Naked Security

Clop ransomware suspects busted in Ukraine, money and motors seized, door hacked open with BFG

Victims in South Korea and the USA, suspects busted in Ukraine.

The 5-minute video is well worth watching.

You don’t need to be fluent in Ukrainian to understand the shouted command: “Open up, Police!”

There’s a moment of indecision, with the camera lingering on the sort of front door that looks a bit more rugged than yours or mine, during which you’re left wondering, “What happens if the suspects simply lie low and refuse to open the door?”

That question is answered when a burly copper steps up with a gasoline-powered cutting tool (what a gamer might call a BFG, short for Big Fearsome Grinder) and pulls enthusiastically on the starting cord to fire it up…

…at which point the door opens outwards, slowly and tentatively, and the raid is ON!

(At another property raid shown in the video, the suspects didn’t open up, and you get to see the BFG used to good effect against a reinforced door.)

According to the Ukrainian police, law enforcement officers conducted 21 searches in the capital and Kyiv region.

The video shows piles of cash being counted, bagged, logged and seized by police officers, along with laptops and desktops (many shown running the latest version of macOS, if you’ve ever wondered what computing devices a discerning alleged ransomware criminal might choose), dozens of mobile phones and several flash motors.

We saw a high-end Tesla, an AMG 63 and other vehicles getting hoisted onto tow-trucks for removal.

We didn’t know whether to expect to see a lot of cash, given that ransomware crooks take payment in cryptocurrency; nevertheless, the total seized was said by the police to be UAH5,000,000, which comes out at about $200,000.

Law enforcement officers from the South Korean police can be seen in the raid, acting in what looked like the capacity of observers, presumably because four Korean companies were listed by the Ukrainian police as victims in this case.

US law enforcement was also involved, with the Ukrainian report confirming that “[in] 2021, the defendants attacked and encrypted the personal data of employees and financial reports of Stanford University Medical School, the University of Maryland and the University of California.”

In other words, international co-operation can lead to suspects in cross-border cybercrimes being arrested and charged locally for attacks conducted against organisations overseas.

Here’s how the raids went down, because we know you want to watch what happened:
19 Comments

I think the Kremlin sacrificed a bit player, to make good news during the President’s meetings.


Great optics when viewed from the west but I’ll be interested to see what happens to the perps in the long run. Please follow this story so we can see the outcome.


My guess is they’ll ultimately be recruited by the Ukrainian government. The US does stuff like that. Bust ’em, then employ them.


Maybe. Maybe not. Running a ransomware-as-a-service biz doesn’t make you into a superhacker that might have the sort of skills that the government might find hard to get otherwise… in the same way that being able to drive well enough to escape once or twice in a car chase doesn’t make you into an elite driver.


I’m impressed; in particular, about using a camera to ensure that procedures and methods aren’t covered up by corrupt officials. I wish we did that. I have been reading some books, describing Italian corruption; and watching our government for the last 4 years.
Aside from that, the police seemed well organized. (But nobody got shot (: )


Paul, I’m not familiar with “flash motors”. Is that a term for a fancy car now?


The word “motor” is British and Commonwealth English that refers not only to the motor (engine) of an automobile but also, by metonymy (the figure of speech by which “suit” means “senior manager”), to the automobile itself.

And “flash”, indeed, means “fancy, especially in a visible way that critics might consider to be showing off.”

It’s by no means a *new* phrase – for all I know it might even be old hat by now – but it means just what you thought. The Ford Sierra RS Cosworth was *definitely* a flash motor – still is if there are any left that haven’t been crashed yet – and that came out 35 years ago.

If the stock engine in the car can reach 500bhp, like a 6.2 litre V8 AMG 63 (I assume the “63” was a marketing thing), then I would definitely say it qualifies as a “flash motor”. At that sort of level, both the engine and the car are fancy, so I guess you have a flash motor fitted with a flash motor.

A “pimped ride” or a “blingmobile” would not, on pimpage alone, qualify as a flash motor. There really needs to be some go along with the show.

(Side fact: apparently the modest-looking-on-paper 200bhp 4-cylinder “Cossie” used a Mustang gearbox, which you might imagine would be more than beefy enough for the job, but the gearbox needed modifications to handle the revvy performance of the RS, and standard gearboxes couldn’t take the pace. A car that can eat its big brother’s transmission is IMO a “flash motor” in all possible senses of the phrase.)


Thank you for the quick education. I liked learning something new, and now you make me miss my 1969 Plymouth VIP with a 383 engine.


At 3:31 an investigator locates a phone in the glove box and hands it to Grey Hoodie, who thumbs † through it in the next shot. I can’t be certain it was in the car unattended and unlocked; there’s an editing cut wherein Grey Hoodie could’ve handed the phone to Suspect Three to unlock it for them.

HOWEVER, assuming it was already unlocked:
Does that qualify as irony? I’m not quite certain.
Either way it’s amusing.

† har


I was surprised that they tried that phone immediately without handing it over to the person in an earlier part of the video who looked to have some sort of phone imaging setup.

OTOH, the person in the passenger seat didn’t do much except see if the phone was alive. I can imagine why you might take a quick look – if it *is* unlocked, then you probably want to shoot it to the top of the list of phones to analyse, keeping it unlocked in the interim; if it’s turned off, then you probably want to tag it “not to be turned on again until shielded”, in case someone else at one of the other search locations manages to issue a remote wipe command; if it’s locked and you think you have a suspect who has shown signs of co-operating, you probably want to get them to consent to an immediate unlock before they change their mind.

The car was about to be towed away, so I can see why they wouldn’t want to risk letting digital evidence that was inside it “go stale” while the car was on the back of the truck.

There certainly seemed to be plenty of “flash motor” car keys casually lying around on various desks at the places they raided, including several Merc Benz-looking ones (couple of Benzes, including the aforementioned AMG, along with the Tesla, in the tow-away shots).

As some commentators have already pondered: wonder if that Tesla was bought when the company was in its short-lived phase of Bitcoin enthusiasm :-)


I remember a time when most computers were embargoed from being sold in (what was) the USSR.

How times have changed!
