
Europol Debunks Fake $50,000 Ransomware Reward Claim

Summary

– Europol confirmed a fake Telegram channel impersonating the agency offered a $50,000 reward for information on Qilin ransomware administrators.
– The impostor later admitted the channel was created to troll researchers and journalists who reported on the false claims.
– The fake post targeted two Qilin administrators known as “Haise” and “XORacle,” who coordinate the ransomware group’s global attacks.
– This incident is part of a pattern where threat actors create hoaxes to mislead the media and security community, as seen in similar past events.
– The Qilin ransomware operation, active since 2022, is one of the most prolific groups targeting critical infrastructure worldwide.

Europol has officially confirmed that a fraudulent Telegram channel impersonating the agency and promising a $50,000 reward for information leading to the capture of two Qilin ransomware administrators is entirely fabricated. The channel, which appeared under the name @europolcti on August 16, falsely claimed to be part of an international effort to locate individuals using the aliases “Haise” and “XORacle.” Europol clarified in a statement to BleepingComputer that the announcement did not originate from any of its official channels, emphasizing that the agency was taken aback by how widely the false story spread.

The impersonator’s post mimicked official law enforcement language, referencing “ongoing international investigations” and describing Qilin’s attacks on critical infrastructure. It also included a call for public assistance, offering a substantial financial incentive for information. Shortly after Europol exposed the hoax, the same Telegram account posted a new message admitting the entire scheme was designed to mislead journalists and cybersecurity researchers. The message, signed by an individual using the name Rey, previously associated with breaches at major telecommunications firms, boasted about how easily so-called experts had been fooled.

This incident is not an isolated case. Threat actors have a history of attempting to manipulate media coverage and public perception through fabricated narratives. In August, several cybercriminal groups, including those claiming affiliation with “Scattered Spider” and “Lapsus,” used Telegram to publicly criticize Qilin and its operators. These actions appear to be part of a broader pattern of disinformation within the cybercriminal ecosystem.

A similar situation occurred in 2021 when a RAMP forum administrator using the alias “Orange” encouraged attacks on U.S. targets, only to later claim the post was a prank aimed at misleading journalists. Security analysts from firms like McAfee and Intel 471 suggested the retraction was likely an attempt to conceal the failure of a ransomware-as-a-service operation. More recently, in 2023, BleepingComputer received a false tip about the arrest of two Canadian teenagers in connection with a cryptocurrency theft, another clear effort to troll both the media and those accused.

The Qilin ransomware group, originally launched as “Agenda” in mid-2022 before rebranding, remains highly active and continues to target organizations globally. Haise, one of the individuals named in the fake bounty, has been linked to affiliate recruitment on cybercrime forums. While law enforcement agencies worldwide are actively pursuing ransomware operators, this fake reward scheme underscores the importance of verifying sources before publicizing unconfirmed threats or offers.

(Source: Bleeping Computer)
