The accused Russian citizen and REvil affiliate has been last traced to an address in St. Petersburg.
REvil has been operating since April 2019
Photo Credit: Pexels/ Sora Shimazaki
US law enforcement seized 39.9 Bitcoins from an Exodus wallet, worth approximately $2.3 million (roughly Rs. 17.3 crore) from a Russian citizen suspected of being associated with infamous hacker group REvil, known for their ransomware attacks. The Federal Bureau of Investigation (FBI) in a complaint unsealed last week states that the wallet contained REvil ransom payments belonging to an affiliate identified as Aleksandr Sikerin, who has been found employing ransomware viruses to break into databases of American infrastructure facilities.
The complaint, first seen by Bleeping Computer, reveals that Sikerin — who is affiliated with REvil — was responsible for the ransomware attacks that generated about $200 million (roughly Rs. 1,504.76 crore) in payments from victims between April 2019 and June 2021. The cryptocurrency wallet that is now under the FBI's control is "traceable to ransomware attacks committed by Sikerin"
Sikerin, meanwhile, whose last-known address has been traced to the Russian city of Saint Petersburg, has been charged with multiple counts of conspiracy and money laundering. That said, law enforcement officials believe Sikerin is just an affiliate in the vast network of REvil gang.
Ransomware gang affiliates are responsible for frontline hacking work and stealing the data from victims' machines. They usually earn 70-80 percent of the ransom.
REvil, also known as Sodinokibi or Sodin, has been one of the most notorious ransomware groups of over the past couple of years. The group targets company networks using spam, exploits, exposed remote desktop services and hacked managed service providers (MSPs).
While the FBI does not indicate the online alias of the threat actor in its complaint, those over at Bleeping Computer have looked into the email address mentioned in it and found that the name 'engfog' is tied to a REvil affiliate known as 'Lalartu' aka Aleksandr Sikerin — who has named in the complaint.
The news break nearly a month after the US Justice Department charged a Ukraine national and a Russian in one of the worst ransomware attacks against American targets as per court filings.
An indictment back then accused Ukrainian Yaroslav Vasinskyi, who was arrested in Poland last month, of breaking into Florida software provider Kaseya over the July 4 weekend. From there, he and accomplices simultaneously distributed REvil ransomware to as many as 1,500 Kaseya customers, encrypting their data and forcing some to shut down for days, it said.
Vasinskyi is charged with breaking into the victim companies and installing encryption software, developed by the core REvil group. REvil directly handled the ransom negotiations and split the profits with affiliates like Vasinskyi.
REvil, also involved in an attack against top global meatpacker JBS SA, was intercepted in a joint operation, where authorities recovered $6 million (roughly Rs. 45.17 crore) in ransom payments.
Catch the latest from the Consumer Electronics Show on Gadgets 360, at our CES 2026 hub.