An ex-Canadian government IT worker has admitted to being a high-level hacker with a Russian cyber-crime group.
Sebastien Vachon-Desjardins, from Quebec, Canada, has agreed to plead guilty in a Florida court.
The 34-year-old was affiliated to the NetWalker ransomware crew, which has attacked companies, municipalities, hospitals, schools and universities.
When he was arrested, police discovered he was in possession of $27m (£22.2m) in Bitcoin.
The case represents a rare example of a successful arrest and prosecution of a hacker working for a Russia-based cyber-crime group.
US court documents state that the Canadian was one of NetWalker’s most prolific affiliates.
Evidence gathered by police shows he went on a hacking spree between April and December 2020, attacking 17 Canadian companies and many others around the world.
NetWalker operated a ransomware-as-a-service criminal business, offering its malicious software and extortion website to hacker affiliates.
The leaders, who are still at large, communicate in Russian online and ensure that their malware does not infect Russian computer systems, or those of former Soviet countries which are now members of the Commonwealth of Independent States.
Affiliates like Mr Vachon-Desjardins are responsible for identifying and attacking high-value victims with the ransomware.
NetWalker developers and affiliates split the ransom or, if the victim refuses to pay, a share of the money made from selling the stolen data.
Mr Vachon-Desjardins was arrested in Canada in January 2021 and subsequently extradited following a US investigation into the cyber-crime group. That investigation dismantled the group's online operation and uncovered a database of affiliate details.
In one incident, the group extorted $1.14m from a US university trying to develop a Covid-19 vaccine.
A NetWalker attack on the Düsseldorf University Clinic in September 2020 is also believed to have contributed to the death of a patient who had to be relocated to another hospital for treatment.
In each incident the victims would find a note on their computers reading: “Hi! Your files are encrypted by NetWalker.
“Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to co-operate with us and get the decrypter program. For us this is just business.”
Police seized dozens of computers and storage devices, 719 Bitcoin worth approximately C$35m ($27m, £22m) and C$790,000 in cash from Mr Vachon-Desjardins’ house.
On his LinkedIn profile, he says he worked for various government departments from 2010 onwards, and cites expertise in responding to cyber-security incidents.
He is pleading guilty to one count of conspiring to commit computer fraud, and one count of transmitting a demand in relation to damaging a protected computer.
The court has agreed not to proceed with two other charges.
He will be sentenced at a later date, and could face 10 years in prison.