Russia has dismantled ransomware crime group REvil at the request of the United States in an operation in which it has arrested and charged members of the group, domestic intelligence agency FSB says.
The arrests were a rare overt demonstration of cooperation between Russia and the United States at a time of high tension between the two over Ukraine.
The announcement came as Ukraine responded to a massive cyberattack that shut down government websites, although there was no indication of a link between the incidents.
A police and FSB operation searched 25 addresses and arrested 14 people, the FSB said, listing confiscated assets including 426 million rubles ($7.7 million), $600,000, 500,000 euros, computer equipment and 20 luxury cars.
A Moscow court identified two of the men as Roman Muromsky and Andrei Bessonov and held them in custody for two months.
Muromsky could not be reached for comment and his phone was off.
Reuters could not immediately reach Bessonov.
Two Muscovites told Reuters Muromsky was a web developer who helped them with websites for their companies.
Russia has directly informed the US of the steps it has taken against the group, the FSB said.
The US Embassy in Moscow said it could not comment immediately.
“The investigative measures were based on a request from … the United States,” the FSB said.
“The organized criminal organization has ceased to exist and the information infrastructure used for criminal purposes has been neutralized.”
TV channel REN aired footage of agents raiding homes and arresting people, pinning them to the ground and confiscating large stacks of US dollars and Russian rubles.
The members of the group have been charged and could face up to seven years in prison, the FSB said.
A source familiar with the case told Interfax that the group’s members, who have Russian citizenship, would not be extradited to the United States.
The US government announced in November that it was offering a reward of up to $10 million ($14 million) for information leading to the identification or location of individuals holding key positions in the REvil group.
The US has been hit with a string of high-profile hacks by ransom-demanding cybercriminals.
A source with direct knowledge of the matter told Reuters in June that REvil is suspected of being behind a ransomware attack on the world’s largest meatpacking company, JBS SA.
The US government has repeatedly accused the Russian state of malicious activity online in the past, which officials in Moscow deny.
REvil hasn’t been associated with any major attacks for months.
John Shier, a threat researcher at British cybersecurity firm Sophos, said there was no independent confirmation that the self-proclaimed leaders of the “defunct” group had been arrested.
“Last but not least, it serves as a warning to other criminals that operations from Russia may not be the safe haven they thought it was,” he said.
A former client of Muromsky, who gave only the name Sergei, described him as an ordinary worker who did not appear wealthy.
Sergei runs a shop called Motohansa that sells motorcycle spare parts.
Muromsky created his website and supported it for some time, charging him around 15,000 rubles a month, he said.
“He’s a smart person and I imagine he could if he wanted to (hack) but he charged very little for his services. A few years ago he had a Rover car. This is not an expensive car at all,” said Sergei.
Muromsky is in his 30s and was born in Anapa in southern Russia, he said.
“He worked as a regular programmer.”
Another client, Adam Guzuyev, described Muromsky as “a regular, regular worker” who proved unable to install all the features Guzuyev wanted on his website.
“He earned no more than 60,000 rubles. I can’t say he has brilliant skills,” he said, adding that Muromsky worked on his website for three months.
Australian Associated Press