CyberScoop
cyberscoop.com
Written by Matt Kapko
November 7, 2025
Aleksei Olegovich Volkov served as an initial access broker and was involved in attacks on seven U.S. businesses from July 2021 through November 2022.
A 25-year-old Russian national pleaded guilty to multiple charges stemming from their participation in ransomware attacks and faces a maximum penalty of up to 53 years in prison.
Aleksei Olegovich Volkov, also known as “chubaka.kor,” served as the initial access broker for the Yanluowang ransomware group while living in Russia from July 2021 through November 2022, according to court records. Prosecutors accuse Volkov and unnamed co-conspirators of attacking seven U.S. businesses during that period, including two that paid a combined $1.5 million in ransoms.
The victims, which included an engineering firm and a bank, said executives received harassing phone calls and their networks were hit with distributed denial of service attacks after their data was stolen and encrypted by Yanluowang ransomware operators.
Cisco wasn’t named in the court filings for Volkov’s case, but the enterprise networking and security vendor said it was impacted by an attack attributed to Yanluowang ransomware in May 2022. Cisco linked the attack to an initial access broker who had ties to UNC2447, Lapsus$ and Yanluowang ransomware operators.
Volkov identified targets, exploited vulnerabilities in their systems, and shared access with co-conspirators for a flat fee or percentage of the ransom paid by the victim, according to prosecutors.
Some of Volkov’s alleged victims were unable to function normally without access to their data and had to temporarily shut down operations in the wake of the attacks. Prosecutors said the total amount demanded in ransoms from all seven victims was $24 million.
The FBI said it traced cryptocurrency transactions related to the payments to accounts reportedly owned by Volkov and a co-conspirator, “CC-1,” who was residing in Indianapolis at the time.
Blockchain analysis allowed the FBI to confirm Volkov’s identity and uncover multiple accounts they used to communicate with co-conspirators about ransomware attacks, payments and splitting illicit proceeds from their criminal activities, according to court records.
Volkov, who is also identified as Aleskey Olegovich Volkov in the unsealed indictment, was arrested Jan. 18, 2024, in Rome, where they were living at the time. Volkov was later extradited to the United States and remains in custody in Indiana.
Volkov previously filed an intention to plead guilty in April in the U.S. District Court for the Eastern District of Pennsylvania and agreed to have their case transferred to the U.S. District Court for the Southern District of Indiana.
Volkov pleaded guilty to six charges Oct. 29, including unlawful transfer of a means of identification, trafficking in access information, access device fraud, aggravated identity theft, conspiracy to commit computer fraud and conspiracy to commit money laundering. Court Watch was the first to report on Volkov’s guilty plea.
The plea agreement, which was filed Monday, did not include an agreed upon sentence, but Volkov is required to pay a combined restitution of nearly $9.2 million to the seven victims. Volkov’s attorney did not respond to a request for comment.
CyberScoop
cyberscoop.com
Written by Matt Kapko
November 13, 2025
The newspaper said a “bad actor” contacted the company in late September, prompting an investigation that nearly a month later confirmed the extent of compromise.
The Washington Post said it, too, was impacted by the data theft and extortion campaign targeting Oracle E-Business Suite customers, which compromised human resources data on nearly 10,000 current and former employees and contractors.
The company was first alerted to the attack and launched an investigation when a “bad actor” contacted the media company Sept. 29 claiming they gained access to the company’s Oracle applications, according to a data breach notification it filed in Maine Wednesday. The Washington Post later determined the attacker had access to its Oracle environment from July 10 to Aug. 22.
The newspaper is among dozens of Oracle customers targeted by the Clop ransomware group, which exploited a zero-day vulnerability affecting Oracle E-Business Suite to steal heaps of data. Other confirmed victims include Envoy Air and GlobalLogic.
The Washington Post said it confirmed the extent of data stolen during the attack on Oct. 27, noting that personal information on 9,720 people was exposed, including names, bank account numbers and routing numbers, and Social Security numbers. The company didn’t explain why it took almost a month to determine the amount of data stolen and has not responded to multiple requests for comment.
Oracle disclosed and issued a patch for the zero-day vulnerability — CVE-2025-61882, affecting Oracle E-Business Suite — in a security advisory Oct. 4, and previously said it was aware some customers had received extortion emails. Mandiant, responding to the immediate fallout from the attacks, said Clop exploited multiple vulnerabilities, including the zero-day, to access and steal large amounts of data from Oracle E-Business Suite customer environments.
Oracle, its customers and third-party researchers were not aware of the attacks until executives of alleged victim organizations received extortion emails from members of Clop demanding payment in late September. Cynthia Kaiser, senior vice president of Halcyon’s ransomware research center, previously told CyberScoop ransom demands reached up to $50 million.
Clop’s data-leak site included almost 30 alleged victims as of last week. The notorious ransomware group has threatened to leak alleged victims’ data unless it receives payment.
The ransomware group has intruded into multiple technology vendors’ systems before, allowing it to steal data and extort many downstream customers. Clop specializes in exploiting vulnerabilities in file-transfer services and achieved mass exploitation in 2023 when it infiltrated MOVEit environments, ultimately exposing data from more than 2,300 organizations.
thephuketnews.com
By The Phuket News
Friday 14 November 2025 10:13 AM
PHUKET: Multiple international outlets are reporting that the 35-year-old Russian man arrested in Phuket by Thai cyber police earlier this week is likely GRU military intelligence officer Aleksey Lukashev.
The Cyber Crime Investigation Bureau (CCIB) confirmed the arrest on Wednesday (Nov 12), following a coordinated investigation with the FBI, Phuket Immigration, Region 8 Crime Suppression Division, Phuket Provincial Police, the Tourist Police Bureau, the Police Forensic Science Office, and the Office of the Attorney General.
Local Phuket agencies have not posted any reports of the arrest.
According to the CCIB report, Thai authorities were alerted to Lukashev’s presence after CCIB Commissioner Pol Lt Gen Surapol Prembut received intelligence from the FBI that a “world-class hacker” – previously linked to cyberattacks on government institutions in Europe and the US – had entered Thailand and was hiding in Phuket.
The man arrived at Phuket International Airport on Oct 30, 2025, and checked into a hotel in Thalang, said the report. Of note, Thalang District covers the entire north half of the island and includes areas such as Bang Tao and Cherng Talay.
An investigation team from Phuket Immigration tracked his movements before coordinating with prosecutors to issue an arrest warrant under the Extradition Act of 2008, said the CCIB report.
A Criminal Court search warrant was then executed at the hotel, where officers seized laptops, mobile phones and “digital wallets” for forensic examination.
FBI agents were present as observers. The suspect has been formally charged as a person requested for extradition by the United States and has been handed over to the Office of the Attorney General for the formal extradition process, the report noted.
Since then, UK media outlet ‘The Sun US’ has reported that Thai police have likely detained GRU officer Aleksey Lukashev, linking him to two high-profile operations: the hacking of Hillary Clinton’s 2016 presidential campaign and the GRU operation surrounding the Skripal Novichok poisonings.
The report notes that blurred images from the arrest show a strong resemblance to the FBI’s wanted notice for Lukashev, and that FBI personnel were present in Phuket during the operation.
Lukashev, a senior lieutenant in Russia’s GRU Unit 26165 (also known as APT28 or ‘Fancy Bear’), is accused of:
hacking computers belonging to US political organisations during the 2016 election
phishing the email account of Hillary Clinton’s campaign chairman John Podesta
involvement in cyber activity linked to the Skripal case
conducting attacks on government bodies across Europe and the US
Lukashev appears on the FBI’s Most Wanted list and is under UK sanctions.
Overnight, Russia-based investigative outlet ‘The Insider’ independently reported that only one GRU hacker on the FBI’s wanted list matches the age released by Thai police – Aleksey Viktorovich Lukashev.
According to The Insider:
Lukashev, born in Murmansk, is wanted in the US for conspiracy to commit computer intrusions, identity theft, domain fraud, and money laundering.
He used multiple aliases, including ‘Den Katenberg’ and ‘Yuliana Martynova’.
A US federal court issued a warrant for his arrest in 2018.
The hacker group he worked with, APT28/Fancy Bear, has been linked to attacks on the White House, NATO, the IOC, WADA, the German Bundestag, and ministries across Europe.
The same group also targeted Russian opposition figures, NGOs and journalists, including reporters from The Insider.
OPERATION 293
As part of the wider ‘Operation 293’, Thai cyber police also reported seizing digital assets linked to the suspect.
Investigators said malware linked to the man had stolen authentication keys and crypto trading credentials from Thai victims. More than B14 million in cryptocurrency was recovered and returned in cooperation with Tether and Thai exchange Bitkub. At least six Thai victims were identified with total losses exceeding 100,000 USDT.
CCIB in its report stressed that the arrest was made under Thailand’s extradition law rather than through immigration offences or visa cancellation.
The suspect remains in custody and has not been publicly named as the investigation is ongoing.
The CCIB in its report said the case marked a significant step in expanding operational cooperation with the FBI in the global fight against transnational cybercrime.
Ars Technica
arstechnica.com
Dan Goodin – November 14, 2025 13:20
The results of AI-assisted hacking aren’t as impressive as many might have us believe.
Researchers from Anthropic said they recently observed the “first reported AI-orchestrated cyber espionage campaign” after detecting China-state hackers using the company’s Claude AI tool in a campaign aimed at dozens of targets. Outside researchers are much more measured in describing the significance of the discovery.
Anthropic published the reports on Thursday here and here. In September, the reports said, Anthropic discovered a “highly sophisticated espionage campaign,” carried out by a Chinese state-sponsored group, that used Claude Code to automate up to 90 percent of the work. Human intervention was required “only sporadically (perhaps 4-6 critical decision points per hacking campaign).” Anthropic said the hackers had employed AI agentic capabilities to an “unprecedented” extent.
“This campaign has substantial implications for cybersecurity in the age of AI ‘agents’—systems that can be run autonomously for long periods of time and that complete complex tasks largely independent of human intervention,” Anthropic said. “Agents are valuable for everyday work and productivity—but in the wrong hands, they can substantially increase the viability of large-scale cyberattacks.”
“Ass-kissing, stonewalling, and acid trips”
Outside researchers weren’t convinced the discovery was the watershed moment the Anthropic posts made it out to be. They questioned why these sorts of advances are often attributed to malicious hackers when white-hat hackers and developers of legitimate software keep reporting only incremental gains from their use of AI.
“I continue to refuse to believe that attackers are somehow able to get these models to jump through hoops that nobody else can,” Dan Tentler, executive founder of Phobos Group and a researcher with expertise in complex security breaches, told Ars. “Why do the models give these attackers what they want 90% of the time but the rest of us have to deal with ass-kissing, stonewalling, and acid trips?”
Researchers don’t deny that AI tools can improve workflow and shorten the time required for certain tasks, such as triage, log analysis, and reverse engineering. But the ability for AI to automate a complex chain of tasks with such minimal human interaction remains elusive. Many researchers compare advances from AI in cyberattacks to those provided by hacking tools such as Metasploit or SEToolkit, which have been in use for decades. There’s no doubt that these tools are useful, but their advent didn’t meaningfully increase hackers’ capabilities or the severity of the attacks they produced.
Another reason the results aren’t as impressive as they’re made out to be: The threat actors—which Anthropic tracks as GTG-1002—targeted at least 30 organizations, including major technology corporations and government agencies. Of those, only a “small number” of the attacks succeeded. That, in turn, raises questions. Even assuming so much human interaction was eliminated from the process, what good is that when the success rate is so low? Would the number of successes have increased if the attackers had used more traditional, human-involved methods?
According to Anthropic’s account, the hackers used Claude to orchestrate attacks using readily available open source software and frameworks. These tools have existed for years and are already easy for defenders to detect. Anthropic didn’t detail the specific techniques, tooling, or exploitation that occurred in the attacks, but so far, there’s no indication that the use of AI made them more potent or stealthy than more traditional techniques.
“The threat actors aren’t inventing something new here,” independent researcher Kevin Beaumont said.
Even Anthropic noted “an important limitation” in its findings:
Claude frequently overstated findings and occasionally fabricated data during autonomous operations, claiming to have obtained credentials that didn’t work or identifying critical discoveries that proved to be publicly available information. This AI hallucination in offensive security contexts presented challenges for the actor’s operational effectiveness, requiring careful validation of all claimed results. This remains an obstacle to fully autonomous cyberattacks.
How (Anthropic says) the attack unfolded
Anthropic said GTG-1002 developed an autonomous attack framework that used Claude as an orchestration mechanism that largely eliminated the need for human involvement. This orchestration system broke complex multi-stage attacks into smaller technical tasks such as vulnerability scanning, credential validation, data extraction, and lateral movement.
“The architecture incorporated Claude’s technical capabilities as an execution engine within a larger automated system, where the AI performed specific technical actions based on the human operators’ instructions while the orchestration logic maintained attack state, managed phase transitions, and aggregated results across multiple sessions,” Anthropic said. “This approach allowed the threat actor to achieve operational scale typically associated with nation-state campaigns while maintaining minimal direct involvement, as the framework autonomously progressed through reconnaissance, initial access, persistence, and data exfiltration phases by sequencing Claude’s responses and adapting subsequent requests based on discovered information.”
The attacks followed a five-phase structure that increased AI autonomy through each one.
The life cycle of the cyberattack, showing the move from human-led targeting to largely AI-driven attacks using various tools, often via the Model Context Protocol (MCP). At various points during the attack, the AI returns to its human operator for review and further direction. Credit: Anthropic
The attackers were able to bypass Claude guardrails in part by breaking tasks into small steps that, in isolation, the AI tool didn’t interpret as malicious. In other cases, the attackers couched their inquiries in the context of security professionals trying to use Claude to improve defenses.
As noted last week, AI-developed malware has a long way to go before it poses a real-world threat. There’s no reason to doubt that AI-assisted cyberattacks may one day produce more potent attacks. But the data so far indicates that threat actors—like most others using AI—are seeing mixed results that aren’t nearly as impressive as those the AI industry claims.
bbc.com
Joe Tidy
Cyber correspondent, BBC World Service
One of the world's most prominent cyber-criminals speaks to the BBC in an exclusive interview.
After years of reading about "Tank" and months of planning a visit to him in a Colorado prison, I hear the door click open before I see him walk into the room.
I stand up ready to give this former cyber-crime kingpin a professional hello. But, like a cheeky cartoon character, he pokes his head around a pillar with a giant grin on his face and winks.
Tank, whose real name is Vyacheslav Penchukov, climbed to the top of the cyber-underworld not so much with technical wizardry, but with criminal charm.
"I am a friendly guy, I make friends easily," the 39-year-old Ukrainian says, with a broad smile.
Having friends in high places is said to be one of the reasons Penchukov managed to evade police for so long. He spent nearly 10 years on the FBI's Most Wanted list and was a leader of two separate gangs in two distinct periods of cyber-crime history.
It is rare to speak to such a high-level cyber-criminal who has left so many victims behind him; Penchukov spoke to us for six hours over two days as part of the ongoing podcast series Cyber Hack: Evil Corp.
The exclusive interview - Penchukov's first ever - reveals the inner workings of these prolific cyber-gangs, the mindset of some of the individuals behind them and never-before-known details about hackers still at large - including the alleged leader of the sanctioned Russian group, Evil Corp.
It took more than 15 years for authorities to finally arrest Penchukov in a dramatic operation in Switzerland in 2022.
"There were snipers on the roof and the police put me on the ground and handcuffed me and put a bag on my head on the street in front of my kids. They were scared," he recalls with annoyance.
He is still bitter about how he was arrested, arguing that it was over the top. His thousands of victims around the world would strongly disagree with him: Penchukov and the gangs he either led or was a part of stole tens of millions of pounds from them.
In the late 2000s, he and the infamous Jabber Zeus crew used revolutionary cyber-crime tech to steal directly from the bank accounts of small businesses, local authorities and even charities. Victims saw their savings wiped out and balance sheets upended. In the UK alone, there were more than 600 victims, who lost more than £4m ($5.2m) in just three months.
Between 2018 and 2022, Penchukov set his sights higher, joining the thriving ransomware ecosystem with gangs that targeted international corporations and even a hospital.
Englewood Correctional Facility, where Penchukov is being held, would not let us take any recording equipment inside the prison, so a producer and I make notes during the interview as we are watched over by a guard nearby.
The first thing that stands out about Penchukov is that, although he is eager to be released, he seems in high spirits and is clearly making the most of his time in prison. He tells me he plays a lot of sport, is learning French and English - a well-thumbed Russian-English dictionary stays by his side throughout our interview - and is racking up high-school diplomas. He must be smart, I suggest. "Not smart enough - I'm in prison," he jokes.
Englewood is a low-security prison with good facilities. The low-rise but sprawling building sits in the foothills of the Rocky Mountains in Colorado. The dusty grass verges surrounding the prison are teeming with noisy prairie dogs scurrying into their burrows whenever disturbed by prison vehicles coming and going.
It is a long way from Donetsk, Ukraine, where he ran his first cyber-crime gang after falling into hacking through games cheat forums, where he would look for cheats for his favourite video games like Fifa 99 and Counterstrike.
He became the leader of the prolific Jabber Zeus crew - so named because of their use of the revolutionary Zeus malware and their favourite communication platform, Jabber.
Penchukov worked with a small group of hackers that included Maksim Yakubets - a Russian who would go on to be sanctioned by the US government, accused of leading the infamous cyber-group Evil Corp.
Penchukov says that throughout the late 2000s, the Jabber Zeus crew would work out of an office in the centre of Donetsk, putting in six to seven-hour days stealing money from victims overseas. Penchukov would often end his day with a DJ set in the city, playing under the name DJ Slava Rich.
Cyber-crime in those days was "easy money", he says. The banks had no idea how to stop it and police in the US, Ukraine and the UK could not keep up.
In his early 20s, he was making so much money he bought himself "new cars like they were new clothes". He had six in total - "all expensive German ones".
But police got a breakthrough when they managed to eavesdrop on the criminals' text chats in Jabber and discovered the true identity of Tank using details he had given away about the birth of his daughter.
The net closed in on the Jabber Zeus crew, and an FBI-led operation called Trident Breach saw arrests in Ukraine and the UK. But Penchukov slipped through the net thanks to a tip-off from someone he will not name. And thanks to one of his fast cars.
"I had an Audi S8 with a 500-horsepower Lamborghini engine so when I saw the cops flashing lights in my rear view mirror, I jumped the red light and lost them easily. It gave me a chance to test the full power of my car," he says.
He laid low with a friend for a while, but when the FBI left Ukraine, the local authorities seemed to lose interest in him.
So Penchukov kept under the radar and, he says, went straight. He started a company buying and selling coal, but the FBI was still on the trail.
"I was on holiday in Crimea when I got a message from a friend who saw that I had been put on the FBI Most Wanted list. I thought I had got away with it all - then I realised I have a new problem," he says, an obvious understatement.
His lawyer at the time was calm, though, and advised him not to worry: as long as he did not travel outside of Ukraine or Russia, US police could not do much.
The Ukrainian authorities did eventually come knocking - but not to arrest him.
Penchukov had been outed as a wealthy hacker wanted by the West and he alleges that almost every day, officials would come and shake him down for money.
His coal-selling business was going well until Russia's invasion of Crimea in 2014. President Putin's so-called "Little Green Men" - Russian soldiers in unmarked uniforms - ruined his business and missiles struck his apartment in Donetsk, damaging his daughter's bedroom.
Penchukov says that it was business troubles and the constant payouts to Ukrainian officials that led him to once again fire up his laptop and get back into the cyber-crime life.
"I just decided it was the fastest way to make money to pay them," he says.
His journey charts the evolution of modern cyber-crime - from quick and easy bank account theft to ransomware, today's most pernicious and damaging type of cyber-attack used in high-profile hacks this year, including on UK High Street stalwart Marks & Spencer.
He says ransomware was harder work but the money was good. "Cyber-security had improved a lot, but we were able to make about $200,000 a month. Much higher profits."
In a revealing anecdote, he remembers rumours that started about a crew being paid $20m (£15.3m) from a hospital that had been crippled by ransomware.
Penchukov says the news fired up the hundreds of hackers in the criminal forums who all then went after US medical institutions to repeat the pay day. These hacker communities have a "herd mentality", he says: "People don't care about the medical side of things - all they see is 20 millions being paid."
Penchukov rebuilt his connections and skills to become one of the top affiliates of ransomware services, including Maze, Egregor and the prolific group Conti.
When asked if these criminal groups worked with Russian security services - a regular accusation from the West - Penchukov shrugs and says: "Of course." He says that some ransomware gang members sometimes talked about speaking to "their handlers" in the Russian security services, like the FSB.
The BBC wrote to the Russian Embassy in London, asking if the Russian government or its intelligence agencies engaged with cyber criminals to aid cyber espionage, but received no reply.
Penchukov soon rose to the top again and became a leader of IcedID - a gang that infected more than 150,000 computers with malicious software and led to various types of cyber-attack, including ransomware. Penchukov was in charge of a team of hackers who would sift through the infected computers to work out how best to make money from them.
One victim they infected with ransomware in 2020 was the University of Vermont Medical Center in the US. According to US prosecutors, this led to the loss of more than $30m (£23m) and left the medical centre unable to provide many critical patient services for more than two weeks.
Although no-one died, prosecutors say the attack, which disabled 5,000 hospital computers, created a risk of death or serious injury to patients. Penchukov denies he actually did it, claiming he only admitted to it in order to reduce his sentence.
Overall, Penchukov, who has since changed his surname to Andreev, feels the two nine-year sentences he is serving concurrently are too much for what he did (he is hoping to get out much sooner). He has also been ordered to pay $54m (£41.4m) in restitution to victims.
His view as a young hacker who started in cyber-crime as a teenager is that Western companies and people could afford to lose money and that everything was covered by insurance anyway.
But when I speak to one of his early victims from the Jabber Zeus days, it is clear his attacks did have a harmful impact on innocent people.
Lieber's Luggage, a family-run business in Albuquerque, New Mexico, had $12,000 (£9,200) stolen in one swipe by the gang. Owner Leslee still recalls the shock years later.
"It was just disbelief and horror when the bank called because we had no idea what had happened, and the bank clearly didn't have any idea," she says.
While a modest sum, it was devastating for the business, as the money was used for paying rent, buying merchandise and paying staff.
They did not have any savings to fall back on and, to make matters worse, Leslee's elderly mother was in charge of the company accounts and she blamed herself until the theft was uncovered.
"We had all of those feelings, the anger, the frustration, the fear," she says.
When I ask them what they would like to say to the hackers responsible, they think it is futile to try to change the minds of these callous criminals.
"There's nothing that we could say that would affect him," Leslee says.
"I wouldn't give him the time of day," her husband Frank adds.
Penchukov says he did not think about the victims, and he does not seem to do so much now, either. The only sign of remorse in our conversation was when he talked about a ransomware attack on a disabled children's charity.
His only real regret seems to be that he became too trusting with his fellow hackers, which ultimately led to him and many other criminals being caught.
"You can't make friends in cyber-crime, because the next day, your friends will be arrested and they will become an informant," he says.
"Paranoia is a constant friend of hackers," he says. But success leads to mistakes.
"If you do cyber-crime long enough you lose your edge," he says, wistfully.
As if to highlight the disloyal nature of the cyber underworld, Penchukov says he deliberately avoided any further contact with his one-time Jabber Zeus collaborator and friend Maksim Yakubets after the Russian was outed and sanctioned in 2019 by Western authorities.
Penchukov says that he noticed a distinct change in the hacker community as people shunned working with Yakubets and many of his alleged Evil Corp associates.
Previously Penchukov and "Aqua", as Yakubets was known, had hung out in Moscow drinking and eating in luxury restaurants. "He had bodyguards, which I thought was strange - almost like he wanted to show off his wealth or something," he says.
Being ostracised from the cyber crime world did not deter Evil Corp though and last year, the UK's National Crime Agency accused other members of the Yakubets family of being involved in the decade-long crime spree, sanctioning 16 members of the organisation in total.
But unlike Penchukov, the chances of police collaring him or others in the gang seem low. With a $5m bounty out for information leading to his arrest, Yakubets and his alleged co-conspirators are unlikely to repeat Penchukov's mistake of leaving their country.