Mikhail Pavlovich Matveev [1] [2] [3] [4], a Russian national based in St Petersburg [1], has been identified as a key figure in the development and distribution of LockBit [1], Babuk [1] [2] [3] [4], and Hive ransomware variants [1] [2] [3] [4]. This article provides a detailed description of Matveev’s activities and affiliations [1] [2] [3] [4], as well as the unethical practices employed by the ransomware groups he is associated with.


Matveev, also known as Wazawaka [2] [3], is accused of playing a significant role in the operations of LockBit, Babuk [1] [2] [3] [4], and Hive ransomware variants [1] [2] [3] [4]. He has affiliations with other ransomware groups such as Conti [1], Monti [1] [2], Trigona [1] [2], and NoEscape [1] [2]. Cybersecurity researchers intercepted and collected thousands of communication logs between various threat actors involved in different ransomware variants from April to December 2023 [1], exposing Matveev’s activities [1].

An investigation conducted by Swiss cybersecurity firm PRODAFT revealed Matveev’s involvement in managing the Babuk ransomware gang until early 2022. PRODAFT’s analysis also uncovered unethical practices employed by the group, including threatening to leak sensitive files and retaining files even after ransom payments are made [3].

Matveev leads a team of six penetration testers and has connections to other ransomware groups [3]. The group utilizes various tactics [3], such as gathering information about victims through services like Zoominfo [3] [4], Censys [2] [4], Shodan [2] [4], and FOFA [2] [4], exploiting known security vulnerabilities [2] [4], and using custom and off-the-shelf tools to gain access and elevate privileges [2].

PRODAFT’s analysis also revealed connections between Matveev and Evgeniy Mikhailovich Bogachev [3] [4], a Russian national associated with the GameOver Zeus botnet and Evil Corp [3] [4]. Furthermore, the analysis suggests deeper connections between Matveev [2] [4], Bogachev [2] [3] [4], and Evil Corp [2] [3] [4].

It is worth noting that the ransomware operations of Babuk were renamed PayloadBIN in 2021 [2], possibly to evade US sanctions [2] [4].


The activities of Mikhail Pavlovich Matveev and the ransomware groups he is associated with have significant impacts on individuals, organizations, and society as a whole. The unethical practices employed by these groups, such as threatening to leak sensitive files and retaining files even after ransom payments [3], highlight the need for robust cybersecurity measures and international cooperation to combat such threats.

The connections between Matveev [2] [3] [4], Bogachev [2] [3] [4], and Evil Corp raise concerns about the extent of collaboration and coordination among different ransomware groups. This underscores the importance of ongoing investigations and efforts to dismantle these criminal networks.

Furthermore, the renaming of Babuk’s ransomware operations to PayloadBIN suggests a deliberate attempt to evade sanctions and continue the group’s illicit activities. This highlights the need for continued vigilance and regulatory measures to disrupt and deter ransomware operations.

In conclusion, the identification and exposure of Matveev’s activities provide valuable insights into the operations of ransomware groups and serve as a reminder of the ongoing challenges posed by cybercriminals.


[1] https://cncso.com/kr/how-a-russian-hacker-built-a-ransomware-empire.html
[2] https://www.ultravpn.fr/dans-les-coulisses-de-lempire-ransomware-de-matveev-tactiques-et-equipe/
[3] https://owasp.or.id/2023/12/19/behind-the-scenes-of-matveevs-ransomware-empire-tactics-and-team/
[4] https://thehackernews.com/2023/12/behind-scenes-of-matveevs-ransomware.html