69: Wazawaka: ‘Most Wanted’ and, he says, undeterred


[MUSIC]

DINA TEMPLE-RASTON: The FBI’s Most Wanted list is the stuff of legend. Back in the old days, it
included gangsters like Al Capone or bank robbers like John Dillinger. Even Bonnie and Clyde,
the murderous lovers who went on a three-year crime spree in the 1930s, before they were
eventually gunned down in their car by law enforcement.

UNIDENTIFIED MAN: Here is Clyde Barrow and Bonnie Parker, who died as they lived, by the
gun.

[MUSIC]

TEMPLE-RASTON: To get that most-wanted, public-enemy Number One designation, the person
needs to be a danger to society. And the FBI has to make a calculation: whether all the publicity
that comes with the FBI’s Most Wanted will help the Bureau bring them to justice.

What may be less well known is that the FBI has a bunch of different kinds of Most Wanted lists.
There’s one for fugitives, one for kidnappers, and somewhat recently, one for the world’s most
wanted hackers. People who have wreaked havoc from behind a keyboard.

UNIDENTIFIED MAN: The actors named in this indictment were members of a hacking group
operating in China.

UNIDENTIFIED MAN: Involved hacking into computers of hospitals, municipalities, public
institutions and businesses in the United States and…

TEMPLE-RASTON: And the people on the FBI’s cyber most wanted seem to fall into a couple of
categories. Iranian hackers with first names like Amir and Ahmad. North Koreans with last
names like Park and Kim. And Chinese hackers, many of whom appear to be in military uniform.

And the newest inductee? He’s Russian. His first name is Misha, but he’s better known by his
screen names: Wazawaka or Boris Elcin or M1x. And he was put on the list just a few weeks ago.

CLIP: We are following new developments this morning, an apparent hack affecting DC police’s
computer network.

CLIP: Health care providers, school systems, all targets of a Russian national.

CLIP: The Justice Department is putting a bounty on his head.

TEMPLE-RASTON: He’s worked with some of the most notorious cybercriminals in the world.
And the Department of Justice claims the groups he works with have raked in hundreds of
millions of dollars by stealing data and holding it for ransom. And we tracked down this most
wanted hacker, thought to be living in Russia, and convinced him to talk. He has a lot to say
about his inclusion on that FBI list.

[MIKHAIL MATVEEV SPEAKING IN RUSSIAN]

MIKHAIL MATVEEV: I just want to say this, the money that DOJ attributes to me, I have never
seen such amount. I don’t have this money. Where did they get those numbers from? I’m
interested.

[MUSIC]

TEMPLE-RASTON: I’m Dina Temple-Raston and this is Click Here, a podcast about all things
cyber and intelligence. Today, a conversation with one of America’s most wanted. Stay with us.

[MUSIC]

[BREAK]

TEMPLE-RASTON: The FBI’s cyber most wanted started about ten years ago. And the criteria to
be included is pretty straightforward. It depends on the seriousness of the hacking crimes, the
kinds of attacks they’ve committed in the past, whether they continue to pose a serious threat.

Misha seems to have made the cut largely because of the people he hangs out with. He’s been
an affiliate, which is kind of like a contractor, to three infamous ransomware hacking crews,
namely Lockbit, Babuk and Hive. Though when we asked him about them, he started out not
wanting to talk about it. We spoke to him through a translator.

[MIKHAIL MATVEEV SPEAKING IN RUSSIAN]

MATVEEV: I’ve discussed this many times and there is no reason to repeat it.

TEMPLE-RASTON: But then, he went on to discuss them at great length. He says a lot of people
have accused him of running some of these ransomware gangs, but actually, that’s not right,
he says; he just works with them.

MATVEEV: Journalists exaggerate more than make mistakes. But there are mistakes. For
example, Hive and Lockbit: they made me look like a co-owner of this.

TEMPLE-RASTON: Which he says he isn’t.

[MUSIC]

TEMPLE-RASTON: But even if he isn’t running these groups, because he’s worked with so many
of them, he has a wealth of information about how they operate. For example, he thinks the
best-run ransomware operation is a Russian-language one called Conti.

MATVEEV: Conti was very well structured.

[MUSIC]

TEMPLE-RASTON: You’ve probably heard about some of their attacks. Conti targeted the Costa
Rican government last year and stole some 850 gigabytes of data from the Finance Ministry.

BUSINESS OF TECH: Late today, we learned that Costa Rica has declared a state of emergency
after a ransomware attack.

TELETICA: The Conti Group… electronic…

TEMPLE-RASTON: The group made a ransom demand and then just locked up the financial
ministry’s systems for weeks. They doubled their ransom demand from $10 million to $20
million dollars. Conti can do things like that, Misha said, because they are so well-run.

MATVEEV: It was run like a real-world business and they profited from that. Lockbit or REvil
claimed others’ work and boasted about other people’s work; that’s why they lost their way.
You will not find anything bad written about Conti. They keep all their business promises, the
product is well built.

TEMPLE-RASTON: Conti broke up shortly after the Russian invasion of Ukraine. Its leaders said
they were going to support Russia in the war. And then in response someone leaked their chats
and revealed a bunch of their internal operations and secrets. After that, Conti appeared to
just shut down, walk away, but Misha says that’s not true, Conti is still around.

MATVEEV: They still exist, but we don’t see them. The way the market is set up now you don’t
see real groups, you only see the hype.

TEMPLE-RASTON: The danger of someone like Misha, who isn’t running a hacking operation but
is only too happy to lend a hand to those that do, is that he doesn’t care much who gets
targeted. It could be the government of Costa Rica one day and a small working class town in
the U.S. the next. Just ask Prospect Park, New Jersey.

WALTER RICHMOND: It's a small town. We're about just under, we're like a square mile.

TEMPLE-RASTON: This is Walter Richmond, he’s the officer in charge in Prospect Park.

RICHMOND: We border the city of Paterson, which is one of the major cities in New Jersey. Um,
actually many of our streets we share with Paterson. Half of the street will be ours, half of it
will be the city of Paterson's.

TEMPLE-RASTON: And this little town, back in the summer of 2020, was attacked by the Lockbit
gang. Walter was one of the first to realize what Misha and his buddies had allegedly done.

RICHMOND: I came in in the morning and our police clerk had alerted us that she couldn't
access any of the files. She was trying to scan and do her clerical duties and she couldn't access
any of the files.

TEMPLE-RASTON: So he went over to her computer and his heart sank.

RICHMOND: I noticed that all of our files on our server were of the Lockbit variant. They were
changed. So we obviously have Word documents, usually your normal PDF style documents,
Excel, things like that, et cetera. But they were all now Lockbit as the file type.

TEMPLE-RASTON: So like the extension on the file, instead of saying txt or whatever it was, it
would say Lockbit.

RICHMOND: Yes. So the extension of the files were all changed to Lockbit.

TEMPLE-RASTON: Walter called the company that was running the city’s IT operations and
asked what he should do.

RICHMOND: He immediately said, you know, do not log into any computers. Tell everyone to not
touch any of their, you know, desktops or laptops in their vehicles, the police cars.

TEMPLE-RASTON: But here’s the strange thing: Walter said there was no ransom note.

RICHMOND: No one reached out requesting a ransom or any, you know, the usual type of you
know activity.

TEMPLE-RASTON: Attacks like these can be terrifying. A city like Prospect Park wouldn’t expect
to be a target of someone as notorious as Misha. But in an indictment released the day Misha
became a cyber Most Wanted, the Justice Department claimed that he played a role in the
Prospect Park attack. They said he was part of a conspiracy to lock up their computers.

TEMPLE-RASTON: Why do you think he went after you guys?

RICHMOND: I'm not sure. That’s a really good question.

TEMPLE-RASTON: Cybersecurity experts will tell you that hackers are targeting places like
Prospect Park because they’re low hanging fruit. Cities typically don’t have lots of money to
spend on IT security teams. Misha, for his part, told us he wasn’t involved.

MATVEEV: It was not me, it was other people, I just uploaded the data because I thought I
needed to upload it.

TEMPLE-RASTON: The information was available, he said, so he just grabbed it to prove that
they had really had the data.

MATVEEV: You see, a lot of western cybersecurity companies think that a lot of
ransomware groups lie. I uploaded the data to prove that it really had been stolen, and it
wasn’t a hoax.

TEMPLE-RASTON: While the Prospect Park attack was relatively small ball, Misha’s work with all
these groups has authorities worried that he will eventually be involved in a big one, a
ransomware attack that stops a city in its tracks. Some version of what happened in Dallas
earlier this month.

ANNOUNCER: More fallout tonight from a ransomware attack on the city of Dallas. The cyber
attack has now closed the municipal courts building and renewed concerns about the possible
leak of city employees’ personal data.

TEMPLE-RASTON: It is unclear whether the ransomware group that locked up the Dallas city
system, a crew called Royal, actually stole the city’s data, but the mere fact that they have
locked up some of the Dallas computer systems has had real world consequences.

Dallas officials say there will be no hearings, no trials, and no jury duty until they’re back online.
They say that’ll be at the end of the month. So the courts have been closed for weeks.
The concern is that attacks with this kind of impact become the new norm and that people like
Misha could help make more attacks like that happen. Which helps explain why the FBI is
pulling out all the stops in its hunt for him. But actually we found someone who was able to
locate Misha, even identify him, and he’s been interacting with him for years now.

Stay with us.

[BREAK]

TEMPLE-RASTON: Azim Khodjibaev started tracking Misha a few years ago. He’s a senior analyst
at a threat intelligence firm called Cisco Talos.

AZIM KHODJIBAEV: So one of my research skills, if you will, is to really deep dive into the human
presence on the internet for individuals.

TEMPLE-RASTON: And it turns out Misha had inadvertently left little digital footprints on the
web – things that he’d probably forgotten about – and Azim discovered them.

KHODJIBAEV: They made a small mistake in posting both their username and name in a very
random forum post a very long time ago.

TEMPLE-RASTON: Azim put that little piece of information together with other things he’d
found.

KHODJIBAEV: And then ultimately that same name was matched to a resume. That indicated
and matched a lot of this person's activities.

TEMPLE-RASTON: So when Misha reached out to him, Azim responded by saying he knew who
he was.

KHODJIBAEV: He did not deny it. His response was actually very jovial and inquisitive as to how I
found out. But because of that, it was, uh, in my experience, one of the biggest icebreakers I've
ever had.

TEMPLE-RASTON: Actually your relationship with him was sort of born out of begrudged mutual
respect?

KHODJIBAEV: Uh, yes. And uh, it continues to be that way it seems. Um, he has recently gone
from a very negative attitude towards me to being somewhat cordial and even nice at times,
complimenting me one way or the other which I found that personally to be a little weird.

[MUSIC]

TEMPLE-RASTON: A producer on our team spent weeks chasing Misha and he eventually
convinced him to talk with us, just a few days after he was added to the FBI’s most wanted
hacker list. And Misha seemed to be taking his new notoriety in stride.

[MIKHAIL MATVEEV SPEAKING IN RUSSIAN]

MATVEEV: I was not surprised. I understood it was going to happen.

TEMPLE-RASTON: We worked out a system where we’d text him questions in Russian and then
he’d respond to us with voice memos. And we didn’t exactly have his full attention: it sounded
like he was running errands while he was talking to us.

[RIHANNA MUSIC]

TEMPLE-RASTON: Like at one point we could hear Rihanna music playing in the background.

[RIHANNA MUSIC]

[MIKHAIL MATVEEV SPEAKING IN RUSSIAN]

TEMPLE-RASTON: At another moment we could hear motorcycles rumbling past, like he was on
the street walking home. And that’s the weird thing about Misha, while he’s being hunted by
the FBI, he seems to spend a lot of time doing things that make it pretty easy to find him.
Things like sending us those voice memos or posting drunk videos on social media.

[MIKHAIL MATVEEV DRUNK VIDEO]

TEMPLE-RASTON: Which, in addition to showing where he is, shows law enforcement exactly
what he looks like. In fact, one of his pictures on the most wanted list is pulled from one of
those videos. Misha kind of looks like he sounds.

MATVEEV: Aww shit man, and this is my workflow…

TEMPLE-RASTON: He looks like he’s straight out of hacker central casting, like one of those
guys in the bar who makes you instinctively move a couple of stools away just so you can avoid
any drunken interaction. And he’s always calling out cyber security analysts on social media,
goading them. In this clip he’s boasting about all the things they’d learn if only they could just
get their hands on his laptop, which he drunkenly hits with his hand.

MATVEEV: And all data security professionals in the USA. Would you like to see something
outstanding and more interesting that you have ever seen before? That is my working laptop.

TEMPLE-RASTON: But Misha didn’t seem to worry that the FBI might be taking those videos or
our voice memos and piecing them all together to try to locate him.

TEMPLE-RASTON: Are those the kinds of clues that you look for?

KHODJIBAEV: To answer your question, I do look for those kinds of clues all the time.

TEMPLE-RASTON: This is Azim from Cisco Talos again.

KHODJIBAEV: He shares a lot of those kinds of clues one way or the other. I don't particularly
think he cares that he does that.

TEMPLE-RASTON: He’s been pretty open, for example, about where he’s been living.

KHODJIBAEV: In recent videos, I think even within this year perhaps, or within the last year and
a half, um, he has claimed to be residing or traveling to the Russian Enclave of Kaliningrad,
which is surrounded by Poland and Latvia.

TEMPLE-RASTON: Which actually isn’t as much of a help for the FBI as it sounds. Russia doesn’t
hand over its cyber criminals, it is actually thought to encourage their overseas hacks. Which
may be why Misha doesn’t seem to care that he’s dropping all of these clues.

He’s given no signs of slowing down now that he’s on the FBI’s most wanted list. In fact, he says
he is cooking up some new plans, which in a way, ironically, have something to do with the FBI.

MATVEEV: I want to show that IT in Russia is still alive and well. You don’t need to go to the U.S.
to make money, you don’t need to go to the U.S. to study. I want to take Russian information
technologies to the next level.

TEMPLE-RASTON: Misha says he wants to help teach Russia’s youth about cybersecurity to
protect them from the prying eyes of the CIA and the FBI.

MATVEEV: I also have this idea of organizing a project to teach children cyber hygiene, to
protect them from attacks of all sorts from the CIA, FBI, who recruit our citizens. This is open
information, they are talking about it themselves; no one does that in our country.

TEMPLE-RASTON: You coming after me? He seems to say to the FBI. I’m coming after you.

This is Click Here.

[MUSIC]

TEMPLE-RASTON: Here are some of the top cyber and intelligence headlines of the past week.

A Chinese state-sponsored hacking group reportedly compromised critical infrastructure in
Guam and has also been busy collecting U.S. military intelligence, researchers told our sister
publication, The Record.

According to analysts at Secureworks, the group known as Bronze Silhouette (Microsoft calls it
Volt Typhoon) has apparently been targeting U.S. defense and government networks since
mid-2021.

The researchers said attribution to the group comes despite the great lengths the hackers went
to conceal their connections to China. They said Beijing may have become increasingly sensitive
about being blamed for cyberattacks.

Microsoft issued an advisory about the group last week and their dispatch coincided with a Five
Eyes intelligence alliance advisory about Chinese state-sponsored activity being carried out
against critical national infrastructure.

China denied the claims and denounced the joint warning as a “collective disinformation
campaign.” Beijing has repeatedly countered criticisms of its alleged aggressive
cyber-espionage operations by accusing the U.S. of conducting similar activities.
____

TEMPLE-RASTON: In December 2021, a user with a Russian IP address uploaded mysterious
malware to Google's virus scanning service VirusTotal. According to an analysis published by
Mandiant security researchers, this malicious software is designed to disrupt and damage
critical infrastructure systems, including power grids. Mandiant has named the malware Cosmic
Energy and they said it is similar to Industroyer and Industroyer 2, which we’ve talked about
here before.

Mandiant says they believe that Cosmic Energy was originally created to simulate actual attack
scenarios on the Russian energy grid, and researchers worry that Russian hackers can
repurpose the malware and direct it toward the critical infrastructure of their adversaries’
facilities. Threat actors regularly adapt and make use of red team tools to facilitate real-world
attacks.

____

TEMPLE-RASTON: Researchers from a handful of digital rights organizations have uncovered
what may be the first deployment of Pegasus spyware within the confines of war. The notorious
spying software developed by Israeli company NSO Group targeted Armenian journalists,
activists, government officials, and civilians during the war between Armenia and Azerbaijan in
the disputed region of Nagorno-Karabakh. The two sides fought over the territory for 44 days in
the fall of 2020.

Researchers said the victims’ work and the timing of the targeting strongly suggest that the
conflict was the reason for singling these people out. They believe that this spyware operation
was carried out by government officials, as NSO Group has previously claimed that their
technology is only sold to governments.
____

CREDITS:

Click Here is a production of Recorded Future News. I’m Dina Temple-Raston, the host and
executive producer of the show. Our senior producer and marketing director is Sean Powers,
Will Jarvis is our producer and Sarah Wyman is our writer/reporter. Karen Duffin and Lu
Olkowski are our editors.

Darren Ankrom is our fact checker. Ben Levingston composes all the original music you hear in
the episode and our other music is from Blue Dot Sessions. Special thanks this week to Dmitry
Smilyanets, Alexander Leslie, and Artemii Shchipko for helping us with our interviews in
Russian.

And we want to hear from you. Please leave us a review and rating wherever you get your
podcasts, and connect with us by email: Click Here at Recorded Future dot com or on our
website at ClickHereshow dot com. I’m Dina Temple-Raston. We’ll be back on Tuesday.
