Successful collaboration between the RCMP and the FBI leads to guilty plea and forfeiture of over $34 Million in assets

Gatineau, Quebec – On January 7, 2022, Sebastien Vachon Desjardins was charged with numerous criminal offences in relation to his activity as part of the Netwalker Ransomware Group. As a result of an extensive investigation, in collaboration with the Federal Bureau of Investigation (FBI), the RCMP charged Mr. Vachon Desjardins with the following:

Mischief in relation to computer data, contrary to Section 430(5)(a) of the Criminal Code

Unauthorized use of a computer, contrary to Section 342.1(1)(a) of the Criminal Code

Extortion, contrary to Section 346(1.1)(b) of the Criminal Code

Participating in a criminal organization, contrary to Section 467.11(1)(a) of the Criminal Code

(RCMP Photo 1 of 3) Canadian currency seized by the RCMP during the investigation. The RCMP also seized numerous computing devices and 719 Bitcoin.
(RCMP Photo 1 of 3) Canadian currency seized by the RCMP during the investigation. The RCMP also seized numerous computing devices and 719 Bitcoin.
(RCMP Photo 2 of 3) Canadian currency seized by the RCMP during the investigation.
(RCMP Photo 2 of 3) Canadian currency seized by the RCMP during the investigation.
(RCMP Photo 3 of 3) Computing devices used by Mr. Vachon Desjardins in the ransomware scheme to target Canadian companies.
(RCMP Photo 3 of 3) Computing devices used by Mr. Vachon Desjardins in the ransomware scheme to target Canadian companies.

The RCMP investigation began in August 2020, when the RCMP received information and a request from the FBI to assist in the identification of a suspect in their NetWalker ransomware investigation. The FBI provided the RCMP with significant evidence, allowing them to begin an independent investigation into the suspect for any criminal activity that may have been conducted against Canadian businesses, institutions or government agencies.

As a result, on January 27, 2021, officers from the RCMP O Division Cybercrime unit, with the assistance of the Gatineau Police Service and officers from the RCMP’s National Division and C Division, conducted a search warrant on the residence of Mr. Vachon Desjardins in Gatineau, Quebec. Numerous computing and storage devices, 719 Bitcoin (worth approximately $35,000,000 CAD) and $790,000 in Canadian currency were seized as a result of the search of the residence. This is believed to be the largest seizure of cryptocurrency (in value) in Canada to date.

Investigators seized more than 20 Terabytes of data from Mr. Vachon Desjardins’ computing and storage devices. Investigators conducted analysis of this data and located evidence associated to Canadian businesses and institutions. The investigation identified 17 Canadian companies targeted by Mr. Vachon Desjardins.

On January 31, 2022, Mr. Vachon Desjardins appeared by video link in a Brampton, Ontario court before Justice G. Paul Renwick and pled guilty to the following charges;

Mischief in relation to computer data, contrary to Section 430(1.1)(1) of the Criminal Code

Extortion, contrary to Section 346(1) of the Criminal Code

Participating in a criminal organization, contrary to Section 467.11(1) of the Criminal Code

As a result, Justice G. Paul Renwick sentenced Vachon Desjardins to 7 years in jail and ordered the forfeiture of 680 Bitcoin, the majority of the seized computing devices and $742,840 in Canadian currency. Justice G. Paul Renwick also ordered the restitution of over $2,600,000 in Canadian currency to businesses that were affected by Mr. Vachon Desjardins’ criminal activity.

The RCMP would like to recognize the following organizations for their assistance in this investigation: Ministry of the Attorney General of Ontario (MAG), the Sûreté du Québec, the Ontario Provincial Police (OPP), Gatineau Police Service, National Cybercrime Coordination Unit (NC3), the Federal Bureau of Investigation (FBI) and the United States Department of Justice.

At the request of the United States, the Canadian Minister of Justice ordered Mr. Vachon Desjardins’ extradition to the United States (Florida) in relation to his Netwalker criminal activities conducted on

U.S.-based businesses and institutions.

Quotes

“Cybercrime continues to be a growing threat globally and Cybercriminals are not bound by any borders. Our success in holding Cyber-criminals accountable is largely dependent on our ability to collaborate meaningfully with our partner law enforcement agencies, both domestically and internationally.” – Inspector Lina Dabit, Officer in Charge, RCMP O Division Cybercrime Unit

“The success of this particular investigation can be attributed to the dedication and hard work of the RCMP Cybercrime Investigative Team and the partner agencies involved.” -Superintendent Kelly Bradshaw, Acting Director General, Federal Policing Criminal Operations – Financial Crime & Cybercrime

RCMP O Division (Ontario)

Sodinokibi/REvil Ransomware Defendant Extradited to United States and Arraigned in Texas

Texas, USA – A man charged with conducting ransomware attacks against multiple victims, including the July 2021 attack against Kaseya, made his initial appearance and was arraigned today in the Northern District of Texas.

According to an August 2021 indictment, Yaroslav Vasinskyi, 22, accessed the internal computer networks of several victim companies and deployed Sodinokibi/REvil ransomware to encrypt the data on the computers of victim companies.

“When last year I announced charges against members of the Sodinokibi/REvil ransomware group, I made clear that the Justice Department will spare no resource in identifying and bringing to justice transnational cybercriminals who target the American people,” said Attorney General Merrick B. Garland. “That is exactly what we have done. The United States, alongside our international partners, will continue to swiftly identify, locate, and apprehend alleged cybercriminals, capture their illicit profits, and bring them to justice.”

“Just eight months after committing his alleged ransomware attack on Kaseya from overseas, this defendant has arrived in a Dallas courtroom to face justice,” said Deputy Attorney General Lisa O. Monaco. “When we are attacked, we will work with our partners here and abroad to go after cybercriminals, wherever they may be.”

According to the indictment, Vasinskyi was allegedly responsible for the July 2, 2021, ransomware attack against Kaseya. In the alleged attack against Kaseya, Vasinskyi caused the deployment of malicious Sodinokibi/REvil code throughout a Kaseya product that caused the Kaseya production functionality to deploy REvil ransomware to “endpoints” on Kaseya customer networks. After the remote access to Kaseya endpoints was established, the ransomware was executed on those computers, which resulted in the encryption of data on computers of organizations around the world that used Kaseya software.

Through the deployment of Sodinokibi/REvil ransomware, the defendant allegedly left electronic notes in the form of a text file on the victims’ computers. The notes included a web address leading to an open-source privacy network known as Tor, as well as the link to a publicly accessible website address the victims could visit to recover their files. Upon visiting either website, victims were given a ransom demand and provided a virtual currency address to use to pay the ransom. If a victim paid the ransom, the defendant provided the decryption key and the victim then was able to access their files. If a victim did not pay the ransom, the defendant typically posted the victim’s stolen data or claimed they sold the stolen data to third parties, and victims remained unable to access their files.

Vasinskyi is charged with conspiracy to commit fraud and related activity in connection with computers, damage to protected computers, and conspiracy to commit money laundering. If convicted of all counts, he faces a total penalty of 115 years in prison. A federal district court judge will determine any sentence after considering the U.S. Sentencing Guidelines and other statutory factors.

Vasinskyi, a Ukrainian national with ties to a ransomware group linked to Russia-based actors, was taken into custody in Poland where he remained held by authorities pending proceedings in connection with his requested extradition to the United States, pursuant to the extradition treaty between the United States and the Republic of Poland. Vasinskyi was transported to Dallas by U.S. law enforcement authorities where he arrived on March 3. He made his initial court appearance and was arraigned today in the Northern District of Texas.

The FBI’s Dallas and Jackson Field Offices are leading the investigation. Substantial assistance was provided by the Justice Department’s Office of International Affairs and the National Security Division’s Counterintelligence and Export Control Section.

Assistant U.S. Attorney Tiffany H. Eggers for the Northern District of Texas and Senior Counsel Byron M. Jones of the Criminal Division’s Computer Crime and Intellectual Property Section are prosecuting the case.

The U.S. Attorney’s Office for the Northern District of Texas, the FBI’s Dallas and Jackson Field Offices and the Criminal Division’s Computer Crime and Intellectual Property Section conducted the operation in close cooperation with Europol and Eurojust, which were an integral part of coordination. Investigators and prosecutors from several jurisdictions, including Romania’s National Police and the Directorate for Investigating Organised Crime and Terrorism; Canada’s Royal Canadian Mounted Police; France’s Court of Paris and BL2C (anti-cybercrime unit police); the Dutch National Police; Poland’s National Prosecutor’s Office, Border Guard, Internal Security Agency, and Ministry of Justice; and the governments of Norway and Australia provided valuable assistance.

The U.S. Department of the Treasury Financial Crimes Enforcement Network (FinCEN), the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA); Germany’s Public Prosecutor’s Office Stuttgart and State Office of Criminal Investigation of Baden-Wuerttemberg; Switzerland’s Public Prosecutor’s Office II of the Canton of Zürich and Cantonal Police Zürich; the National Police of Ukraine and the Prosecutor General’s Office of Ukraine; the United Kingdom’s National Crime Agency; the U.S. Secret Service; the Texas Department of Information Resources; BitDefender; McAfee; and Microsoft also provided significant assistance.

For more resources on ransomware prevention and response, visit www.StopRansomware.gov.

An indictment is merely an allegation, and all defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.

USA Department of Justice

Social Media Sharing Centre
Please support us by "sharing".