REvil’s darknet sites went offline on October 17 after unknown actors seized control of the group’s payment portal and data-leak blog.
A threat actor linked to the operators, going by the handle 0_neday, posted on the hacker forum XSS about the takeover of REvil’s onion domains.
“Since 12:00 MSK on October 17, someone brought up the hidden services for the landing page and blog with the same keys as ours; my concerns were confirmed,” wrote 0_neday.
A Tor hidden service is identified by a keypair: the .onion address is derived from the service’s public key, and the matching private key is what allows a server to publish descriptors for that address. The private key must therefore be accessible only to trusted administrators, because anyone who holds it can bring up the same .onion site on their own server, and visitors have no way to tell the two apart.
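To make the key-equals-identity point concrete, the following is an added example (not code from the article, from Tor, or from anyone involved in the incident) that derives a v3 .onion address from an ed25519 public key the way the Tor rendezvous specification lays it out (public key, then a two-byte SHA3-256 checksum, then the version byte 3, all base32-encoded), parses an address back and verifies its checksum, and reads the public key out of the 64-byte `hs_ed25519_public_key` file layout tor writes to a hidden service directory. The 32 key bytes and the key file are constructed for illustration and are not a real key; all function names are the example author’s own.

```python
import base64
import hashlib

ONION_V3_VERSION = 3
CHECKSUM_PREFIX = b".onion checksum"
# Header tor writes at the start of hs_ed25519_public_key: 29 ASCII bytes
# padded with NULs to 32 bytes, followed by the 32-byte ed25519 public key.
PUBKEY_FILE_HEADER = b"== ed25519v1-public: type0 ==".ljust(32, b"\x00")

# Constructed sample input: 32 arbitrary bytes standing in for a public key
# (not a valid curve point; the derivation below does not check that).
SAMPLE_PUBKEY = bytes(range(1, 33))
SAMPLE_KEYFILE = PUBKEY_FILE_HEADER + SAMPLE_PUBKEY


def onion_checksum(pubkey: bytes) -> bytes:
    """First two bytes of SHA3-256(".onion checksum" || pubkey || version)."""
    digest = hashlib.sha3_256(
        CHECKSUM_PREFIX + pubkey + bytes([ONION_V3_VERSION])
    ).digest()
    return digest[:2]


def onion_address(pubkey: bytes) -> str:
    """Derive the v3 .onion hostname; it is a pure function of the public key."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + onion_checksum(pubkey) + bytes([ONION_V3_VERSION])
    # 35 bytes = 280 bits = exactly 56 base32 characters, so no padding.
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def parse_onion_address(address: str) -> bytes:
    """Recover the public key from a v3 address, rejecting bad version/checksum."""
    name = address.lower()
    if name.endswith(".onion"):
        name = name[:-len(".onion")]
    if len(name) != 56:
        raise ValueError("not a v3 onion address")
    raw = base64.b32decode(name.upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34]
    if version != ONION_V3_VERSION:
        raise ValueError("unsupported onion address version")
    if checksum != onion_checksum(pubkey):
        raise ValueError("onion address checksum mismatch")
    return pubkey


def pubkey_from_keyfile(data: bytes) -> bytes:
    """Extract the key from tor's hs_ed25519_public_key on-disk layout."""
    if len(data) != 64 or data[:32] != PUBKEY_FILE_HEADER:
        raise ValueError("unexpected hs_ed25519_public_key layout")
    return data[32:]


def same_service(keyfile_a: bytes, keyfile_b: bytes) -> bool:
    """Two servers holding the same key material answer at the same address."""
    return onion_address(pubkey_from_keyfile(keyfile_a)) == onion_address(
        pubkey_from_keyfile(keyfile_b)
    )


if __name__ == "__main__":
    addr = onion_address(SAMPLE_PUBKEY)
    print(addr)
    assert parse_onion_address(addr) == SAMPLE_PUBKEY
    # A copy of the key directory on another host yields the identical address.
    print(same_service(SAMPLE_KEYFILE, bytes(SAMPLE_KEYFILE)))
```

Two things follow from the code. Nothing in the address ties it to a particular host or descriptor: the directory authorities never see the private key, so a copy of the hidden-service key directory (the `hs_ed25519_secret_key` file alongside the public one) is all that is needed to publish a descriptor that Tor clients will accept for the same address. And because every v3 address ends in the version byte 3, a valid v3 hostname always ends in `d`; that, plus the checksum, is the only integrity a client can check before connecting.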
Later, 0_neday reported that the group’s server had been compromised and that whoever organized the attack was targeting REvil specifically. He said he was halting all operations and told affiliates to contact him via Tox to obtain decryption keys, so they could continue extorting their victims on their own.
At the time of writing, it is not known who was behind the compromise of the group’s onion domains, though experts do not rule out involvement by the FBI or other law enforcement agencies.
Another possible explanation is an attempt by a REvil representative known by the handles Unknown and UNKN to regain control of the sites. After the ransomware operation was relaunched he disappeared and, according to rumors, was arrested, but what happened to him remains unclear.
Experts consider REvil, also known as Sodinokibi, to be one of the world’s largest ransomware groups. According to US authorities, the group carried out at least 15 attacks per month, and in 2020 its earnings exceeded $100 million.
On the night of July 13, 2021, REvil’s darknet sites suddenly went offline. Among them were Happy Blog, used to publish stolen victim data, and the portals used to negotiate ransom amounts and receive payments.
In September, REvil’s operators relaunched the sites from backups and began recruiting new affiliates.