{"id":7945,"date":"2025-09-02T05:00:00","date_gmt":"2025-09-02T10:00:00","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=85764"},"modified":"2025-09-02T05:00:00","modified_gmt":"2025-09-02T10:00:00","slug":"prolific-russian-ransomware-operator-living-in-california-enjoys-rare-leniency-awaiting-trial","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2025\/09\/02\/prolific-russian-ransomware-operator-living-in-california-enjoys-rare-leniency-awaiting-trial\/","title":{"rendered":"Prolific Russian ransomware operator living in California enjoys rare leniency awaiting trial"},"content":{"rendered":"<p><head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"robots\" content=\"index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1\"> <!-- This site is optimized with the Yoast SEO Premium plugin v24.5 (Yoast SEO v24.5) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ --> <title>Prolific Russian ransomware operator living in California enjoys rare leniency awaiting trial | CyberScoop<\/title> <meta name=\"description\" content=\"Ianis Aleksandrovich Antropenko allegedly committed ransomware attacks from 2018 to 2022. He\u2019s been out on bond since his arrest almost a year ago, despite multiple run-ins with police.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/ianis-antropenko-zeppelin-ransomware-russian-cybercrime\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Prolific Russian ransomware operator living in California enjoys rare leniency awaiting trial\"> <meta property=\"og:description\" content=\"Ianis Aleksandrovich Antropenko allegedly committed ransomware attacks from 2018 to 2022. He\u2019s been out on bond since his arrest almost a year ago, despite multiple run-ins with police.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/ianis-antropenko-zeppelin-ransomware-russian-cybercrime\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cyberscoop\/\"> <meta property=\"article:published_time\" content=\"2025-09-02T10:00:00+00:00\"> <meta name=\"author\" content=\"Matt Kapko\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/prolific-russian-ransomware-operator-living-in-california-enjoys-rare-leniency-awaiting-trial-2.jpg\"> <meta name=\"twitter:creator\" content=\"@CyberScoopNews\"> <meta name=\"twitter:site\" content=\"@CyberScoopNews\"> <!-- \/ Yoast SEO Premium plugin. --> <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1754500264g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1755632305g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1753281318g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=13897d660a0ac2c9c7d1\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/85764\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.8.2\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=85764\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fianis-antropenko-zeppelin-ransomware-russian-cybercrime%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fianis-antropenko-zeppelin-ransomware-russian-cybercrime%2F&amp;format=xml\"> <!-- Google Tag Manager --> <!-- End Google Tag Manager --> <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"wp-singular post-template-default single single-post postid-85764 single-format-standard wp-theme-scoopnewsgroup wp-child-theme-cyberscoop\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/ianis-antropenko-zeppelin-ransomware-russian-cybercrime\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"25.48224852071\">\n<div class=\"single-article__header-content\" readability=\"32\">\n<p> Ianis Aleksandrovich Antropenko allegedly committed ransomware attacks from 2018 to 2022. He\u2019s been out on bond since his arrest almost a year ago, despite multiple run-ins with police. <\/p>\n<p> <!-- Listen to this article section --> <!-- End of audio player --> <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"426\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/prolific-russian-ransomware-operator-living-in-california-enjoys-rare-leniency-awaiting-trial.jpg?resize=640%2C426&#038;ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/prolific-russian-ransomware-operator-living-in-california-enjoys-rare-leniency-awaiting-trial-2.jpg 8256w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/prolific-russian-ransomware-operator-living-in-california-enjoys-rare-leniency-awaiting-trial-2.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/prolific-russian-ransomware-operator-living-in-california-enjoys-rare-leniency-awaiting-trial-2.jpg?resize=768,512 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/prolific-russian-ransomware-operator-living-in-california-enjoys-rare-leniency-awaiting-trial-2.jpg?resize=1024,683 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/prolific-russian-ransomware-operator-living-in-california-enjoys-rare-leniency-awaiting-trial-2.jpg?resize=1536,1024 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/prolific-russian-ransomware-operator-living-in-california-enjoys-rare-leniency-awaiting-trial-2.jpg?resize=2048,1365 2048w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/prolific-russian-ransomware-operator-living-in-california-enjoys-rare-leniency-awaiting-trial-2.jpg?resize=600,400 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/prolific-russian-ransomware-operator-living-in-california-enjoys-rare-leniency-awaiting-trial-2.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/prolific-russian-ransomware-operator-living-in-california-enjoys-rare-leniency-awaiting-trial-2.jpg?resize=506,337 506w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/prolific-russian-ransomware-operator-living-in-california-enjoys-rare-leniency-awaiting-trial-2.jpg?resize=1013,675 1013w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/prolific-russian-ransomware-operator-living-in-california-enjoys-rare-leniency-awaiting-trial-2.jpg?resize=1265,843 1265w\" sizes=\"(max-width: 1013px) 100vw, 1013px\"><figcaption> (Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"213.49622772621\"><body readability=\"434.82851090214\"><\/p>\n<p>Authorities and threat intelligence analysts alike relish taking ransomware operators off the board. Holding cybercriminals accountable through arrest, imprisonment, or genuine reform creates a powerful deterrent and advances the ultimate goal of a safer internet for everyone.&nbsp;<\/p>\n<p>Getting to that point is a remarkably tough task for defenders. Ransomware attacks are often initiated by people living in countries that aren\u2019t bound by extradition treaties with the United States or don\u2019t cooperate with international law enforcement. When those obstructions aren\u2019t in place, authorities can amass resources to hunt down those responsible for cyberattacks and bring them to justice.<\/p>\n<p>The fight against cybercrime is grueling, and wins don\u2019t typically countervail the losses. For nearly a decade, police have often made high-profile announcements about arresting cybercriminals, keeping them in custody until their court dates and seizing their ill-gotten gains. These acts send a clear message to the public and potential offenders that cybercrime is a serious offense, and authorities are taking swift, visible measures to uphold the law.<\/p>\n<p>Ianis Aleksandrovich Antropenko exemplifies the profile of a modern cybercriminal, yet, unlike many others who have faced strict prosecution for similar offenses, the Justice Department has granted him liberties rarely extended to such suspects.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>The 36-year-old Russian national was arrested almost a year ago in California for his alleged involvement in multiple ransomware attacks from at least May 2018 to August 2022. Yet, he was released on bail the day of his arrest and continues to live with few restrictions in Southern California awaiting trial for multiple felonies.<\/p>\n<p>Antropenko is charged with conspiracy to commit computer fraud and abuse, computer fraud and abuse, and conspiracy to commit money laundering. He is accused of using Zeppelin ransomware to attack multiple people, businesses and organizations globally, including victims based in the U.S.<\/p>\n<p>Antropenko pleaded not guilty to the charges in October.<\/p>\n<p>The Justice Department recently announced it <a href=\"https:\/\/www.justice.gov\/usao-ndtx\/pr\/justice-department-announces-seizure-over-28-million-cryptocurrency-cash-and-other\">seized more than $2.8 million in cryptocurrency<\/a>, nearly $71,000 in cash and two luxury vehicles from Antropenko in February 2024. His alleged crimes were publicly revealed for the first time last month when authorities unsealed various court documents.<\/p>\n<figure class=\"wp-block-image size-large is-resized\"><img data-recalc-dims=\"1\" decoding=\"async\" height=\"800\" width=\"640\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/prolific-russian-ransomware-operator-living-in-california-enjoys-rare-leniency-awaiting-trial.png?resize=640%2C800&#038;ssl=1\" alt=\"Photo of Antropenko posted to his public Instagram account March 10, 2023.\" class=\"wp-image-85774\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/prolific-russian-ransomware-operator-living-in-california-enjoys-rare-leniency-awaiting-trial-5.png 1200w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/prolific-russian-ransomware-operator-living-in-california-enjoys-rare-leniency-awaiting-trial-5.png?resize=240,300 240w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/prolific-russian-ransomware-operator-living-in-california-enjoys-rare-leniency-awaiting-trial-5.png?resize=768,960 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/prolific-russian-ransomware-operator-living-in-california-enjoys-rare-leniency-awaiting-trial-5.png?resize=819,1024 819w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/prolific-russian-ransomware-operator-living-in-california-enjoys-rare-leniency-awaiting-trial-5.png?resize=480,600 480w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/prolific-russian-ransomware-operator-living-in-california-enjoys-rare-leniency-awaiting-trial-5.png?resize=134,168 134w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/prolific-russian-ransomware-operator-living-in-california-enjoys-rare-leniency-awaiting-trial-5.png?resize=270,337 270w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/prolific-russian-ransomware-operator-living-in-california-enjoys-rare-leniency-awaiting-trial-5.png?resize=540,675 540w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/prolific-russian-ransomware-operator-living-in-california-enjoys-rare-leniency-awaiting-trial-5.png?resize=674,843 674w\" sizes=\"(max-width: 819px) 100vw, 819px\"><figcaption class=\"wp-element-caption\">Photo of Antropenko posted to his public Instagram account March 10, 2023. (Instagram)<\/figcaption><\/figure>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Antropenko\u2019s arrest and pending trial marks another potential win against ransomware, but many experts told CyberScoop they are stunned he remains free on bail. This rare flash of deferment in a case involving a prolific alleged cybercriminal is even more shocking considering his multiple run-ins with police since his 2024 arrest.<\/p>\n<p>Antropenko violated conditions for his pretrial release at least three times in a four-month period this year, including two arrests in California involving dangerous behavior while under the influence of drugs and alcohol. Authorities haven\u2019t explained why Antropenko was released pending trial, nor why parole officers and a judge repeatedly allowed him to remain out of jail following these infractions.<\/p>\n<p>\u201cOn average, most ransomware actors, if they are brought into custody, are remanded because of a flight risk,\u201d said Cynthia Kaiser, senior vice president of the ransomware research center at Halcyon.<\/p>\n<p>\u201cIt\u2019s rare to have a ransomware actor in U.S. custody,\u201d the former deputy assistant director at the FBI Cyber Division told CyberScoop. \u201cTypically, if the FBI believes that the person is a flight risk it would make the case for bond to be denied.\u201d<\/p>\n<p>Prosecutors in the U.S. District Court for the Northern District of Texas did not flag Antropenko as a flight risk in this case.&nbsp;<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>In the past year, other alleged ransomware suspects or cybercriminals \u2014 <a href=\"https:\/\/cyberscoop.com\/scattered-spider-noah-urban-sentence-10-years\/\">Noah Urban<\/a>, <a href=\"https:\/\/cyberscoop.com\/cameron-wagenius-att-snowflake-guilty-plea\/\">Cameron Wagenius<\/a>, <a href=\"https:\/\/cyberscoop.com\/connor-moucka-snowflake-hacker-extradition-us\/\">Connor Moucka<\/a> and <a href=\"https:\/\/cyberscoop.com\/nefilim-ransomware-artem-stryzhak-extradited\/\">Artem Stryzhak<\/a> among them \u2014 were all detained pending trial. Urban, who was sentenced last month to 10 years in prison, and <a href=\"https:\/\/cyberscoop.com\/army-soldier-alleged-cybercriminal-foreign-spies\/\">Wagenius<\/a>, who has pleaded guilty to some charges, were arrested in the United States. Moucka and Stryzhak were arrested elsewhere and extradited to the U.S.<\/p>\n<p>Pretrial treatment of cybercrime suspects hasn\u2019t always adhered to strict norms, especially when the accused\u2019s mental health status was taken into account. Paige Thompson, who was arrested in July 2019 for hacking and stealing data from Capital One and dozens of other organizations for a cryptocurrency mining scheme, was deemed a \u201c<a href=\"https:\/\/cyberscoop.com\/paige-thompson-capital-one-detention-hearing\/\">serious flight risk<\/a>\u201d by prosecutors, but still <a href=\"https:\/\/cyberscoop.com\/capital-one-hacker-free-trial-paige-thompson\/\">released pending trial four months later<\/a>.<\/p>\n<p>A U.S. district judge in Seattle determined Thompson didn\u2019t pose a threat to the community and previously told attorneys he was \u201c<a href=\"https:\/\/cyberscoop.com\/paige-thompson-capital-one-detention-hearing\/\">very concerned<\/a>\u201d that Thompson would not receive adequate mental health treatment from the Bureau of Prisons.&nbsp;<\/p>\n<p>Thompson was found guilty of multiple counts and sentenced in October 2022 to time served and five years of probation, much to the chagrin of prosecutors. A federal appeals court <a href=\"https:\/\/cyberscoop.com\/capital-one-hacker-paige-thompson-sentence-appeals-court\/\">overruled the district court judge\u2019s sentence<\/a> earlier this year, calling the punishment \u201csubstantially unreasonable.\u201d<\/p>\n<p>Yevgeniy Nikulin, a Russian national arrested in October 2016 on charges related to breaching a database containing 117 million passwords from LinkedIn, Dropbox and other services, was extradited to the U.S. from the Czech Republic in 2018 and <a href=\"https:\/\/cyberscoop.com\/yevginiy-nikulin-linkedin-hacker-trial-mental-illness\/\">ruled fit to stand trial<\/a>, despite exhibiting mental illness symptoms throughout his incarceration and trial. He was detained pending trial and <a href=\"https:\/\/cyberscoop.com\/nikulin-sentence-russian-cybercrime-linkedin-hacker\/\">sentenced to 88 months in prison<\/a> in September 2020.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Notwithstanding these variances in previous cases, some experts are struck by other irregularities in Antropenko\u2019s case, including his conditions of release. He is not banned from using the internet or computers, but limited to devices and services disclosed during supervision that are subject to monitoring.<\/p>\n<p>More lenient conditions of release are typically offered in exchange for cooperation, according to threat analysts and a former FBI special agent who specialized in cybersecurity investigations.&nbsp;<\/p>\n<p>\u201cThe investigators that tracked him down will certainly want to know who the bigger fish are, and they\u2019ll want to figure out who else they could take down,\u201d the former FBI special agent, speaking on condition of anonymity, told CyberScoop. \u201cIf he\u2019s willing to cooperate, then normally the federal system will do good things for you.\u201d<\/p>\n<p>Authorities imposed travel restrictions on Antropenko, required him to surrender his passport, banned him from entering a Russian embassy or consulate and are monitoring his location.<\/p>\n<h4 class=\"wp-block-heading\" id=\"h-bad-behavior-going-back-years\">Bad behavior going back years<\/h4>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>The federal case against Antropenko accentuates how finite resources can put law enforcement and federal investigators at a disadvantage as they confront a constant crush of cybercrime.&nbsp;<\/p>\n<p>The FBI and prosecutors accuse Antropenko of deploying ransomware and extorting victims by email, and implicate him and his ex-wife, Valeriia Bednarchik, in the laundering of ransomware proceeds. Investigators traced the path of ransom payments, money laundering techniques and services, and determined the seized accounts, cash and vehicles were derived from criminal proceeds.<\/p>\n<p>The FBI said it found at least 48 cryptocurrency addresses referenced in Antropenko\u2019s email account \u2014 china.helper@aol.com, which he registered in May 2018 \u2014 including \u201cemails that received or negotiated ransom payments\u201d and emails about other ransomware attacks.&nbsp;<\/p>\n<p>A cluster of Bitcoin addresses owned by Antropenko \u201chad received a total of approximately 101 Bitcoin\u201d as of Feb. 5, 2024. Out of this amount, 64.6 Bitcoin was sent to the cryptocurrency mixing service ChipMixer, according to the FBI. As of today\u2019s rates, the current value of 101 Bitcoin is almost $10.9 million.<\/p>\n<p>The <a href=\"https:\/\/cyberscoop.com\/police-shut-down-cryptocurrency-mixer-chipmixer\/\">2023 takedown of ChipMixer<\/a>, which was used by criminals to launder more than $3 billion in cryptocurrency starting in 2017, provided crucial evidence for this investigation, according to Ian Gray, VP of intelligence at Flashpoint.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cOnly after law enforcement seized ChipMixer\u2019s infrastructure could investigators trace the funds linked to accounts registered in Antropenko\u2019s name,\u201d he said. \u201cThe sophistication of Bitcoin tracing and clustering techniques also likely contributed to the timing, as law enforcement has adopted software and tools more widely.\u201d<\/p>\n<p>Prosecutors allege that Antropenko and Bednarchik funneled money from computer fraud victims through ChipMixer, then back to their own exchange accounts. Antropenko also allegedly arranged in-person cryptocurrency-to-cash swaps in the U.S., depositing the cash in small sums under $10,000 into his bank account.<\/p>\n<p>FBI investigators traced Antropenko\u2019s activities via accounts he held at Proton Mail, PayPal and Bank of America, and accounts he and Bednarchik controlled at Binance and Apple. In Bednarchik\u2019s iCloud account, agents found a seed phrase for a crypto wallet that had received over 40 Bitcoin from Antropenko\u2019s accounts, as well as evidence she had agreed to safeguard a disguised copy of this phrase so the funds could be accessed if Antropenko became unavailable. Her account also contained joint tax returns with Antropenko and photos showing large amounts of U.S. cash.<\/p>\n<figure class=\"wp-block-gallery has-nested-images columns-default is-cropped wp-block-gallery-1 is-layout-flex wp-block-gallery-is-layout-flex\">\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" height=\"856\" width=\"640\" data-id=\"85777\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/prolific-russian-ransomware-operator-living-in-california-enjoys-rare-leniency-awaiting-trial-1.png?resize=640%2C856&#038;ssl=1\" alt=\"In the indictment filed against Antropenko, authorities included two images of U.S. cash in a Louis Vuitton shopping bag that investigators said they found on Bednarchik\u2019s iCloud account. Metadata from the photos showed they were taken within 21 seconds of each other on April 10, 2022.\" class=\"wp-image-85777\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/prolific-russian-ransomware-operator-living-in-california-enjoys-rare-leniency-awaiting-trial-6.png 948w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/prolific-russian-ransomware-operator-living-in-california-enjoys-rare-leniency-awaiting-trial-6.png?resize=224,300 224w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/prolific-russian-ransomware-operator-living-in-california-enjoys-rare-leniency-awaiting-trial-6.png?resize=768,1027 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/prolific-russian-ransomware-operator-living-in-california-enjoys-rare-leniency-awaiting-trial-6.png?resize=766,1024 766w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/prolific-russian-ransomware-operator-living-in-california-enjoys-rare-leniency-awaiting-trial-6.png?resize=449,600 449w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/prolific-russian-ransomware-operator-living-in-california-enjoys-rare-leniency-awaiting-trial-6.png?resize=126,168 126w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/prolific-russian-ransomware-operator-living-in-california-enjoys-rare-leniency-awaiting-trial-6.png?resize=252,337 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/prolific-russian-ransomware-operator-living-in-california-enjoys-rare-leniency-awaiting-trial-6.png?resize=505,675 505w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/prolific-russian-ransomware-operator-living-in-california-enjoys-rare-leniency-awaiting-trial-6.png?resize=630,843 630w\" sizes=\"(max-width: 766px) 100vw, 766px\"><figcaption class=\"wp-element-caption\">In the indictment filed against Antropenko, authorities included two images of U.S. cash in a Louis Vuitton shopping bag that investigators said they found on Bednarchik\u2019s iCloud account. Metadata from the photos showed they were taken within 21 seconds of each other on April 10, 2022.<\/figcaption><\/figure>\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" loading=\"lazy\" loading=\"lazy\" decoding=\"async\" height=\"848\" width=\"640\" data-id=\"85776\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/prolific-russian-ransomware-operator-living-in-california-enjoys-rare-leniency-awaiting-trial-2.png?resize=640%2C848&#038;ssl=1\" alt=\"The second photo shows approximately half of the cash removed with a note affixed to the remaining cash written in Cyrillic and English. The English portion of the note reads: \u201cI took half 50000$ from 100000$\u201d\" class=\"wp-image-85776\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/prolific-russian-ransomware-operator-living-in-california-enjoys-rare-leniency-awaiting-trial-7.png 1478w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/prolific-russian-ransomware-operator-living-in-california-enjoys-rare-leniency-awaiting-trial-7.png?resize=226,300 226w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/prolific-russian-ransomware-operator-living-in-california-enjoys-rare-leniency-awaiting-trial-7.png?resize=768,1017 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/prolific-russian-ransomware-operator-living-in-california-enjoys-rare-leniency-awaiting-trial-7.png?resize=773,1024 773w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/prolific-russian-ransomware-operator-living-in-california-enjoys-rare-leniency-awaiting-trial-7.png?resize=1159,1536 1159w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/prolific-russian-ransomware-operator-living-in-california-enjoys-rare-leniency-awaiting-trial-7.png?resize=453,600 453w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/prolific-russian-ransomware-operator-living-in-california-enjoys-rare-leniency-awaiting-trial-7.png?resize=127,168 127w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/prolific-russian-ransomware-operator-living-in-california-enjoys-rare-leniency-awaiting-trial-7.png?resize=254,337 254w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/prolific-russian-ransomware-operator-living-in-california-enjoys-rare-leniency-awaiting-trial-7.png?resize=510,675 510w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/prolific-russian-ransomware-operator-living-in-california-enjoys-rare-leniency-awaiting-trial-7.png?resize=636,843 636w\" sizes=\"auto, (max-width: 773px) 100vw, 773px\"><figcaption class=\"wp-element-caption\">The second photo shows approximately half of the cash removed with a note affixed to the remaining cash written in Cyrillic and English. The English portion of the note reads: \u201cI took half 50000$ from 100000$\u201d<\/figcaption><\/figure>\n<\/figure>\n<p>Authorities also seized cash and two luxury vehicles from the apartment Antropenko and Bednarchik once shared in Irvine, Calif. This included a Lexus LX 570 that Antropenko purchased for more than $123,000 in November 2022 and a 2022 BMW X6M that Antropenko and Bednarchik purchased for $150,000 in cash in November 2021. Photos of vehicles matching those descriptions are depicted on <a href=\"https:\/\/www.instagram.com\/fzquared\/\">Antropenko\u2019s public Instagram account<\/a>.&nbsp;<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Ransomware operators have been assisted by their spouses in other cases, but their partners\u2019 involvement is typically limited to money laundering, Allan Liska, threat intelligence analyst at Recorded Future, told CyberScoop.<\/p>\n<p>While many ransomware operators and affiliates operate outside of Russia now, it is rare for a Russian national to live in the U.S. while initiating ransomware attacks for as long as Antropenko allegedly did, Liska said.<\/p>\n<p>\u201cIt sounds like he may have had additional information about other people, maybe bigger fish that law enforcement could go after,\u201d he said.<\/p>\n<p>The U.S. District Court for the Northern District of Texas declined to answer questions or provide additional information. The most recent attorney on record for Antropenko did not respond to a request for comment.&nbsp;<\/p>\n<p>Antropenko didn\u2019t just inflict damages on his cybercrime victims, as alleged by prosecutors. His volatility erupted around those closest to him, according to Bednarchik, who accused him of domestic violence in temporary restraining orders she filed against Antropenko in April and May 2022.&nbsp;<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Bednarchik has been identified as Antropenko\u2019s unnamed co-conspirator through court documents and public records. While authorities said they plan to bring charges against her, no cases are currently pending.<\/p>\n<p>In court filings, Bednarchik painted a picture of a controlling relationship, writing that Antropenko \u201cconstantly threatens me with full custody of our son, because he has a lot of money\u201d and expressing fears he might take their child to Russia without permission.<\/p>\n<figure class=\"wp-block-image size-large is-resized\"><img data-recalc-dims=\"1\" loading=\"lazy\" loading=\"lazy\" decoding=\"async\" height=\"800\" width=\"640\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/prolific-russian-ransomware-operator-living-in-california-enjoys-rare-leniency-awaiting-trial-3.png?resize=640%2C800&#038;ssl=1\" alt=\"Photo of a BMW X6M posted to Antropenko\u2019s public Instagram account Dec. 14, 2021. The car matches the description of the vehicle authorities seized in Irvine, California, February 2024.\" class=\"wp-image-85778\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/prolific-russian-ransomware-operator-living-in-california-enjoys-rare-leniency-awaiting-trial-8.png 1200w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/prolific-russian-ransomware-operator-living-in-california-enjoys-rare-leniency-awaiting-trial-8.png?resize=240,300 240w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/prolific-russian-ransomware-operator-living-in-california-enjoys-rare-leniency-awaiting-trial-8.png?resize=768,960 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/prolific-russian-ransomware-operator-living-in-california-enjoys-rare-leniency-awaiting-trial-8.png?resize=819,1024 819w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/prolific-russian-ransomware-operator-living-in-california-enjoys-rare-leniency-awaiting-trial-8.png?resize=480,600 480w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/prolific-russian-ransomware-operator-living-in-california-enjoys-rare-leniency-awaiting-trial-8.png?resize=134,168 134w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/prolific-russian-ransomware-operator-living-in-california-enjoys-rare-leniency-awaiting-trial-8.png?resize=270,337 270w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/prolific-russian-ransomware-operator-living-in-california-enjoys-rare-leniency-awaiting-trial-8.png?resize=540,675 540w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/prolific-russian-ransomware-operator-living-in-california-enjoys-rare-leniency-awaiting-trial-8.png?resize=674,843 674w\" sizes=\"auto, (max-width: 819px) 100vw, 819px\"><figcaption class=\"wp-element-caption\">Photo of a BMW X6M posted to Antropenko\u2019s public Instagram account Dec. 14, 2021. The car matches the description of the vehicle authorities seized in Irvine, California, February 2024. (Instagram)<\/figcaption><\/figure>\n<p>Court records reveal the family lived together in Miami and later Irvine until 2022. Despite Bednarchik reporting only $800 monthly income from her clothing business, she estimated Antropenko earned $50,000 per month from \u201ccryptocurrency dividends,\u201d describing him as \u201cthe breadwinner for the family.\u201d<\/p>\n<p>When Antropenko was arrested in September 2024, Bednarchik posted his $10,000 bail, identifying herself in the affidavit as his ex-wife.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cShe\u2019s either being redacted because she\u2019s a victim or because she is collaborating with law enforcement and has been able to get her name redacted,\u201d Zach Edwards, senior threat analyst at Silent Push, told CyberScoop.<\/p>\n<h4 class=\"wp-block-heading\" id=\"h-antropenko-s-ties-to-zeppelin-ransomware\">Antropenko\u2019s ties to Zeppelin ransomware<\/h4>\n<p>Authorities did not describe the extent to which Antropenko was involved with Zeppelin ransomware. Prosecutors mention unnamed co-conspirators in some court documents, indicating they are investigating or aware of others involved in the ransomware-as-a-service operation.<\/p>\n<p>The Cybersecurity and Infrastructure Security Agency said Zeppelin ransomware victims include a wide range of businesses and critical infrastructure organizations, including defense contractors, educational institutions, manufacturers, technology companies and organizations in the health care and medical industries.&nbsp;<\/p>\n<p>Zeppelin, a variant of the Delphi-based Vega malware, was used from at least 2019 to mid-2022, the agency said in an August 2022 <a href=\"https:\/\/www.cisa.gov\/sites\/default\/files\/publications\/AA22-223A_Zeppelin_CSA.pdf\">advisory<\/a>. A ransom note included in CISA\u2019s advisory listed an AOL address for communication regarding extortion payments.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Prosecutors and investigators working on Antropenko\u2019s case said Zeppelin ransomware affected about 138 U.S. victims since March 2020, including a data analysis company and its CEO based in the Dallas region where Antropenko faces federal charges.<\/p>\n<p>Prosecutors have consistently declared the case against Antropenko \u201ccomplex,\u201d with evidence surpassing 7 terabytes of data, including personally identifiable information of victims, such as names, addresses, photos and bank account numbers.&nbsp;<\/p>\n<p>Zeppelin and Antropenko\u2019s alleged activities rose during the second wave of ransomware, when many cybercriminals were winging it and law enforcement activity was at a lull, Liska said. \u201cIf you start off with a mistake, that mistake is going to catch up to you,\u201d he said.<\/p>\n<p>Indeed, threat researchers and analysts attribute Antropenko\u2019s capture to \u201csloppy\u201d behaviors and practices, including his use of major U.S. service providers.<\/p>\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" loading=\"lazy\" loading=\"lazy\" decoding=\"async\" height=\"640\" width=\"640\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/prolific-russian-ransomware-operator-living-in-california-enjoys-rare-leniency-awaiting-trial-4.png?resize=640%2C640&#038;ssl=1\" alt=\"Photo showing the right rear and emblem of a Lexus LX 570 posted to Antropenko\u2019s public Instagram account April 3, 2021. The car matches the description of the vehicle authorities seized in Irvine, California, February 2024.\" class=\"wp-image-85780\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/prolific-russian-ransomware-operator-living-in-california-enjoys-rare-leniency-awaiting-trial-9.png 1200w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/prolific-russian-ransomware-operator-living-in-california-enjoys-rare-leniency-awaiting-trial-9.png?resize=150,150 150w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/prolific-russian-ransomware-operator-living-in-california-enjoys-rare-leniency-awaiting-trial-9.png?resize=300,300 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/prolific-russian-ransomware-operator-living-in-california-enjoys-rare-leniency-awaiting-trial-9.png?resize=768,768 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/prolific-russian-ransomware-operator-living-in-california-enjoys-rare-leniency-awaiting-trial-9.png?resize=1024,1024 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/prolific-russian-ransomware-operator-living-in-california-enjoys-rare-leniency-awaiting-trial-9.png?resize=600,600 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/prolific-russian-ransomware-operator-living-in-california-enjoys-rare-leniency-awaiting-trial-9.png?resize=168,168 168w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/prolific-russian-ransomware-operator-living-in-california-enjoys-rare-leniency-awaiting-trial-9.png?resize=337,337 337w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/prolific-russian-ransomware-operator-living-in-california-enjoys-rare-leniency-awaiting-trial-9.png?resize=675,675 675w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/prolific-russian-ransomware-operator-living-in-california-enjoys-rare-leniency-awaiting-trial-9.png?resize=843,843 843w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\"><\/figure>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cAntropenko\u2019s operational security was remarkably poor,\u201d Gray said.<\/p>\n<p>\u201cHe used a personal PayPal account linked to recovery emails for ransomware operations, shared usernames between banking and ransomware accounts, and stored sensitive information like cryptocurrency seed phrases and photos of large cash amounts in iCloud accounts,\u201d he continued. \u201cThese OPSEC failures ultimately led to law enforcement identifying Antropenko.\u201d<\/p>\n<h5 class=\"wp-block-heading\" id=\"h-pretrial-release-violations\"><strong>Pretrial release violations<\/strong><\/h5>\n<p>While prosecutors push Antropenko\u2019s trial date further down the road \u2014 currently set for Feb. 6, 2026 \u2014 his personal life has been unraveling. He was hospitalized on a mental health hold on Dec. 31, 2024, and spent a week in a behavioral health hospital, according to a pretrial release violation report.<\/p>\n<p>Antropenko told his probation officer that his ex-wife took his son from him unexpectedly, which led to a significant bout of depression and increase in alcohol consumption. \u201cWhile walking around his RV park intoxicated, he was approached by an individual who offered him an unknown drug,\u201d which he assumed was some type of methamphetamine, Antropenko\u2019s probation officer wrote in the court filing.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Antropenko said he had little recollection of the events that followed. Once he was placed in a police car after law enforcement arrived the following morning, \u201che assumed he was being arrested which exacerbated his depression, prompting him to bang his head on the window of the police car, after which he recalls regaining consciousness in the hospital,\u201d the probation officer said. No charges were filed.<\/p>\n<p>Almost two months later, Antropenko was arrested for public intoxication in Riverside County, Calif., when he was found laying unresponsive in the center divider of a roadway. Antropenko told his probation officer he sat down on a curb near his home to smoke a cigarette after consuming four to five beers and was feeling tired, so he fell asleep. He was released the following day.<\/p>\n<p>A U.S. magistrate judge in Texas allowed Antropenko to remain out on bond and modified the conditions of his release to include a ban on alcohol consumption and submit to regular alcohol testing.<\/p>\n<p>\u201cIt strikes me as unusual to have so many drug violations and stay out on bail,\u201d Kaiser said. \u201cIt would be overly lenient if they were still perpetrating crimes obviously against others. It appears he\u2019s harming himself.\u201d&nbsp;<\/p>\n<p>In April, Antropenko contacted his parole officer to make an unsolicited admission to cocaine use, according to a court document filed in May. \u201cThe defendant stated that he attended a birthday celebration for a friend\u2019s sister. When he went to the restroom some \u2018random people\u2019 offered him a \u2018bump of cocaine,\u2019\u201d his probation officer said. The court took no further action.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cEven if he is a cooperating witness, he has been given a lot of freedom, a lot more freedom than we normally see in this case,\u201d Liska said. \u201cI can\u2019t think of any case, of anybody this high profile, that has been given this level of freedom, cooperating or not.\u201d<\/p>\n<p>Edwards is also dismayed Antropenko remains out on bail pending trial.<\/p>\n<p>\u201cIt\u2019s wild that a citizen from Russia who has been accused of partnering with serious global threat actors and is out on bail for leading a ransomware campaign, has been arrested multiple times for issues associated with alcohol, including passing out on a street in public, and also admitted to using cocaine while out on bail, and yet his bail hasn\u2019t been revoked,\u201d he said.<\/p>\n<p>Former law enforcement officials were less shocked about the circumstances of Antropenko\u2019s case than security analysts.<\/p>\n<p>Adam Marr\u00e8, chief information security officer at Arctic Wolf, said the post-arrest privileges granted to Antropenko aren\u2019t that odd, especially since Antropenko\u2019s alleged pretrial release violations don\u2019t have anything to do with cybercrime.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Marr\u00e8 said Antropenko\u2019s alleged violations would have frustrated him when he was a special agent at the FBI investigating cybercrime, but he understands the court\u2019s decisions, adding \u201cpeople are innocent until proven guilty.\u201d<\/p>\n<p>It\u2019s important to note the FBI is focused on outcomes, according to Kaiser. \u201cGetting money back to victims who were stolen from is more important than punishing some guy, especially if he\u2019s not doing [ransomware] activities anymore,\u201d she said.<\/p>\n<p>\u201cIt\u2019s hard to arrest these people in the first place and stop them, which means it\u2019s very complicated to deter them over a long period of time,\u201d Kaiser added. \u201cThere\u2019s no one arrest that\u2019s going to stop these types of activities.\u201d<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"2.3920454545455\">\n<div class=\"author-card\" readability=\"14\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/09\/prolific-russian-ransomware-operator-living-in-california-enjoys-rare-leniency-awaiting-trial-1.jpg?w=640&#038;ssl=1\" alt=\"Matt Kapko\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Matt Kapko<\/h4>\n<p> Matt Kapko is a reporter at CyberScoop. His beat includes cybercrime, ransomware, software defects and vulnerability (mis)management. The lifelong Californian started his journalism career in 2001 with previous stops at Cybersecurity Dive, CIO, SDxCentral and RCR Wireless News. Matt has a degree in journalism and history from Humboldt State University. <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p> <!-- Start of HubSpot Embed Code --> <!-- End of HubSpot Embed Code --> <\/body> <a href=\"https:\/\/cyberscoop.com\/ianis-antropenko-zeppelin-ransomware-russian-cybercrime\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Prolific Russian ransomware operator living in California enjoys rare leniency<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[4906,303,1841,4415,4907,4908,1355,948,2515,3390,2701,3454,337,282,78,338,4909,3772,1807,669,3911,117,281,684,4910,3833,1365,2915,4911,46,2015,256,270,4534,1501,288,4912],"tags":[4913,307,1847,4416,4914,4915,1357,949,2519,3391,2704,3455,340,286,86,341,4916,3774,1810,671,3915,119,285,689,4917,3835,1366,2918,4918,54,2017,262,276,4535,1503,294,4919],"class_list":["post-7945","post","type-post","status-publish","format-standard","hentry","category-aol","category-apple","category-arctic-wolf","category-arrest","category-bank-of-america","category-binance","category-bitcoin","category-california","category-computer-fraud","category-computer-fraud-and-abuse-act-cfaa","category-crypto","category-crypto-mixer","category-cryptocurrency","category-cybercrime","category-cybersecurity","category-department-of-justice-doj","category-district-court-of-northern-texas","category-ethereum","category-exclusive","category-federal-bureau-of-investigation-fbi","category-flashpoint","category-government","category-hacking","category-halcyon","category-icloud","category-indictment","category-money","category-paypal","category-proton-mail","category-ransomware","category-recorded-future","category-research","category-russia","category-silent-push","category-texas","category-threats","category-zeppelin","tag-aol","tag-apple","tag-arctic-wolf","tag-arrest","tag-bank-of-america","tag-binance","tag-bitcoin","tag-california","tag-computer-fraud","tag-computer-fraud-and-abuse-act-cfaa","tag-crypto","tag-crypto-mixer","tag-cryptocurrency","tag-cybercrime","tag-cybersecurity","tag-department-of-justice-doj","tag-district-court-of-northern-texas","tag-ethereum","tag-exclusive","tag-federal-bureau-of-investigation-fbi","tag-flashpoint","tag-government","tag-hacking","tag-halcyon","tag-icloud","tag-indictment","tag-money","tag-paypal","tag-proton-mail","tag-ransomware","tag-recorded-future","tag-research","tag-russia","tag-silent-push","tag-texas","tag-threats","tag-zeppelin"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/aol\/\" rel=\"category tag\">AOL<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/apple\/\" rel=\"category tag\">Apple<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/arctic-wolf\/\" rel=\"category tag\">Arctic Wolf<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/arrest\/\" rel=\"category tag\">Arrest<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/bank-of-america\/\" rel=\"category tag\">Bank of America<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/binance\/\" rel=\"category tag\">Binance<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/bitcoin\/\" rel=\"category tag\">bitcoin<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/california\/\" rel=\"category tag\">California<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/computer-fraud\/\" rel=\"category tag\">computer fraud<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/computer-fraud-and-abuse-act-cfaa\/\" rel=\"category tag\">Computer Fraud and Abuse Act (CFAA)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/crypto\/\" rel=\"category tag\">crypto<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/crypto-mixer\/\" rel=\"category tag\">crypto mixer<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cryptocurrency\/\" rel=\"category tag\">cryptocurrency<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybercrime\/\" rel=\"category tag\">cybercrime<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/department-of-justice-doj\/\" rel=\"category tag\">Department of Justice (DOJ)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/district-court-of-northern-texas\/\" rel=\"category tag\">District Court of Northern Texas<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/ethereum\/\" rel=\"category tag\">Ethereum<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/exclusive\/\" rel=\"category tag\">Exclusive<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/federal-bureau-of-investigation-fbi\/\" rel=\"category tag\">Federal Bureau of Investigation (FBI)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/flashpoint\/\" rel=\"category tag\">Flashpoint<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/government\/\" rel=\"category tag\">Government<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/hacking\/\" rel=\"category tag\">hacking<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/halcyon\/\" rel=\"category tag\">Halcyon<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/icloud\/\" rel=\"category tag\">iCloud<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/indictment\/\" rel=\"category tag\">indictment<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/money\/\" rel=\"category tag\">Money<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/paypal\/\" rel=\"category tag\">PayPal<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/proton-mail\/\" rel=\"category tag\">Proton Mail<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/ransomware\/\" rel=\"category tag\">ransomware<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/recorded-future\/\" rel=\"category tag\">Recorded Future<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/research\/\" rel=\"category tag\">Research<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/russia\/\" rel=\"category tag\">Russia<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/silent-push\/\" rel=\"category tag\">Silent Push<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/texas\/\" rel=\"category tag\">Texas<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category tag\">Threats<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/zeppelin\/\" rel=\"category tag\">Zeppelin<\/a>","tag_info":"Zeppelin","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7945","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=7945"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7945\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=7945"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=7945"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=7945"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}