The Mole: Criminal Hacker gang clash

Through its proprietary Threat Intelligence platform, Swascan’s SoC team has detected an interesting development in the continuously evolving cyber war scenarios in the international Cyber Crime landscape.

Spokesmen for LockBit and REvil accused the operator of the Dark Web Ramp forum of being an informer employed by the Russian law enforcement agencies.


In the increasingly complex geopolitical scenario of Ukraine and Russia, the Criminal Hackers are taking the lead.

In the space of a few weeks, Kiev has been subjected to numerous attacks targeting more than 60 government agencies, in an apparent attempt to create havoc and an even deeper climate of tension.

It has long been suspected that these attacks are carried out by criminal hacker groups linked to the Kremlin. Highly specialised and competent cybercriminals who divide their attentions between targeted attacks for profit – and thus constantly monitored by Swascan Threat Intelligence – and digital incursions that serve Moscow’s geopolitical objectives. All under the umbrella of complete immunity from the Russian authorities, the nation from which almost all of them operate and were operating.

This total immunity guaranteed by the Kremlin seems, however, to have been shattered by a recent series of arrests by the FSB, which completely cut off the backbone of one of the most prolific criminal hacker groups.

REvil, an organisation (or gang) of criminal hackers famous for the attack against the American company Kaseya, was in fact the target of a series of arrests that led to the conviction of 14 people in the first half of January this year. The arrests came after strong diplomatic pressure from the Biden government.

But this act, perhaps intended to defuse the tension between the two countries, already high over Crimea issues, has ignited a public war of words in the forums where representatives of these criminal hacker gangs operate.

The implications of Swascan’s OSINT analysis

A few hours after the arrests, in fact, the spokesman of the Lockbit gang – known for having attacked the French Ministry of Justice and the transalpine armaments giant Thales – publicly accused on the forum the spokesman of another forum – RAMP – known as KAJIT of being in fact in the service of the police and of having caused the fall of the notorious REVIL group. A sort of double game in an already very complex scenario.

LockBit’s J’Accuse from the day after REvil’s arrest

In the following conversation, REvil and LockBit discuss RED’s actions. According to the two, the third party had set up a series of ‘traps’ in which he recruited potential criminal hackers by means of decoys and then ‘sold’ the information on these cybercriminals to the Russian authorities.

An excerpt of conversation between REvil and LockBit


The LockBit warning


“Since REvil will probably never get in touch again, I am publishing part of his personal correspondence, without his consent, since he disappeared without a trace, most likely thanks to someone called RED\KAJIT, aka the ramp forum admin, who works for the police against ordinary people who earn their bread through infiltration and intelligence gathering…” explains Criminal Hacker LockBit.

The gang spokesman continued “On the merits of the matter, may I say the following, that you should not be so careless about your safety and anonymity, and hope that the Russian Federation will forever be reluctant to assist in the apprehension of international cyber criminals… “better move to live in another country, like China…”

Very serious accusations that in fact give rise to the theory that the arrest of the various members of the REvil gang may indeed have been the result of an operation triggered by international pressure.

This is a further turn of events involving international players on the geopolitical chessboard. It is difficult to draw conclusions at the moment, but what is certain is the revelation of a possible rift between the various groups operating in Russia.

Regardless, shortly afterwards, KAJIT, the alleged spy, was ‘banned’ from the forum where the accusations were made.

Vulnerability Report Emerson – Dixell XWEB-500 Multiple Vulnerabilities (CVE-2021-45420)
The Russian Doll Mechanism of Online Pharmacies

Cyber Incident Swascan Emergency

Contact us for immediate support

The undersigned, as data subject, DECLARES that I have read and understood the content of the privacy policy pursuant to Article 13, GDPR. AGREE to the processing of data in relation to the sending by the Data Controller of commercial and / or promotional communications relating to (i) own products / services, or (ii) products / services offered by third parties.
The consent given may be revoked at any time by contacting the Data Controller at the addresses provided in the aforementioned privacy policy.