Former FBI employees explain how their colleagues shut down a dangerous syndicate.
The international cybercrime syndicate Hive ceased to exist in January after the FBI seized the group's IT infrastructure.
According to the US Department of Justice (DoJ), FBI agents infiltrated the gang in July 2022 and provided victims with more than 300 decryption keys, sparing them from paying $130 million in ransom. This means that for the past 6 months the authorities have known most of Hive's victims, and the syndicate has likely seen a sharp drop in ransom income. However, the cybercriminals did not realize that they had insiders.
How did FBI agents get into Hive?
Exactly how the operation was carried out is classified, but former FBI special agent Darren Mott, who specializes in cybercrime, believes the FBI either had an undercover agent or, more likely, recruited someone inside Hive. One obvious sign of an insider is an unprotected decryptor.
Former FBI adviser Chris Pearson said the operation could also have combined the two approaches. For example, the authorities could recruit an insider who would then invite « their » person to join the team.
A different approach could also have been used to capture Hive: FBI hackers entered Hive's systems without inside help. Once inside, the feds began tracking the cybercriminals' actions on the network. « In fact, they crack the environment, sit watching and accumulating information about the operation – just like cybercriminals do when they attack a company », said Pearson.
Why didn't the Hive syndicate notice that it had been caught?
The FBI has provided more than 300 decryption keys to Hive victims, yet the hackers still did not notice that many failed extortions. This may be because Hive operates on the RaaS model (Ransomware-as-a-Service): the syndicate had so many affiliates that it did not keep track of its victims.
The FBI could also have worked out which entry points Hive used, shared that information with targeted victims, and let them strengthen their defenses in the early stages of an attack. The cybercriminals might not have suspected anything at all as long as the victims who chose to cooperate with law enforcement did not publicly disclose that they had been attacked.
According to Pearson, there is also the possibility that Hive simply ignored the ratio of compromises to paid ransoms. This could be due to software problems, a lack of data collection, or the absence of file decryption.
Why did the FBI wait 6 months?
Randy Pargman, a former member of the FBI's cyber operations group, believes that the longer the authorities remain inside, the better their chances of dismantling the criminals' systems. If they had immediately shut down the Hive server, the attackers would simply have stood up another server and carried on. Instead, law enforcement monitored the server and quietly provided victims with decryption keys.
Law enforcement may have quietly informed every victim it could reach, but some companies still chose to pay the ransom so that the hackers would not publish their files. The FBI's efforts have left the Hive syndicate defunct, but its hackers may soon split up and join other groups, as Conti members did after that group broke up.