Russian national with alleged Hive ransomware ties arrested in Paris

A Russian national suspected of possessing thousands of dollars stolen from the French victims of Hive ransomware was arrested in Paris last week.

While searching his phone, the police seized more than €570,000 (over $615,000) in cryptocurrency assets that he allegedly helped steal. According to police, the suspect served as a “banker” for Hive affiliates, helping them manage stolen funds.

Little was publicized about the suspect except that he is a Russian national, around 40 years old, and lives in Cyprus, according to reporting from French newspaper Le Figaro.

The criminal was identified "thanks to his activity on social networks" and was subsequently arrested and placed in police custody, according to Nicolas Guidoux, a French official responsible for fighting cybercrime at the Ministry of the Interior.

The international police also searched the suspect’s home in a Cypriot seaside resort and obtained "important" evidence for further investigation.

Before its infrastructure was shut down in January, Hive was used to compromise and encrypt data and computer systems of large tech and oil companies, as well as hospitals in Europe and the U.S. Since 2021, it targeted over 1,500 companies worldwide, who lost more than $100 million in ransom payments.

In France, Hive had nearly 60 victims, including the National School of Civil Aviation and several local government services and town halls.

Hive worked as “ransomware-as-a-service” with attacks executed by “affiliates” but the ransomware was created, maintained, and updated by its developers. When the victims paid, the ransom was then split between affiliates, who received 80%, and developers who received 20%.

During the operation against Hive in January, law enforcement identified the ransomware's decryption keys and shared them with many victims, helping them regain access to their data without paying the cybercriminals. This effort helped save $130 million in ransom payments.