Yaroslav Vasinskyi, online persona Robotnik, is a Ukrainian national arrested at the Polish border in October 2021, extradited to the United States in March 2022, and convicted in May 2024 of operating as a REvil ransomware affiliate. He is one of the few ransomware operators who have actually faced trial in a U.S. courtroom.
The Kaseya attack
On 2 July 2021 — the Friday afternoon of the U.S. Independence Day long weekend — REvil affiliates exploited CVE-2021-30116, a SQL injection zero-day in Kaseya's VSA remote-management platform. The attackers pushed the REvil encryptor as a "VSA hotfix" through Kaseya's update mechanism, propagating to roughly 60 managed service providers and through them to between 1,500 and 2,000 downstream organisations.
It was the largest supply-chain ransomware attack on record at the time. Coop, Sweden's second-largest grocery chain, closed all 800 of its stores for days because its point-of-sale terminals had been encrypted via a downstream MSP. REvil demanded $70 million for a universal decryptor. Kaseya eventually obtained a decryptor from the FBI, which had quietly compromised REvil infrastructure during the attack.
Vasinskyi was identified by U.S. and Polish authorities as a key operational affiliate of the campaign.
Arrest, extradition, trial
- October 8, 2021: arrested at the Polish-Ukrainian border on a U.S. warrant.
- March 3, 2022: extradited to the United States.
- May 1, 2024: sentenced in the Middle District of Pennsylvania to 13 years 7 months in federal prison and ordered to pay $16 million in restitution.
The trial documented Vasinskyi's REvil membership, his cryptocurrency wallets, his communications with the REvil core team (which the FBI accessed via the same compromised infrastructure that enabled the decryptor recovery), and his share of ransom proceeds.
Why it matters
Vasinskyi is one of the very few ransomware operators ever to stand trial in a Western country. The combination of factors that made it possible was specific:
- Ukrainian rather than Russian nationality — Ukraine's cooperation with U.S. extradition requests is materially different from Russia's.
- Border crossing into Poland — Vasinskyi was caught attempting to enter the Schengen area.
- FBI compromise of REvil infrastructure — the same operation that yielded the universal decryptor produced months of communication logs implicating named individuals.
The case proves that the personalisation of ransomware response works, given the right access and the right travelling target. It also explains why a non-trivial fraction of the ransomware operator community has moved its physical residence to non-extraditing jurisdictions since 2022.