A man alleged of carrying out the landmark cyber attack at Medibank has reportedly been detained by Russian authorities.

Last month, alleged Russian cyber criminal Aleksandr Ermakov was named for his role in the colossal 2022 data breach at health insurer Medibank.

Some 14 months after the cyber incident occurred, the federal government imposed an unprecedented cyber sanction against 34-year-old Ermakov for his part in releasing some 9.7 million records of current and former Medibank customers on the dark web.

At the time, cyber experts pointed out the sanction most likely wouldn’t lead to an arrest, with the most notable repercussions against Ermarkov being financial penalties and restrictions on travel.

Now, Russian authorities, with the support of Russian cybersecurity firm F.A.C.C.T, have detained a hacker suspected to be Ermakov.

Three men were detained and accused of being members of a ransomware-as-a-service operation called SugarLocker – a Russia-based outfit known for targeting victims both domestically and internationally.

Ermakov, who is believed to have been detained as part of the Russia-led action against SugarLocker, has notoriously operated under the pseudonyms “GustaveDore”, “JimJones” and “Blade Runner”.

While F.A.C.C.T’s media statement does not explicitly name Ermakov or the other detained suspects, it noted one of the three men owned the same nicknames as the Medibank-linked hacker.

The firm found the suspected attackers attempted to cover their tracks by working under the guise of a legitimate IT company called Shtazi-IT, but may have undercut their efforts by openly posting job-listings using the contact name @GustaveDore – one of the nicknames already linked to Ermarkov’s criminal activity.

F.A.C.C.T said the men have already been charged under Article 273 of the Criminal Code of the Russian Federation, which prohibits the “creation, use and distribution of malicious computer programs”.

Authorities respond

An Australian Federal Police (AFP) spokesperson told Information Age it was aware of a Russian individual being reportedly detained, but did not specify any connection to the Medibank hack.

“The AFP investigation into the Medibank Private hack in 2022 remains ongoing and is a priority for the AFP,” they said.

“The AFP has no further comment at this stage.”

Last year, AFP commissioner Reece Kershaw revealed the police had shared key information to the Russian state regarding individuals related to the Medibank hack, but received no help in response.

As the AFP struggled to receive adequate co-operation from Russian authorities, hackers had already declared “case closed” and dumped a plethora of stolen data online – including Medicare numbers, contact information and claims data – in response to Medibank’s refusal to pay a ransom.

In late January this year, the federal government applied its first-ever application of new cyber sanctions laws to bring some long-awaited justice to Ermakov – making it a criminal offence of up to 10 years’ imprisonment to provide assets to the sanctioned hacker or to use or deal with his assets, including through cryptocurrency wallets or ransomware payments.

The UK and US followed suit soon after, with the UK’s Foreign, Commonwealth and Development Office describing the collective sanctions as part of a “coordinated action aimed at cracking down on international cyber crime”.

Australian intelligence has further linked Ermakov to Russia-linked ransom group REvil, a prominent cyber crime outfit that has faced repeated international police action for years.

At the time of writing, Australia’s foreign minister has not publicly commented on Russia’s reported action against Ermakov, while F.A.A.C.T notes a further investigation of the three suspects is underway.