Mistaken Identity? Russian Tourist Detained in Armenia on US REvil Ransomware Extradition Request
A Russian tourist, Aleksandr Yuryevich Ermakov, has been held in Armenia since late June on a U.S. extradition request, suspected of involvement with the notorious **REvil** ransomware group. However, his lawyers claim a case of mistaken identity, asserting the U.S. is seeking a different individual, **Aleksandr Gennadievich Ermakov**, already sanctioned and serving a sentence in Russia.
Armenian authorities are currently holding Russian tourist **Aleksandr Yuryevich Ermakov** following a U.S. extradition request. He was detained on June 28 at Yerevan's Zvartnots airport, with border officers reportedly identifying him via a photo from his **VKontakte** page.
The U.S. seeks an **Aleksandr Ermakov** for his alleged role in **Sodinokibi/REvil** ransomware attacks between April 2019 and July 2021, which impacted over 1,000 victims globally, including companies, government offices, and hospitals. The U.S. charging document, reportedly seen by **RIA Novosti**, and an **Interpol** notice, seen by **Izvestia**, suggest the individual was a platform administrator with a take exceeding $13.7 million.

### The Case for Mistaken Identity
The lawyers for the detained Ermakov argue that the U.S. has the wrong man. They contend that the individual sought by the U.S. is **Aleksandr Gennadievich Ermakov**, born May 16, 1990, who was sanctioned by Australia, the U.S., and the UK in January 2024 for the theft of 9.7 million records from **Medibank Private**, a major Australian health insurer.
Crucially, **Aleksandr Gennadievich Ermakov** is reportedly already serving a two-year sentence in Russia for malware-related offenses, preventing him from leaving the country. The man in Armenian custody, **Aleksandr Yuryevich Ermakov**, is from Omsk, a former prison-service lawyer, and reportedly does not speak English.
Russian passports include a patronymic, which distinguishes the two individuals. While Australian and UK sanction lists specify "Aleksandr Gennadievich Ermakov," the **OFAC** designation for "Aleksandr Ermakov" (listing DOB May 16, 1990, and aliases like blade_runner, GistaveDore, GustaveDore, JimJones) omits the patronymic.
Dylan Rajavi, a lawyer for the detained man, suggests that U.S. paperwork, possibly lacking the patronymic, may have led to an automated identification error. He also notes that standard verification methods like fingerprints or full passport data have not been provided, with only an arrest warrant presented.
### Origin of the Name and Sanctions
Australia's signals directorate and federal police spent 18 months on "Operation Aquila" before publicly naming **Aleksandr Gennadievich Ermakov**. Intelligence firm **Intel 471** subsequently linked aliases like SHTAZI, shtaziIT, and JimJones to him, identifying his involvement in selling malware development services through a shop called Shtazi-IT.
This trail converged with Russian police operations, which in October 2024, reportedly dismantled the **SugarLocker** ransomware crew, also operating behind Shtazi-IT. A Moscow court later sentenced **Aleksandr Gennadievich Ermakov** to two years of restricted freedom under Russia's malware statute (Article 273(2)) for co-writing and selling **SugarLocker**.
As of now, Armenian authorities have remained silent on the matter, and the U.S. Justice Department has not announced any charges related to the current detention. The man's family expects the extradition to proceed, despite the defense's claims of mistaken identity.
This situation highlights the complexities and potential pitfalls in international cybercrime investigations, particularly when relying solely on names and limited identifying information for high-profile suspects.