Key Takeaways:

A Russian couple living in Spain ran one of Europe’s largest ransomware schemes, earning more than €64 million in bitcoin.

Their relationship began when a victim, Elena Timofeeva, confronted her hacker, Vadim Sirotin—and eventually joined him.

Investigators tracked the pair through a mysterious tip-off that revealed the servers hosting their ransomware.

The case underscores the growing sophistication of “ransomware-as-a-service” and the blurred line between private and state-linked hacking.

Both were convicted in Belgium in 2025 and sentenced to prison after refusing to reveal passwords to encrypted devices.

Elena Timofeeva seemed an unlikely figure to emerge as a major cybercriminal. In the coastal calm of Marbella, she lived a modest life, far from her roots in Siberia’s coal-mining region of Kemerovo. But behind her quiet exterior, she was “Drakosha,” a top operative in one of the most profitable ransomware operations in Europe. Alongside her partner, Vadim Sirotin, she helped extort hundreds of thousands of victims across multiple countries, generating more than €64 million in bitcoin over nearly a decade.

Their story began not with crime, but with curiosity. In 2015, Timofeeva received a ransom note after her files were encrypted by a hacker. Instead of paying, she mocked the attacker’s spelling and engaged him in conversation. The hacker—who went by “Corrector the Magnificent”—was Sirotin, a 30-year-old from St. Petersburg living with his parents in southern Spain. Their exchanges, initially sarcastic, evolved into daily communication. Soon, Timofeeva began offering business suggestions. Before long, she wasn’t a victim—she was a partner.

Investigators later described the pair as pioneers in what became known as “ransomware-as-a-service,” offering hacking tools to affiliates for a share of the profits. Their early platform, Cryakl, targeted thousands of victims through phishing emails and infected attachments. Later iterations, rebranded as Crylock, moved beyond Russia’s borders and adopted a double-extortion model, threatening to leak stolen data unless victims paid up. “You want to sell the shovels and picks to the gold miners rather than trying to gold mine yourself,” said cybersecurity analyst Allan Liska, referencing the growing sophistication of such business models.

The pair’s partnership blended intellect and manipulation. Sirotin, who once described hacking as “power over someone’s life,” viewed himself as a kind of digital demigod. “I can pardon, I can punish,” he wrote in a message later presented in court. “Power can be a beautiful thing.” Timofeeva brought operational structure, managing recruits and payment flows, and developing new targeting strategies. She also harbored feelings for Sirotin that he rarely reciprocated. “Sometimes we’re friends. Sometimes we’re a couple. We also argue a lot,” he later told investigators.

Their network expanded rapidly. By 2020, Crylock was striking victims across Europe. Timofeeva and Sirotin moved their operations to Spain, using multiple pseudonyms and digital wallets. Investigators believe they targeted as many as 400,000 users, from small businesses to large organizations. But even sophisticated cybercriminals make mistakes. The couple’s downfall began when European authorities received a tip-off revealing the location of two servers hosting their ransomware. The origin of that intelligence remains unclear.

Belgian authorities, who had been quietly investigating the group since 2016, acted on the tip, seizing servers in Germany and the Netherlands. Those servers contained not just code, but decryption keys, victim lists, and messages linking the pair directly to the crimes. From there, police traced emails and bitcoin transactions to accounts controlled by Sirotin and Timofeeva. “Basically everybody that is on the internet is leaving a trace,” said a Europol investigator involved in the case. “Our work is going after that trace.”

Their arrest came in June 2023 in Spain, when police detained Sirotin first, then moved in on Timofeeva’s apartment. Officers seized bank cards, phones, and laptops—two still powered on. The evidence was overwhelming. In 2025, the couple stood trial in Belgium’s Justice Palace in Brussels, facing charges of cyber extortion, money laundering, and obstruction of justice for refusing to reveal their device passwords.

During the hearings, prosecutors described Sirotin as “a sadist” who relished control over victims, often taunting them on social media. Defense lawyers argued that Belgium lacked jurisdiction, as only a few local companies had been directly affected. But the prosecution countered that the servers used in the attacks and the infrastructure of the operation had significant Belgian connections.

The court sentenced Sirotin to seven years in prison and Timofeeva to five. Their bitcoin holdings were ordered forfeited. During her testimony, Timofeeva apologized for calling investigators “stupid” in a wiretapped call and denied referring to her subordinates as “slaves,” claiming a mistranslation from Russian. Her lawyer, Pieter Filipowicz, later said, “When you learn to speak French in one year, you’re not stupid. She was the intelligent one of the pair.”

The tip that led to their arrest remains one of the case’s central mysteries. Some believe it originated from a private cybersecurity company such as Kaspersky, which had monitored Cryakl for years and publicly claimed to have deciphered its code in 2018. Others speculate it may have come from rival hackers—or even someone within Russia. “They’re not part of the Russian army,” said European cybersecurity expert Mikko Hyppönen. “They’re just gangs useful to the Russian government, in the sense that they’re attacking western infrastructure.”

The couple’s story illustrates how personal relationships can intertwine with digital crime. What began as an email exchange between a hacker and his victim grew into a sprawling, multinational criminal enterprise. Yet it also shows how ransomware operations are changing. Increasingly, they mirror legitimate businesses—with recruitment, profit-sharing, and management hierarchies—making them harder to detect and dismantle.

For now, Sirotin has appealed his sentence, while Timofeeva has chosen not to. She is seeking asylum in Belgium, fearing persecution if deported to Russia. After years of living behind screens, both are confined by prison walls—a stark contrast to the virtual freedom that once made them rich.

In one of their earliest exchanges, Timofeeva had asked Sirotin if there wasn’t “another way to make money with your mind.” His answer was dismissive. A decade later, that question still lingers—an ironic echo of how greed and power blurred the boundaries between love, loyalty, and lawlessness in one of Europe’s most extraordinary ransomware sagas.

