Armenia Detains Russian Tourist on U.S. Warrant for REvil Hacker, Lawyers Say Wrong Man
Armenia detains Russian tourist mistakenly identified as REvil ransomware operator Aleksandr Ermakov.
Summary
Armenian authorities detained Aleksandr Yuryevich Ermakov, a Russian tourist, on June 28 based on a U.S. extradition warrant intended for Aleksandr Gennadievich Ermakov, a sanctioned REvil ransomware operator linked to the Medibank breach. Ermakov's lawyers claim U.S. authorities confused the two men due to missing patronymic information in official documentation, and argue standard verification methods like fingerprints or full passport data were never used. The detained man is a former prison-service lawyer from Omsk who does not speak English and is being held on a 30-day Interpol detention order.
Full text
Armenia Detains Russian Tourist on U.S. Warrant for REvil Hacker, Lawyers Say Wrong Man Swati KhandelwalJul 17, 2026Ransomware / Law Enforcement Armenia has held a Russian tourist named Aleksandr Ermakov in a detention center since June 28, on a U.S. extradition request for a REvil ransomware suspect named Aleksandr Ermakov. His wife, Maria Yurova, told REN TV that border officers pulled him out of the departure hall at Yerevan's Zvartnots airport, held up a phone with a photo of him off his VKontakte page, and walked him into a side room. His lawyers say Washington has the wrong man. The Ermakov the U.S. wants is Aleksandr Gennadievich Ermakov, sanctioned by Australia, the US, and the UK in January 2024 for stealing 9.7 million records from Medibank Private, one of Australia's largest private health insurers, and dumping some on the dark web. He is also serving a two-year Russian sentence that bars him from leaving the country, according to TASS and to case files two Russian outlets say they have read. The man in the Armenian cell, his lawyers say, is Aleksandr Yuryevich Ermakov, from Omsk, a former prison-service lawyer who does not speak English. Ermakov is accused of taking part in Sodinokibi/REvil attacks from roughly April 2019 to July 12, 2021, with more than 1,000 victims among private companies, law enforcement, government offices, schools, and hospitals, some in the Northern District of Texas. That comes from the US charging document, which RIA Novosti says it holds. The Interpol notice built on it, which Izvestia says it has, goes further: one of the platform's administrators, with a take of over $13.7 million. Channel Five dates the warrant to that district's federal court, June 26, two days before the arrest. Medibank was hacked in October 2022, fifteen months after that window closes, and the US has never announced a charge against Ermakov over it. Treasury's designation put him at REvil's edge, an actor "believed to be linked" to the gang. The notice puts him at its center. That court has seen REvil before: DOJ charged Yevgeniy Polyanin there in 2021 over Sodinokibi/REvil attacks on Texas businesses and government entities on or about August 16, 2019. Russian passports carry a patronymic, and it is the field that tells one Aleksandr Ermakov from the next. Australia's consolidated list has it: Aleksandr Gennadievich Ermakov, born 16 May 1990. The UK's entry has it. OFAC's does not. The SDN record runs: ERMAKOV, Aleksandr, Moscow, DOB 16 May 1990, male, one Yandex address, four handles (blade_runner, GistaveDore, GustaveDore, JimJones). Given name, surname, nothing in between. What the Interpol notice itself carries is not public. Dylan Rajavi, one of the detained man's lawyers, told Izvestia the defense's working theory is that the U.S. paperwork carried a given name and a surname, no more, and an automated check did the rest. He also said there are standard ways to settle who someone is, fingerprints or full passport data, and that neither has been produced. "There is only an arrest warrant," he said. That is the defense's account, not a finding. Armenian authorities have said nothing, the Justice Department has announced no charges, and none of the Russian outlets holding the documents says how it got them. Nor are there as many outlets as they look: Izvestia, REN TV, and Channel Five all sit under National Media Group, and Izvestia's newsroom has supplied the news for the other two since 2017. The man is being held on a 30-day Interpol detention order while Moscow asks Yerevan for consular access. Where the Name Came From Australia's signals directorate and federal police spent 18 months on Operation Aquila before naming him. And the chain from the sanctioned Ermakov to SugarLocker does not run through Russian state media. Once Australia published the nicknames, Intel 471 went back through years of collected forum data. SHTAZI and shtaziIT were among Ermakov's handles, it reported, and his alias JimJones had spent 2019 and 2020 on the Exploit forum hawking malware development and a dev shop called Shtazi-IT. A month later, Russian police said they had rolled up the SugarLocker ransomware crew operating behind Shtazi-IT, with @GustaveDore sitting in the contact field of its developer job ads. A US vendor and Russia's interior ministry reached the same shopfront from opposite ends. In October 2024, a Moscow court gave Ermakov two years of restriction of freedom under Article 273(2), Russia's malware statute, for co-writing SugarLocker and selling it to a buyer with a Tor control panel attached. Case material seen by Izvestia says he pleaded guilty, and the case ran through Russia's summary procedure. "Ermakov was sentenced to 2 years of restriction of freedom," a law enforcement source told state agency TASS on Thursday. The term has not run out. Armenia's court still has to decide whether to put the other Ermakov on a plane to Dallas, and his brother told RIA on Friday the family expects it to go through. Two and a half years of sanctions, an 18-month intelligence operation, and a new U.S. warrant have, between them, put exactly one Aleksandr Ermakov in a cell, and his lawyers say it is the wrong one. The Ermakov warrant name is at home, reporting once a month to the prison service that the man in the cell spent his career working for. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE Tweet Share Share Share SHARE cyber law, Cybercrime, dark web, data breach, Government security, Healthcare Security, law enforcement, Malware, ransomware, Threat Intelligence ⚡ Top Stories This Week 16-Year-Old Linux KVM Flaw Lets Guest VMs Escape to Host on Intel and AMD x86 Systems BeyondTrust Patches Critical Auth Bypass Flaws in Remote Support and PRA Court Filing Reveals Windows Device ID Helped FBI Trace Alleged Scattered Spider Hacker Rogue Agent Flaw Could Have Let Attackers Hijack Google Dialogflow CX Chatbots RedWing MaaS Packages Android Bank Fraud as a Telegram Rental Service 15-Year-Old GhostLock Flaw Enables Root and Container Escape on Most Linux Distros GitHub Copilot Refuses Harmful Requests in Chat, Then Writes Them in Code New HalluSquatting Attack Could Trick AI Coding Assistants Into Installing Botnet Malware GhostApproval Symlink Flaws Could Let Malicious Repos Run Code in AI Coding Agents Top AI Agents Built to Catch Malicious Code Can Be Tricked Into Running It Meta's New AI Image Tool Lets Others Use Your Public Instagram Photos in AI Images ThreatsDay: Cloud Bucket Hijacking, Windows LPE Chain, Global Fraud Bust + 17 More Stories Dormant GitHub Accounts Help Attackers Blend In While Mapping Corporate Orgs Attackers Exploit 'Ill Bloom' Vulnerability to Drain Over $5 Million From Cryptocurrency Wallets Unpatched XRING Flaw in XQUIC Lets Remote Clients Crash HTTP/3 Servers Researcher Details WhatsApp-to-Host Attack Chain Using Three OpenClaw Flaws New TrojPix Attack Leaks Data From Air-Gapped Systems via Video Cable Emissions Unpatched Flaws Disclosed in Filesystem Bundled Into Millions of Embedded Devices New "Bad Epoll" Linux Kernel Flaw Lets Unprivileged Users Gain Root, Hits Android Google Disrupts NetNut Residential Proxy Network Spanning 2 Million Home Devices European Parliament Member Investigating Spyware Was Hacked With Pegasus ⭐ Featured Resources What 200+ Security Teams Reveal About Using IP Intelligence in 2026 Get Hands-On SANS Training for Today’s Cyber Defense and Offensive Security Challenges See What’s Really Exposed Across Your IT, OT, IoT, Cloud, and Mobile Assets Get Gartner’s Guide to AI Agent Supervision and Runtime Controls
Indicators of Compromise
- malware — REvil/Sodinokibi