A Visual Journey Through Computer Setups Revealed by Recent Cybercrime Raids – realhackhistory



Emotet – Photo courtesy of National Police of Ukraine, January 2021
First, an admission: I’m not a hardware nerd. I know my way around PCs, can swap out parts as needed and can tell a MacBook from a Chromebook, but if you are expecting an exacting breakdown of the computers or tech we’re going to be looking at here you may be disappointed.

Now that that’s out of the way, I’m fascinated by seeing the behind-the-scenes of big cybercrime operations, and especially interested in seeing the workspaces of the people involved and the equipment they are working with. Most of the people raided seem to be working from home, and sometimes sharing a living space with other gang member suspects.

This blog will be a round-up of photos from police raids of ransomware and phishing operations from the last 3 or 4 years, earliest first. Let’s get started.


Emotet – Photo courtesy of National Police of Ukraine, January 2021
We are starting so strong here, with photos from the Emotet raids by Ukrainian police in January of 2021, my goodness.

I often show these photos to people in infosec to show how much can be done with so little. There’s so much going on in these photos, it’s a real spartan workshop meets student party apartment vibe.


Emotet – Photo courtesy of National Police of Ukraine, January 2021
Looking at the photo above I feel like I can almost hear the whirring of that fan and feel the weird PC case dust on my fingertips.


Emotet – Photo courtesy of National Police of Ukraine, January 2021
Boxes of pills, a neglected vacuum cleaner and some old refurbished PCs: the photo above has it all. Emotet are the winners for unexpectedly barebones working conditions and equipment.


cl0p – Photo courtesy of National Police of Ukraine, June 2021
Quite a contrast from Emotet to this. In June of 2021 Ukrainian police moved on 6 suspects they believed were associated with the cl0p ransomware gang; what you can see above is a still image captured from a longer video I link below. The suspected cl0p members arrested have a professional setup, what look like well organised workspaces, and newish Apple phones and computers.


cl0p – Photo courtesy of National Police of Ukraine, June 2021
Here’s the full video of raids released by Ukrainian police at the time:


“With the help of the malicious “Clop” ransomware, the perpetrators encrypted the data stored on the information carriers of companies in the Republic of Korea and the USA. In the future, money was demanded for the restoration of access.”

Unknown ransomware operator – photo courtesy of Interpol, September 2021
In September of 2021 the Ukrainian police, FBI, Interpol and Europol raided what they described as “two prolific ransomware operators known for their extortionate ransom demands”.

This photo is what really piqued my curiosity about the working setups of ransomware operators. This guy has an RGB case, a keyboard, a microphone with acoustic muffling and, and this is something I think about more than I should, 4 inexplicably blurred Capri-Suns lined up on top of the PC case. Why are they blurred, why are they there? It is all so mysterious.


Unknown ransomware operator – Photo courtesy of National Police of Ukraine, September 2021
Another photo of the same setup above, with the corner of a Capri-Sun dangerously visible.

Europol also released post-raid photos of seized equipment, including the Capri-Sun PC.


Unknown ransomware operators – photo courtesy of Europol, September 2021
This gives us a better look at an assortment of phones, MacBooks, PCs, tablets and hard drives seized.


LockerGoga, MegaCortex, Dharma affiliates – photo courtesy of Norwegian police, October 2021
This is less a photo of a workspace and more just the police forensics team making use of available space, I suspect, but we have a MacBook here.

In October of 2021 Europol announced the arrest of 12 individuals believed linked to ransomware attacks against victims in 71 countries.

According to the law enforcement report, those arrested had deployed ransomware strains such as LockerGoga, MegaCortex, and Dharma, as well as malware like Trickbot.

From what I can tell this video from the Ukrainian police is related to those raids. It gives a better view of phones, Wi-Fi routers, MacBooks and tablets seized.


“Using ransomware-type software, the perpetrators launched attacks on more than 50 companies in Europe and America. It was possible to stop the criminal activities of the group during an international police operation.”

REvil – Photo courtesy of Europol, November 2021
This one is tantalising: a photo of a raid by Romanian police on affiliates of Sodinokibi/REvil on November 4th 2021. There is no way to know if the laptop on the left (not a MacBook for once) belongs to one of the suspects or to the authorities present.

That’s all we get though.


GandCrab – Photo courtesy of Kuwait Interior Ministry, November 2021
In November of 2021 Interpol apparently tipped off the Kuwaiti authorities as part of “Operation Gold Dust” and that resulted in the arrest of the man you see above, photographed along with his computers, for being a GandCrab affiliate.

I hate that they made the kid pose like this for this photo, mildly amusing that they even included his headphones for the photo op though.


REvil – Photo courtesy of FSB, January 2022
In January of 2022 Russia suddenly decided to raid a number of suspected members of the infamous ransomware group REvil, for reasons I don’t pretend to fully understand. Still though, we get a look at the Windows laptop above, with a desktop littered with files that looks all too familiar to someone like myself who has to strongly resist disorganization.

No Segways or exotic pets on display here.


REvil – Photo courtesy of FSB, January 2022
You know those Russian apartment blocks stay hot when people are barefoot in January.


REvil – Photo courtesy of FSB, January 2022
The FSB even included what must have been open tabs or active logins to cryptocurrency sites. Obviously all of these prosecutions have since totally fallen apart as Russia has isolated itself from international lawfulness and invaded Ukraine.

You can see a video of the raids that the above still images are taken from below:



Unknown phishing gang – Unknown ransomware operator – Photo courtesy of National Police of Ukraine, January 2022
In January of 2022 Ukrainian police working in conjunction with international law enforcement agencies swooped in on an unspecified suspected phishing and extortion gang that included a husband and wife duo.

Looks like a kitchen table located in a patio setup here? Doesn’t look like the police moved the equipment there. Have to admire the strength of a marriage that can withstand the potential strain of shared business interests.


DoppelPaymer – photo courtesy of Europol, February 2023
Europol raided suspected DoppelPaymer affiliates earlier this year in February, and from that we get this working-from-the-kitchen-table shot of a MacBook and what looks like browser or file access history.

I would have loved to see more photos from this raid, but alas.


Genesis Market – Photo courtesy of Polish police CBZC, April 2023
Finally we have some photos from a raid in Poland related to “Operation Cookie Monster”, following the takedown of the cybercrime hub Genesis Market. This seems like a pretty professional setup: we have a desk, various PCs, laptops and the ever-present MacBook. I also see what looks like a USB-to-Ethernet adapter; I too have suffered from poor Wi-Fi.


Genesis Market – Photo courtesy of Polish police CBZC, April 2023
We also have the expected collection of phones, tablets and what looks like duped debit or credit cards blurred out?


Genesis Market – Photo courtesy of Polish police CBZC, April 2023
And that’s it, should I go back further than 2020? Did I miss any notable arrests that had accompanying photos? Hit me up on Twitter or Mastodon.