Ghosts of REvil: An Inside Look with the Hacker Behind the Kaseya Ransomware Attack

Presented at DEF CON 33 (2025), Aug. 9, 2025, 3 p.m. (45 minutes).

Yaroslav Vasinskyi was sentenced in 2024 to 13 years in U.S. federal prison for his role in the $700M Kaseya ransomware attack. But behind the headlines lies a more human and complex story. Over the past year, threat researcher Jon DiMaggio built a relationship with Vasinskyi, speaking with him regularly by phone and email. Joining him is John Fokker, Head of Threat Intelligence at Trellix and former Dutch cybercrime investigator involved in operations targeting the REvil gang with global law enforcement. This talk reveals how REvil operated from the inside, what really happened behind the Kaseya attack, and how ego, greed, and betrayal tore the crew apart. The session also provides new information on the group’s leadership, who vanished and remain at large. This isn’t theory or speculation. It is raw human intelligence, operational insight, and criminal context behind one of the most devastating ransomware attacks in history. It also tells Vasinskyi’s personal journey, revealing the often overlooked human side of ransomware crime. Coinciding with the next Ransomware Diaries release, this talk exposes the inner workings and unraveling of one of the most infamous ransomware groups of all time. This is not a glorification, it is a reckoning.

References:

  • 60 min (full episode): 4/14/2024: Scattered Spider; Knife; Tasmanian Tiger - CBS News
  • 60 Min Overtime: Infiltrating ransomware gangs on the dark web - CBS News
  • Ransomware Diaries:
      • Ransomware Diaries: Volume 1 | Analyst1
      • Ransomware Diaries V. 2: A Ransomware Hacker Origin Story (analyst1.com)
      • Ransomware Diaries V. 3: LockBit’s Secrets (analyst1.com)
      • Ransomware Diaries Volume 5: Unmasking LockBit (analyst1.com)
      • Ransomware Diaries Volume 6: Lie to me. A Bassterlord Ransomware Story (Analyst1.com)

Presenters:

  • Jon DiMaggio
    Jon DiMaggio is the Chief Security Strategist at Analyst1 and a cybercrime hunter who doesn’t just follow ransomware gangs, he infiltrates them. A former U.S. intelligence analyst with a background in signals intelligence, Jon has spent his career going deep undercover inside some of the world’s most dangerous cybercrime syndicates. In 2024, he embedded himself within the notorious LockBit ransomware gang, gathering intelligence that helped law enforcement take down one of the most prolific cybercriminal operations in history. His investigative series The Ransomware Diaries exposed LockBit’s inner workings and earned widespread recognition. Jon is the author of The Art of Cyberwarfare (No Starch Press), a two-time SANS Difference Makers Award winner, has appeared on 60 Minutes, and has been featured in The New York Times, Wired, and Bloomberg. He is also a regular speaker at DEFCON, RSA, and other major security conferences. Whether he’s chasing cybercriminals or telling their stories, Jon brings the kind of firsthand insight you only get when you’ve walked into the lion’s den, and walked out.
  • John Fokker
    As Head of Threat Intelligence at Trellix and former head of cyber investigations at the Dutch National High Tech Crime Unit, I bring deep technical knowledge and operational experience bridging law enforcement, intelligence, and private sector perspectives. My work has helped coordinate international takedowns of ransomware infrastructure, and I have direct experience investigating REvil and its affiliates at the height of their operations. My contribution complements Jon’s HUMINT narrative with:
      • Technical validation of the behind-the-scenes activities discussed in the talk
      • Law enforcement and intelligence insights on affiliate operations, infrastructure, and monetization patterns
      • An investigative trail linking REvil and GandCrab, through shared TTPs and operational overlaps
    Together, our presentation fuses Hacking, CTI, HUMINT and investigative storytelling with forensic rigor, revealing how trust, betrayal, and ego brought down one of the most feared ransomware gangs in the world.
