The US authorities accused six Russians of hacker attacks commissioned by the Russian authorities. They used bitcoins to pay for servers and domain names.
According to an indictment published by the US Attorney's Office, Russian pro-government hackers used bitcoins to pay for the infrastructure needed for attacks, servers and domain names. The lawsuit lists the names of six Russians allegedly working for pro-government hacker groups. The targets of their attacks were political campaigns in other countries such as Ukraine, Georgia, France, and the 2018 Winter Olympics. These six men, per the indictment, were involved in a number of high-profile cyberattacks with targets including the Ukrainian energy system and Ukrainian Ministry of Finance, as well as they were responsible for phishing attacks on the election headquarters of Emmanuel Macron during his election campaign in 2017, non-profit organizations and private companies in Georgia in 2018 and 2019.
According to the lawsuit, the hackers are associated with the Russian military unit 74455, subordinate to the Main Intelligence Directorate (GRU).
The indictment contains the following names: Yuriy Andrienko, Sergey Detistov, Pavel Frolov, Anatoliy Kovalev, Artem Ochichenko, Petr Pliskin. All of them were officers of the GRU, the US prosecutor's office believes.
The prosecutor's office also claims that it is Russian hackers who are responsible for the NotPetya attack in 2017, which caused billions of dollars in damage to many organizations around the world. NotPetya is a version of the bitcoin ransomware Petya. Unlike Petya, NotPetya does no suppose the ability to decrypt and recover data after paying the ransom.
According to the lawsuit, the defendants paid for servers and domain names with cryptocurrencies and often purchased services from resellers, rather than directly from hosting sites, which included companies registered in the United States. For conspiracy purposes, they used many accounts registered under fictitious names.
According to Bellingcat's investigation, the three of the six indicted hackers registered their vehicles to the same address in Moscow, Svobody 21В [referring the the Russian “в”, the third letter of the alphabet, not the English “b”]. Conducting a wider search by an address on the same leaked Moscow vehicle registration database, Bellingcat found dozens of other people — all born between 1978 and 1998 — who registered their vehicles to the same Svobody 21 address. In some cases, the address mentioned looked like Svobody 21 В Ч or Svobody 21 ВЧ. This abbreviation likely refers to the Russian abbreviation for “military unit” — в/ч (войсковая часть or voyskovaya chast’).