HackMyIP
← Back to News
2026-07-17 The Hacker News

Wrong Man Detained? Armenia Holds Russian Tourist in REvil Extradition Case

RansomwareThreat IntelIncident Response

Armenian border officers at Yerevan's Zvartnots airport pulled Russian tourist Aleksandr Ermakov from the departure hall on June 28, 2026, detaining him on a U.S. extradition request tied to the REvil (Sodinokibi) ransomware group. His wife, Maria Yurova, told REN TV that officers showed her husband a photo pulled from his VKontakte profile before leading him to a side room and transferring him to a detention facility. The U.S. wants Aleksandr Gennadievich Ermakov, an Australian-, U.S.-, and UK-sanctioned actor linked to the October 2022 Medibank Private breach that exposed 9.7 million health insurance records. Readers tracking exposure from that incident can verify their status using an email breach checker. The detained man's lawyers say Washington has the wrong person: their client is Aleksandr Yuryevich Ermakov from Omsk, a former prison-service lawyer who does not speak English, while the sanctioned target is already serving a two-year Russian sentence that bars him from leaving the country.

The U.S. charging document, dated June 26 in the Northern District of Texas, accuses an Aleksandr Ermakov of participating in REvil attacks from approximately April 2019 through July 12, 2021, victimizing more than 1,000 private companies, government offices, schools, hospitals, and law enforcement entities, some operating in northern Texas. An Interpol notice built on that indictment goes further, alleging one of REvil's platform administrators with a take exceeding $13.7 million. The same Texas court charged fellow REvil operator Yevgeniy Polyanin in 2021 over Sodinokibi attacks on regional businesses. Investigators tied the sanctioned Ermakov to REvil through handles including blade_runner, GustaveDore, and JimJones, plus a Yandex email address now catalogued in OFAC's SDN records.

The case hinges on Russia's patronymic naming convention, the middle field on a domestic passport that distinguishes one Aleksandr Ermakov from another. Australia's consolidated sanctions list spells it out: Aleksandr Gennadievich Ermakov, born 16 May 1990. The UK entry matches. OFAC's SDN record, however, lists only given name and surname with no patronymic, alongside a Moscow address and the four online aliases. Defense attorney Dylan Rajavi told Izvestia that the U.S. paperwork likely carried just a given name and surname, allowing an automated match to flag his client at the border. He added that standard identification methods such as fingerprint comparison or full passport data have not been produced. "There is only an arrest warrant," Rajavi said. With cross-border investigations increasingly relying on digital identifiers rather than biometric confirmation, this case underscores the risk of false positives. Security teams monitoring actor infrastructure can cross-reference linked domains via a WHOIS lookup, while anyone concerned about identity-level tracking across borders can run a browser fingerprint test to see how uniquely their device may be profiled online.

Source: The Hacker News →

Related Tools

Check whether this kind of story affects you — free, no signup:

Email Breach Check →Privacy Checkup →

Related Guides

Learn the background behind this story:

What is a data breach? →Credential stuffing attacks →How to check for an email breach →