Ukrainian police officers at one of the arrests of suspected Hive hackers

Photo: Europol

An international coalition of investigators has apparently dismantled a global hacker gang in Ukraine. The group is said to have attacked the servers of large companies or organizations in more than 70 countries, causing hundreds of millions of euros in damage, Europol said in The Hague. In the case of one of the suspects, Bitcoin with a euro equivalent in the six-digit range was seized.

According to the information, a total of 21 searches and five arrests took place in Ukraine on November 30, despite the ongoing war. The searches took place in the center and west of the country, in the areas of Kyiv, Cherkasy, Rivne and Vinnytsia. The alleged leader of the group, a 32-year-old, was also arrested. All of the accused are said to belong to a network that is held responsible for so-called ransomware attacks.

In such attacks, the hackers penetrate the systems of companies and authorities, encrypt their data and release it only after a ransom has been paid. Europol accuses the gang of attacking its victims with malware. According to the investigators, the hackers particularly targeted large companies and used various forms of malware, such as the ransomware programs Hive, LockerGoga, Dharma or MegaCortex.

14 targets in Germany alone

In Germany alone, the group is accused of attacks on 14 targets, including both companies and authorities. This was stated by a spokesman for the Stuttgart public prosecutor's office, which was involved in the action, in response to a SPIEGEL inquiry.

The Hive ransomware, for example, has been linked to, among other things, a successful attack on MediaMarktSaturn in November 2021. At the time, the company's data was encrypted, after which the extortionists allegedly demanded a ransom of $50 million. At times, some of the company's digital systems did not work.

According to Europol, the current investigations go back to an initiative by France in 2019. The first arrests and searches took place in 2021. An important impetus for the current success came from investigations by the Reutlingen police headquarters that became public in January 2023. At that time, technical infrastructure was dismantled and a Hive darknet site was shut down. According to a spokesman for the Stuttgart public prosecutor's office, it was possible to obtain chats and data from the hackers and thus ultimately identify the suspects.

In general, investigators suspect that many ransomware extortionists operate out of Russia. The shutdown banner on Hive's darknet site was published in Russian in January, probably as a message to the cybercrime scene.

However, investigators have not been able to reach cybercriminals in Russia, at least since Putin's attack on Ukraine. Ukrainian law enforcement, on the other hand, is working with international investigators and helping to track down cybercriminals in its own country, as the current case shows.