Ryuk Ransomware

A Russian national on February 7, 2023, pleaded guilty in the U.S. to money laundering charges and for attempting to conceal the source of funds obtained in connection with Ryuk ransomware attacks.

Denis Mihaqlovic Dubnikov, 30, was arrested in Amsterdam in November 2021 before he was extradited from the Netherlands in August 2022. He is awaiting sentencing on April 11, 2023.

"Between at least August 2018 and August 2021, Dubnikov and his co-conspirators laundered the proceeds of Ryuk ransomware attacks on individuals and organizations throughout the United States and abroad," the Department of Justice (DoJ) said.

Dubnikov and his accomplices are said to have engaged in various criminal schemes designed to obscure the trail of the ill-gotten proceeds.


According to DoJ, a chunk of the 250 Bitcoin ransom paid by a U.S. company in July 2019 after a Ryuk attack was sent to Dubnikov in exchange for about $400,000. The crypto was subsequently converted to Tether and transferred to a co-conspirator, who then exchanged it for the Chinese Renminbi.

In all, the parties involved in the criminal enterprise are estimated to have laundered at least $150 million in ransom payments.

Dubnikov is also the co-founder of Coyote Crypto and Eggchange, with the latter headquartered in Federation Tower East (or Vostok), a supertall skyscraper known to harbor several cryptocurrency businesses with ties to money laundering associated with ransomware operations.

According to Chainalysis, Eggchange received over $34 million worth of cryptocurrency from darknet markets, scams, fraud shops, and ransomware operators between 2019 and 2021.

Fight AI with AI — Battling Cyber Threats with Next-Gen AI Tools

Ready to tackle new AI-driven cybersecurity challenges? Join our insightful webinar with Zscaler to address the growing threat of generative AI in cybersecurity.

Supercharge Your Skills

Ryuk, which first emerged on the threat landscape in 2018, is attributed to a threat actor tracked as Wizard Spider and has compromised governments, academia, healthcare, manufacturing, and technology organizations worldwide.

Often delivered through first-stage malware such as TrickBot or BazarBackdoor, Ryuk is also a predecessor to the Conti ransomware, which shuttered its operations in May 2022 and splintered into smaller units.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.