Member of Russian Ransomware Gang Responsible for Laundering $70 Million Is Jailed in Portland

Denis Mihaqlovic Dubnikov, 29, was arrested by the FBI after being extradited from the Netherlands.

ARRIVALS: Denis Mihaqlovic Dubnikov was extradited from the Netherlands this week.

A Russian member of a cryptocurrency laundering ring is now in jail in downtown Portland. The money was collected from ransomware victims in Oregon and around the globe, federal prosecutors say.

Denis Mihaqlovic Dubnikov, 29, was arrested by the FBI after being extradited from the Netherlands earlier this week. He appeared in court for the first time this morning.

Dubnikov allegedly laundered $400,000 in proceeds from ransomware attacks, according to an indictment filed by the United States Attorney’s Office. The case was filed over two years ago but unsealed today following Dubnikov’s arrest.

He and 12 other defendants, whose names are redacted in the indictment, allegedly used a form of software called Ryuk to amass at least $70 million in ransoms. Dubnkov is the first member of the gang to be caught.

Over a period of 24 hours in 2020, Ryuk attacks hit six hospitals across the country, including Sky Lakes Medical Center in Klamath Falls, according to the Washington Post.

Federal law enforcement agencies immediately issued a report explaining how the technology works and strongly urged hospitals not to pay the ransoms.

Sky Lakes complied and refused to pay. It eventually recovered data from over 600 servers with the assistance of a California cybersecurity company.

The hospital’s computer systems were down for 23 days.

“Patients never knew,” says Tom Hottman, the hospital’s public information officer. But it was a nightmare for staff. Doctors had limited access to email or patient health records, and test results came back slow.

Here’s how the attack happened: On Oct. 26, 2020, a Sky Lakes employee was tricked into clicking a malicious link in an email advertising a company bonus, according to an analyst for the hospital quoted on the trade news website HealthITSecurity.

The link downloaded the ransomware software, which jumped through the hospital’s network, encrypting data as it went, until hospital administrators shut the computer system down.

Then, they may have received a ransom note similar to one that was transcribed in Dubnikov’s indictment.

“You should thank the Lord for being hacked by serious people not some stupid schoolboys or dangerous punks,” the note reads, and threatens to delete all data on the infected systems unless a ransom in bitcoin is sent to the hackers’ account.

Many Ryuk victims do just that. Dubnikov’s indictment lays out what happens next.

The money is sent to a private “wallet” held by one of the hackers. It’s then split into smaller amounts and sent to other wallets controlled by other members of the group.

Then, in a series of “circular transfers,” the crypto is sent back and forth between other cryptocurrencies such as Tether and then converted into fiat currencies like Chinese Renminbi, according to the federal investigators.

The money then ends up in foreign bank accounts controlled by the hackers.

A spokesman for the U.S. Department of Justice declined to say whether Dubnikov was linked to the Sky Lakes attack.

Dubnikov’s attorney, David Angeli, declined to comment.

Willamette Week’s reporting has concrete impacts that change laws, force action from civic leaders, and drive compromised politicians from public office. Support WW's journalism today.