Sentence confirmed for Alexander Vinnik! This Thursday, June 24, the Paris Court of Appeal sentenced this Russian, nicknamed Mr. Bitcoin, to five years in prison for his role in the laundering of Locky’s ransoms, this ransomware which had raged in 2016. A decision similar to that pronounced at first instance, in December 2020. His lawyers immediately announced that they were going to appeal on points of law.
Unsurprisingly, the judgment of the Court of Appeal complies with the requisitions of the Advocate General. Last May, this magistrate dropped in the open the charges relating to cybercrime, extortion and criminal association, for lack of evidence. The magistrate Jérôme Marilly then painted the portrait of an Alexander Vinnik simple provider of money laundering services for the operators of Locky ransomware. Taking note of the decision of the criminal court, which had released Alexander Vinnik on these prosecutions.
A historic first – this is the first time that a person has been tried in France for his involvement in ransomware, a criminal phenomenon that has become one of the first computer threats – this unprecedented case is rich in lessons. First, it shows that international judicial cooperation makes it possible to obtain results. Alexander Vinnik was arrested in July 2017 in Greece during his vacation at the request of the US judicial authorities. Who then transmitted via Europol the information necessary to advance the French investigation, then at a standstill.
The great dirty money washer of the 2010s would have laundered several billion dollars
The future judicial of Mr. Bitcoin, also requested by the Russian justice, must now be written in the United States. Across the Atlantic, he is suspected of having been at the head of the cryptocurrency exchange platform BTC-e. The great dirty money washer of the 2010s would have laundered several billion dollars.
In the background, the judicial outcome of the case in France illustrates, however, the difficulties of judicial investigations into ransomware. The investigations into Locky, split into two parts, money laundering and the ransomware infrastructure, have indeed yielded mixed results. Where the gendarmerie investigators had succeeded in tracing the financial flows from the blockchain to the BTC-e platform, their counterparts at the Paris police headquarters encountered dead ends.
The difficulties detailed during the appeal trial by the police commander in charge of the file at the information technology fraud investigation squad. In 2016, with Locky, the investigators are banking on a new technique to avoid being caught in a hurry. For a previous investigation into Cryptowall, the police felt they were wasting their time trying, from the victims, to find the trace of the command and control servers.
“It was one of the first versions of a RaaS, in the form of an affiliation”
Having thus learned, after information published by the Fortinet company, that two Locky servers were located in France, the police immediately requested the opening of an investigation. So even before having knowledge of a victim. The first monitoring of the two suspicious, inactive servers, gave nothing. Then, thanks to German investigations, the French police officers understand that the server is only a simple gateway mounted to hinder the discovery of the final server.
“The duration of a command and control server is generally a day and a half,” the head of the investigation, Aurélien D., reminded the bar. As soon as the operators felt they had left a trace , they were bringing down their infrastructure. »Compromised servers, such as that of a driving school that had not been updated. Finally, the investigators will not be able to seize the control panel, the evidence which failed to confuse the operators of Locky.
However, the police manage to get a fairly fine-grained knowledge of the cybercriminal group. “It was one of the first versions of ransomware-as-a-service, in the form of an affiliation”, explains Aurélien D. For Befti, it is a small group of trust with only eight places, including three for creators. The police also believe that there was only one payment infrastructure.
“Cybercriminals have evolved their software, the same way MacOS went from Capitan to Sierra”
“The one who was in command of Locky was not necessarily a great technician, but he relied on other people”, continues the police officer. And to note, of the many encryption extensions that have followed, “that cybercriminals, even if they are not ISO 9001, have evolved their software, in the same way that MacOS goes from Capitan to Sierra”. “Excluding crime, it would be a very organized IT company,” concludes the investigator. And powerful enough to escape the regulator.