A Couple Faces Up To 13 Years In Belgian Prison For CryLock Ransomware Attacks
Read also: Global police action busts major malware operations, CryLock and Robbinhood ransomware operators charged, and more.
A couple faces up to 13 years in Belgian prison for CryLock ransomware attacks
Belgian federal prosecutors are seeking prison sentences of 13 and 10 years for a Russian couple accused of orchestrating a massive ransomware campaign using the CryLock malware. The pair allegedly infected over 400,000 computers worldwide, earning more than €3 million in ransoms.
The main suspect, a 40-year-old Russian man identified as V.S., is believed to have developed the CryLock ransomware. Prosecutors say he used it to remotely infect thousands of computers, encrypt their data, and demand payment for decryption. Investigators also allege that he sold modified versions of the ransomware to other criminal groups, taking a cut of their profits, and managed a cryptocurrency wallet, worth at least €53 million in bitcoin, into which the ransom payments were funneled.
His partner, a 44-year-old woman known as E.T., or “Olga,” is accused of promoting the ransomware to potential clients and negotiating ransom payments with victims. Prosecutors revealed that E.T. herself was reportedly a victim of a cyber-attack in 2015 before connecting with V.S. and later becoming his partner in both life and cybercrime.
The couple was arrested in Spain in 2023 and extradited to Belgium to stand trial. During the raid on their home, police seized 16 servers allegedly used in the cyber-attacks.
Spain arrests alleged members of criminal gang behind cyber-attacks on critical infrastructure
Spanish National Police, in coordination with international law enforcement agencies, have dismantled a highly organized and technologically advanced cybercriminal network as part of a major operation dubbed “Borraska.” The crackdown led to the arrest of four individuals — two in Madrid, one in Córdoba, and one in Andorra — who were allegedly part of a sophisticated organization responsible for a series of sustained cyberattacks on critical infrastructure and public institutions.
The network had developed a complex technological infrastructure that allowed it to operate covertly, including a custom-engineered digital platform designed to store and monetize personal and institutional data, distributed cloud servers, end-to-end encryption, advanced identity obfuscation techniques, and the use of cryptocurrency for anonymous financial transactions. The group’s targets included government entities, energy providers, transport networks, telecommunications systems, and educational platforms across multiple countries.
Spanish police were able to recover and dismantle critical parts of the group’s cloud-based infrastructure, including primary servers used to manage and disseminate the stolen data. Among the vast troves of illicitly obtained information were personal records affecting millions of individuals, including sensitive details such as educational histories, civil registry data, veterinary records, public transit card usage, telecommunications metadata, and utility billing information.
Authorities believe that many of the compromised organizations and data sources may have been unaware that their systems had been breached or that their data was being secretly harvested and monetized. The investigation remains ongoing.
Global police action busts major malware operations. Qakbot, DanaBot devs charged in the US
The US Department of Justice unsealed charges against Rustam Rafailevich Gallyamov, a Russian national accused of leading the development and deployment of Qakbot, malware used for over a decade to infect thousands of computers. Qakbot facilitated the spread of ransomware and created botnets of compromised devices. Prosecutors are also seeking the forfeiture of over $24 million in seized assets related to the scheme.
In a separate action, prosecutors in Los Angeles charged 16 individuals with involvement in the DanaBot malware operation, which infected over 300,000 computers worldwide and caused at least $50 million in damage. DanaBot, first detected in 2018, evolved from banking credential theft to broader cybercrime capabilities.
These actions are part of Operation Endgame, a global law enforcement initiative targeting cybercriminal infrastructure and actors. Between May 19 and 22, authorities took down 300 servers and neutralized 650 domains, issued 20 international arrest warrants, and seized €3.5 million in cryptocurrency, raising the operation’s total seizures to over €21.2 million.
Malware strains disrupted include Bumblebee, Latrodectus, QakBot, Hijackloader, DanaBot, TrickBot, and Warmcookie, which are commonly used by ransomware-as-a-service (RaaS) operations.
Developer admits his role in the Robbinhood ransomware scheme
Sina Gholinejad, a 37-year-old Iranian national, has pleaded guilty in a US federal court to charges connected to a ransomware and extortion campaign that disrupted a range of public and private sector organizations across the United States. The scheme, which utilized the Robbinhood ransomware variant, targeted city governments, major corporations, and healthcare providers, inflicting substantial financial and operational damage.
According to federal prosecutors, Gholinejad played a central role in the execution of the ransomware attacks, which began in early 2019. Gholinejad and unnamed co-conspirators systematically breached the computer networks of various institutions. Once inside, they exfiltrated sensitive information and deployed the Robbinhood ransomware to encrypt files. The attackers then issued ransom demands in exchange for decryption keys.
One of the most notable victims, the city of Baltimore, is said to have suffered over $19 million in damages. Essential services were paralyzed for months, including systems responsible for property tax payments, water billing, and other critical municipal functions.
Gholinejad has pleaded guilty to one count of computer fraud and abuse, as well as one count of conspiracy to commit wire fraud. He now faces a potential sentence of up to 30 years in federal prison. His sentencing hearing is scheduled for August.
Hacker apprehended in Thailand for infecting ATMs with malware
A Bulgarian national, Ivan Valchev, 50, was arrested by Thailand’s Cybercrime police for allegedly installing data-trapping devices in 13 ATMs across Bangkok and Nonthaburi. Valchev reportedly tampered with the machines by replacing data cables with modified ones containing SIM cards, aiming to inject a “jackpot” virus that disrupted ATM operations and blocked customer withdrawals. He was apprehended at a luxury residence in Nonthaburi under a court-issued arrest warrant. Authorities also seized computers, data cables, and electronic equipment during the raid.
Meanwhile, Australian authorities have charged two Romanian nationals over an alleged $800,000 card-skimming scheme involving tampered ATMs across Australia. Police allege the men used skimming devices to steal bank card data, which they then used to clone cards and defraud victims. If convicted, they face up to 20 years in prison for proceeds of crime and up to three years for related offenses.
In a separate operation, the Nigerian police have arrested 20 suspects involved in hacking the 2025 Computer-Based Test (CBT) examinations conducted by the Joint Admissions and Matriculation Board (JAMB). The suspects are part of a syndicate of over 100 individuals who target computer servers of examination bodies like JAMB and NECO.
According to local media, the group confessed to sabotaging the CBT system to undermine public trust in the exams and discourage future use by NECO and WAEC. The scheme aimed to manipulate scores for “special candidates” who paid between ₦700,000 (~$440,000) and ₦2 million (~$1.2 million).