The Treasury Department placed economic sanctions on Mikhail Matveev, a Russian national that U.S. prosecutors say has been "a central figure" in multiple major ransomware operations since 2020.
According to a December 2022 indictment and arrest warrant unsealed May 16, Matveev — who goes by the online handle “WazaWaka” — was responsible for identifying and hacking target organizations using Hive, LockBit and Babuk ransomware variants, as well as following up with victims on ransom demands through email. Those three groups have hit a combined 2,800 victims in the U.S. and other countries, pulling in more than $200 million in collective ransom payments.
They’re also all believed to be run by Russian-speaking cybercriminals, and a Treasury Financial Crimes Enforcement Network analysis in 2021 found that three out of every four ransomware attacks were linked to Russian cybercriminal groups or their proxies. The U.S. government and other sources have said that while these groups aren’t direct arms of the Russian government, they maintain an informal, symbiotic relationship with the Kremlin and Russian intelligence agencies.
Matveev was charged with conspiracy to commit fraud, conspiracy to commit computer fraud and intentional damage to a protected computer. The department is offering a reward of up to $10 million for information leading to his arrest.
“The United States will not tolerate ransomware attacks against our people and our institutions,” Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson said in a statement. “Ransomware actors like Matveev will be held accountable for their crimes, and we will continue to use all available authorities and tools to defend against cyber threats.”
Matveev is not private about his work, and has participated in numerous interviews where he has admitted to taking part in certain hacks. In April 2021, a Babuk ransomware attack hit the Washington Metropolitan Police Department, with the group claiming to have stolen 250 GB of data, including personnel files information on informants and other sensitive documents.
In a 2022 interview with Dmitry Smilyanets, an analyst with private threat intelligence firm Recorded Future, Matveev said the attack was executed by an affiliate, but that he made the decision to upload the department’s data to a leak site after ransom negotiations broke down. He said the affiliate program was discontinued shortly thereafter.
“Negotiations yielded absolutely nothing. The affiliates wanted a certain ransom, and in the end, as we say in Russian, ‘shat their pants and ran’ when it came to uploading the data,” Matveev told Smilyanets. “They refused to accept the $100,000 ransom counteroffer by the MPD. But my take was: ‘If you do not accept the money, I will post this data on the blog.’ To which the affiliates asked me, terrified, not to do this. I told them that the stolen data is the property of the Babuk affiliate program…and started uploading the data to the blog.”
In videos on YouTube last year flagged by independent cybersecurity reporter Brian Krebs, Matveev is also seen threatening to release exploit code for a security vulnerability, cursing Smilyanets, Krebs and other journalists, and displaying one his hands with a missing finger as evidence of his identity.
The Treasury sanctions give authorities the ability to freeze any U.S.-based assets held by Matveev’s and prevents U.S. persons and entities from doing business with him in the future. The designation includes ransom payments, meaning victims who do pay Matveev could find themselves subject to fines or other regulatory action from the U.S. government.