Operation GoldDust Arrests REvil Affiliates and Disrupts Ransomware Network
Romanian authorities arrested two suspected Sodinokibi/REvil affiliates as part of Operation GoldDust, a multinational law-enforcement campaign targeting operators tied to both REvil and GandCrab. Europol said the suspects were linked to roughly 5,000 infections and about €500,000 in ransom payments, while the broader group of arrested affiliates was suspected of around 7,000 infections and demands exceeding €200 million. Since February 2021, authorities in 17 countries, working with Europol, Eurojust, and INTERPOL, had arrested seven suspects connected to the two ransomware families, including a REvil affiliate associated with the Kaseya supply-chain attack and other suspects detained in South Korea and Kuwait.
The arrests followed wider pressure on REvil's ransomware-as-a-service operation after its infrastructure was disrupted and its public-facing sites went offline. The Washington Post reported that the gang shut down after U.S. Cyber Command hijacked one of its sites and the operators realized they had been compromised, adding to the strain from coordinated international investigations. Europol said private-sector partners including Bitdefender, KPN, and McAfee Enterprise supported the operation with technical analysis and with decryptors distributed through No More Ransom, enabling more than 50,000 decryptions, helping over 1,400 companies recover from REvil infections, and preventing losses worth hundreds of millions of euros.

How this story unfolded
Europol announces Operation GoldDust results against REvil affiliates
On 2021-11-08, Europol publicly announced that five affiliates of Sodinokibi/REvil had been "unplugged" through Operation GoldDust. The agency said the arrested affiliates were suspected of around 7,000 infections and had demanded more than €200 million in ransom.
Authorities arrest REvil affiliate tied to the Kaseya attack
As part of Operation GoldDust in 2021, law enforcement arrested a REvil affiliate connected to the Kaseya supply-chain ransomware attack. Europol cited this as one of the notable arrests made before the November 2021 announcement.
Romanian authorities arrest two suspected REvil affiliates
On 2021-11-04, Romanian authorities arrested two suspects accused of cyber-attacks involving Sodinokibi/REvil. Europol said the pair were allegedly responsible for about 5,000 infections and roughly €500,000 in ransom payments.
Additional REvil/GandCrab affiliates arrested in South Korea and Kuwait
Before November 2021, authorities also arrested multiple ransomware affiliates in South Korea and Kuwait as part of the broader multinational crackdown. Europol said these arrests contributed to a total of seven suspects detained since February 2021.
Cyber Command hijacks REvil infrastructure, contributing to gang shutdown
The Washington Post reported that U.S. Cyber Command hijacked a REvil site, and the gang subsequently shut down after realizing it had itself been compromised. This marked a major disruption of the ransomware group's operations.
Operation GoldDust begins targeting REvil and GandCrab affiliates
By February 2021, international law enforcement under Operation GoldDust had begun coordinated action against affiliates of the REvil and GandCrab ransomware operations. Europol said arrests linked to the two ransomware families started from this period onward.
Sources
Europol, "Five affiliates to Sodinokibi/REvil unplugged - Suspected of about 7 000 infections, the arrested affiliates asked for more than 200 million euros in ransom", europol.europa.eu (archived copy at web.archive.org)
The Washington Post, "A ransomware gang shut down after Cybercom hijacked its site and it discovered it had been hacked", washingtonpost.com