around $100 million from over 1,500 companies since June 2021.
Despite the law enforcement crackdown on Hive, a new ransomware-as-a-service (RaaS) operation named Hunters International has emerged, using code associated with the Hive ransomware. Security researchers discovered significant code overlaps, leading them to suspect that the old Hive gang had rebranded. However, Hunters International denies this, stating that it is a new ransomware service that acquired the encryptor source code from Hive’s developers. The group emphasizes a focus on data theft rather than encryption, using stolen data to pressure victims into paying ransoms.