South Korean cops arrest GandCrab suspect

The suspect allegedly made some $10,500 from ransomware attacks.
The logo of the South Korean National Police Agency (JUNG YEON-JE/AFP via Getty Images)

South Korea’s National Police Agency said Tuesday that it had arrested a suspect involved in the distribution of thousands of emails laced with GandCrab, a once-prolific strain of ransomware.

The suspect, whom South Korean authorities did not name, is accused of setting up internet domains to distribute the malicious code and netting some $10,500 from the ransomware attacks.

The police statement described an investigation spanning two years and 10 countries, culminating in the suspect’s arrest on Feb. 25. Those police resources overcame the suspect’s efforts to cover their tracks by using IP addresses from different countries, police said. The investigation began when South Korean officials spotted malicious emails impersonating the police to distribute the ransomware.

South Korean outlet Yonhap News reported that the suspect was 20 years old.
At its height, GandCrab was one of the most commonly used strains of ransomware, infecting over half a million victims from 2018 to February 2019, according to Europol. Security firm Bitdefender, working with European and U.S. law enforcement agencies, developed a decryption tool to help victims recover from GandCrab infections.

GandCrab operated on a “ransomware-as-a-service” model in which the developers leased out their tools to other criminals. GandCrab’s operatives claimed in mid-2019 that they were shutting down that service model. But researchers say that GandCrab’s authors continued to have a hand in ransomware infections in 2019.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.