DOJ Charges REvil Operators Over Kaseya Supply-Chain Ransomware Attack
U.S. authorities charged alleged Sodinokibi/REvil operators Yaroslav Vasinskyi of Ukraine and Yevgeniy Polyanin of Russia over ransomware attacks that included the compromise of Kaseya's remote management software, an intrusion that cascaded to managed service providers and their customers worldwide. The Kaseya incident was reported to have affected as many as 1,500 organizations, with attackers allegedly encrypting systems, leaving ransom notes, and directing victims to Tor-based or public payment sites to obtain decryption keys; victims that did not pay were allegedly threatened with the publication or sale of stolen data.
The Justice Department said Vasinskyi was arrested in Poland, later extradited to the United States, and arraigned in Texas on charges including conspiracy to commit computer fraud, damage to protected computers, and money laundering conspiracy. In parallel, U.S. authorities seized $6.1 million in alleged ransom proceeds tied to Polyanin, part of a broader multinational enforcement effort involving the FBI, Europol, Eurojust, and law enforcement partners across Europe and other allied countries to disrupt the REvil ransomware operation linked to the Kaseya attack.

How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Vasinskyi appears in Texas court on Kaseya-linked charges
On 2022-03-09, the DOJ announced that Vasinskyi had appeared in the Northern District of Texas to face charges including conspiracy to commit computer fraud, damage to protected computers, and money laundering conspiracy. Prosecutors said he was tied to multiple ransomware incidents, including the Kaseya attack.
Vasinskyi is extradited to the United States
On 2022-03-03, Vasinskyi was transported to Dallas after being extradited from Poland to face U.S. charges related to REvil ransomware attacks, including the July 2021 Kaseya attack. The extradition followed international law enforcement cooperation.
DOJ charges REvil suspects and seizes $6.1 million
On 2021-11-08, the U.S. Department of Justice announced charges against Yaroslav Vasinskyi and Yevgeniy Polyanin for REvil ransomware activity tied to attacks on U.S. businesses and government entities, including Kaseya. The DOJ also announced the seizure of $6.1 million allegedly traceable to ransom payments received by Polyanin.
Polish authorities arrest Yaroslav Vasinskyi
On 2021-10-08, alleged REvil affiliate Yaroslav Vasinskyi was arrested in Poland in connection with multiple ransomware attacks, including the Kaseya incident. He remained in custody pending extradition to the United States.
Reports say up to 1,500 organizations were compromised
By July 6, 2021, reporting indicated that the Kaseya ransomware attack had affected as many as 1,500 organizations. This marked a major escalation in the understood scale of the incident.
REvil exploits Kaseya software in global ransomware attack
In July 2021, attackers linked to the Sodinokibi/REvil ransomware operation used a Kaseya product to spread ransomware to customer endpoints and encrypt data at organizations worldwide. The attack became one of the incidents later cited in U.S. criminal charges against alleged REvil operators.
Sources
Office of Public Affairs | Sodinokibi/REvil Ransomware Defendant Extradited to United States and Arraigned in Texas | United States Department of Justice (justice.gov)
Ukrainian REvil affiliate charged with Ransomware Attack on Kaseya (securityaffairs.com)
Justice Department seizes $6 million as part of crackdown on hackers linked to Kaseya attack (thehill.com)
Office of Public Affairs | Ukrainian Arrested and Charged with Ransomware Attack on Kaseya | United States Department of Justice (justice.gov)


