Russian national with alleged Hive ransomware ties arrested in Paris

Jason Macuray
A Russian national suspected of possessing thousands of dollars stolen from the French victims of Hive ransomware was arrested in Paris last week.

While searching his phone, the police seized more than €570,000 (over $615,000) in cryptocurrency assets that he allegedly helped steal. According to police, the suspect served as a “banker” for Hive affiliates, helping them manage stolen funds.

Little was publicized about the suspect except that he is a Russian national, around 40 years old, and lives in Cyprus, according to reporting from French newspaper Le Figaro.

The criminal was identified “thanks to his activity on social networks” and was subsequently arrested and placed in police custody, according to Nicolas Guidoux, a French official responsible for fighting cybercrime at the Ministry of the Interior.

The international police also searched the suspect’s home in a Cypriot seaside resort and obtained “important” evidence for further investigation.

Before its infrastructure was shut down in January, Hive was used to compromise and encrypt the data and computer systems of large tech and oil companies, as well as hospitals in Europe and the U.S. Since 2021, it targeted over 1,500 companies worldwide, which lost more than $100 million in ransom payments.

In France, Hive had nearly 60 victims, including the National School of Civil Aviation and several local government services and town halls.

Hive worked as “ransomware-as-a-service”: attacks were executed by “affiliates,” but the ransomware itself was created, maintained, and updated by its developers. When victims paid, the ransom was split between the affiliates, who received 80%, and the developers, who received 20%.

During the operation against Hive in January, law enforcement identified the ransomware’s decryption keys and shared them with many victims, helping them regain access to their data without paying the cybercriminals. This effort helped save $130 million in ransom payments.

Daryna Antoniuk
is a freelance reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.
