
How The FBI Traced An IP Address Despite Tor Usage

Ragnar Locker Hacker Captured

Back in 2020, Japanese game developer Capcom suffered a major ransomware attack. A threat actor stole over 1 TB of sensitive data and threatened to release it should Capcom not pay. Capcom wasn’t interested, and so the hacker released 67 GB of stolen files through a .onion website.

The hacker assumed that he had followed basic OpSec and that, by using the Tor Browser, his IP address would be masked. That is not how it turned out: the attacker was indicted on May 16, 2023 after the FBI managed to uncover his “hidden” IP address. But how was this possible?

Exploiting CapCom

[Image: Capcom leak]

Ragnar Locker, a well-known ransomware group, managed to take on the Japanese gaming giant and leaked over 67 GB of its data on an onion site. Capcom was well aware of the data leak; it even caused multiple portions of their corporate network to be halted.

[Image: Capcom TXT edit]

Capcom released a statement saying:

“Beginning in the early morning hours of November 2, 2020 some of the Capcom Group networks experienced issues that affected access to certain systems, including email and file servers. The company has confirmed that this was due to unauthorized access carried out by a third party, and that it has halted some operations of its internal networks as of November 2.”

The hacking group was able to grab employee termination agreements, passports, sales reports, bank statements, NDAs, salary slips, and even information taken directly from the CEO’s computer.

It was reported that at least 2,000 computers had been infiltrated and that Ragnar Locker wanted $11 million in Bitcoin in exchange for a decryptor.

In their ransom letter, they included the following .onion link, where a small portion of Capcom’s files had already been leaked: t2w5byhtkqkaw6m543i6ax3mamfdy7jkkqsduzzfwhfcep4shqqsd5id.onion/ (the onion link no longer works).

After the leak, all communications took place on the Tor network. The documents were stored on an onion site, which is reachable only through Tor, and therefore the host’s IP address was *hidden*. Tor generally does a nifty job of hiding the valuable details an investigator would otherwise rely on, such as the website’s source code, SSL certificate, etc.

Yet somehow, investigators managed to trace the IP address of one of the Ragnar group’s members.

Unlocking a Tor User IP Address: ETags

Finding an IP address through the Tor Network is meant to be… impossible. Check out our article, where we explain how it works. 

This means that finding a darknet website’s original IP address involves scanning the site for mistakes in its source code, response headers, etc. Sometimes a cybercrime investigator will find unique character strings and fingerprint information. However, the individual who hosted this particular website was careful in his operation and didn’t make any obvious mistakes.

After thorough research, the investigator found ETag information in the response header.

Generally, ETags aren’t that helpful for identifying a threat actor. ETags, or entity tags, are used in the HTTP protocol to support web caching: they give a client a way to validate a cached resource, which cuts down data exchange, network overhead and bandwidth usage by avoiding transfers of data that has not changed.

But in Capcom’s favour, this ETag contained the only information the investigator could link to the criminal on the other end. The ETag found was “0-5a4a8aa76f2f0”.

[Image: ETag header information]

The investigator ran the ETag through Shodan, a search engine that scans the internet and indexes what it finds, so it can be queried for identical strings, IP addresses and various other filters. This opens the possibility of finding any linked device connected to the internet at a given time, whether that means the device’s location or just a small digital fingerprint.
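The following script is an added example, not code from the original article or from any of the parties it describes. It shows the defender’s side of the technique above: auditing a server’s own HTTP responses for headers whose values are identical on every interface the server listens on, which is exactly what lets an indexed clearnet response be matched to a hidden service. It also decodes a two-field Apache ETag to show what such a tag reveals. The two sample responses are constructed for illustration; only the ETag value “0-5a4a8aa76f2f0” comes from the article, and the assumption that it is an Apache size-mtime tag is mine, not the article’s.

```python
"""Added example: audit HTTP response heads for fingerprint headers that
could be correlated across a .onion address and a public interface.
Sample responses below are constructed; only the ETag value is from the article."""
import re
from datetime import datetime, timezone
from typing import Optional

# Headers whose values tend to be identical on every interface a server
# exposes, and therefore act as a cross-network fingerprint.
FINGERPRINT_HEADERS = ("etag", "server", "last-modified", "x-powered-by")

# Apache emits ETag fields in the fixed order inode, size, mtime; with the
# default "FileETag MTime Size" the inode is omitted, so a two-field tag is
# assumed here to be size-mtime, mtime in hex microseconds since the epoch.
_APACHE_ETAG = re.compile(r'^(?:W/)?"([0-9a-f]+)-([0-9a-f]+)"$')


def parse_response_head(raw: str) -> dict:
    """Parse an HTTP/1.1 status line and headers into a dict keyed by
    lower-cased header name. Any body after the blank line is ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {"status-line": lines[0]}
    for line in lines[1:]:
        if ":" not in line:
            continue  # tolerate a malformed line rather than abort the audit
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_apache_etag(etag: str) -> Optional[dict]:
    """Decode an Apache-style two-field ETag (assumed size-mtime) into the
    file size and modification time it leaks. Returns None for other formats."""
    m = _APACHE_ETAG.match(etag.strip())
    if not m:
        return None
    size = int(m.group(1), 16)
    mtime_us = int(m.group(2), 16)
    return {
        "size": size,
        "mtime_us": mtime_us,
        "mtime": datetime.fromtimestamp(mtime_us / 1_000_000, tz=timezone.utc),
    }


def shared_fingerprints(a: dict, b: dict) -> dict:
    """Return the fingerprint headers whose values are identical in both
    responses, i.e. the strings an indexer could use to link them."""
    return {h: a[h] for h in FINGERPRINT_HEADERS if h in a and h in b and a[h] == b[h]}


def audit(onion_raw: str, public_raw: str) -> dict:
    """Run the audit: report shared fingerprint headers between the hidden
    service response and the public-interface response, and decode the
    ETag (if any) so the operator sees what it reveals."""
    onion = parse_response_head(onion_raw)
    public = parse_response_head(public_raw)
    etag = onion.get("etag")
    return {
        "shared": shared_fingerprints(onion, public),
        "etag": parse_apache_etag(etag) if etag else None,
    }


# Constructed sample: the same Apache host answering over its .onion address
# and over its public IP before any hardening (hypothetical responses).
ONION_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    'ETag: "0-5a4a8aa76f2f0"\r\n'
    "Content-Length: 0\r\n"
    "\r\n"
)
PUBLIC_RESPONSE = ONION_RESPONSE

# Constructed sample: the public interface after "FileETag None" and
# "Header unset ETag" in the Apache config; only the Server banner remains.
HARDENED_PUBLIC_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, public in (("before", PUBLIC_RESPONSE), ("after", HARDENED_PUBLIC_RESPONSE)):
        result = audit(ONION_RESPONSE, public)
        print(f"{label} hardening, shared fingerprints: {result['shared']}")
        if result["etag"]:
            print(f"  ETag decodes to size={result['etag']['size']} "
                  f"mtime={result['etag']['mtime'].isoformat()}")
```

Two points the output makes concrete. First, the decoded mtime shows that an Apache ETag is not a random string: it encodes the file’s size and last-modified timestamp, so the same file served on two interfaces yields the same tag, and that tag is unique enough for a scanner index to match it. Second, the “after” run shows that removing the ETag (with Apache’s `FileETag None` plus `Header unset ETag`, both real directives) leaves only the generic `Server` banner in common, which is no longer a usable correlator on its own.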

Tracing Mikhail Pavlovich Matveev Aka M1x

When searching “0-5a4a8aa76f2f0” on Shodan, one result came up. This small mistake by the hacker revealed all the information needed to capture him.

[Image: Shodan information on the Ragnar Locker hacker]

Shodan revealed the hacker’s IP address, the location recorded for it, and his current connection to the internet.

Tracing the IP address directly did not, by itself, link it to the Ragnar member “M1x”.

According to an FBI Flash report, using IP address 5.45.65.52, investigators traced the server that hosted Capcom’s compromised data. The FBI then obtained a warrant for that server and traced it back to an individual named Mikhail Pavlovich Matveev, aka M1x.

The rest is history. On May 16, 2023, Matveev was indicted in the District of New Jersey, where he was charged with participating in ransomware attacks against thousands of victims. The victims Ragnar went after include law enforcement and other government agencies, hospitals, schools, etc. It’s been estimated that Ragnar Locker has received more than $200 million in ransomware payouts over the last three years.

“Data theft and extortion attempts by ransomware groups are corrosive, cynical attacks on key institutions and the good people behind them as they go about their business and serve the public. Whether these criminals target law enforcement, other government agencies, or private companies like health care providers, we will use every tool at our disposal to prosecute and punish such offenses. Thanks to exceptional work by our partners here, we identified and charged this culprit.”

U.S. Attorney Matthew M. Graves

$10 Million Reward Up For Grabs

After apprehending Matveev, the DoJ is thirsty for more. The Department of State announced a $10 million reward for any individual willing to provide additional information on Ragnar Locker. Anyone with information that leads to the arrest or conviction of Ragnar Locker members can submit their tip at tips.fbi.gov.