Threat Actors · The Bloodline · Part 6 of 7

The Parallel Track

Not everything descends from the Business Club. A second world, GandCrab to REvil, DarkSide to ALPHV, LockBit, and the Maze cartel, industrialized the business model. One of its lineages has been named down to the founder. Another has never leaked a single name. The difference is the finding.

By Reno · July 3, 2026 · 14 min read · Open Research
[Illustration: Four lineages, one marketplace. Panels: GandCrab → REvil; DarkSide → ALPHV; Maze → Egregor; Babuk · Hive affiliates; LockBit, the convergence hub.]

The Business Club bloodline of Parts 1 through 5 is only half the map. Alongside it ran a second world that owed nothing to Bogachev's orbit and everything to a business model: ransomware-as-a-service, crime rendered as a subscription product. Its four lineages, sketched here, matter to this series for a comparative reason that the final part will weaponize: the ones that got named were betrayed by their own structure, and the one that stayed anonymous chose a different structure. · Analyst inference

GandCrab to REvil: the franchise

GandCrab ran from January 2018 to mid-2019 and pioneered RaaS as a polished commercial product: affiliate recruitment, a support desk, aggressive forum marketing, and a public representative under the handle UNKN. In May 2019 its operators announced retirement, boasting of $2 billion in collections (a figure researchers treat as inflated). The retirement was a rebrand. Within weeks UNKN was recruiting affiliates for REvil (Sodinokibi). Secureworks assessed with high confidence that REvil's operators held the GandCrab source and were former GandCrab hands, and Europol stated in 2021 that both gangs were "operated by the same individuals." · Confirmed reporting

REvil defined the 2021 crisis: the Travelex attack, the JBS attack that ended in an $11 million payment, and the Kaseya supply-chain attack of July 2021, which pushed ransomware to as many as 1,500 downstream organizations at once and demanded a $70 million universal decryptor. Kaseya provoked direct US-Russia diplomatic pressure, and in January 2022 the FSB staged a rare theatrical response: fourteen REvil members arrested on camera. The prosecutions stalled after the invasion of Ukraine; the episode reads as a bargaining chip, not a crackdown. The real identification came in late March 2026, when the BKA named UNKN as Daniil Shchukin, with Anatoly Kravchuk as developer; a 2023 DOJ forfeiture had already tied a Shchukin wallet to $317,000 in REvil proceeds. The affiliate Yaroslav Vasinskyi, tied to Kaseya, was arrested abroad and sentenced to more than 13 years. The principals remain in Russia. · Confirmed reporting

The DarkSide cluster: anonymity as tradecraft

The DarkSide to BlackMatter to ALPHV line is the counterpoint to everything else in this series. It produced the single most politically consequential ransomware attack in history, and not one of its core operators has been publicly named. In May 2021 a DarkSide affiliate shut down Colonial Pipeline, the largest fuel pipeline on the US East Coast, triggering panic buying and an emergency declaration. DarkSide folded within days; two months later the same operators relaunched as BlackMatter (CrowdStrike attributed it to the same adversary), and after BlackMatter's November 2021 "shutdown" the crew resurfaced within weeks as ALPHV/BlackCat, rebuilt in Rust. · Confirmed reporting

ALPHV's defining act was the February 2024 Change Healthcare attack, which disrupted US healthcare payments nationwide, produced a payment near $22 million, and ended in an exit scam against its own affiliate. The only people charged in connection with ALPHV are affiliates, including two US-based incident-response professionals who pleaded guilty in December 2025 and paid the unnamed administrators their 20 percent cut. The core remains a blank. The operator behind the whole cluster is tracked as FIN7 / Coreid / CARBON SPIDER, and FIN7 is one of the only genuine bridges between the two ransomware worlds: SentinelOne assessed it shares a developer with Black Basta. FIN7 members have been arrested, but only for the group's pre-ransomware card fraud, never for the ransomware line. · Credible reporting

Conti was named down to its junior staff. DarkSide has never leaked a name. The difference is not investigator skill. It is structure.

Why does this cluster stay anonymous while Conti and Evil Corp are named to the org-chart level? Partly structure, partly the absence of an insider leak. Conti and Black Basta ran cohesive organizations with big rosters and shared internal chats: a wide exposure surface, detonated twice by disgruntled insiders. The DarkSide cluster runs the purer compartmentalized model, a small anonymous core with arms-length affiliates who never learn the operators' names. The State Department's standing $10 million rewards on DarkSide and ALPHV leadership are an open admission that the identities are unknown. It is the highest-value, lowest-progress target in the ecosystem. · Analyst inference

LockBit: the convergence hub

LockBit is not a lineage so much as a marketplace, which is precisely its analytic importance. Developed and run by Dmitry Khoroshev ("LockBitSupp," "putinkrab") from 2019, it industrialized the affiliate model further than anyone: a polished panel, a bug bounty, aggressive recruitment, roughly 20 percent of each ransom to the house. Khoroshev was unmasked and indicted in May 2024 with a $10 million reward. He denies the identification; it rests on Cronos-seized infrastructure and cryptocurrency tracing, and because he sits unarrested in Russia it remains a strong designation rather than a court-tested conviction. · Confirmed reporting

LockBit's affiliate roster is where the ecosystem's threads meet. Aleksandr Ryzhenkov bridges to Evil Corp (Part 3). Mikhail Matveev ("Wazawaka") operated across LockBit, Babuk, and Hive simultaneously. Ivan Kondratyev ("Bassterlord") ran LockBit and his own crew while authoring RaaS training manuals that propagated tradecraft across gangs. The charged affiliations are confirmed; the cross-brand claims beyond them are largely self-reported and deserve caution. Matveev advertised his ties in interviews, and Analyst1 titled its Bassterlord report "Lie to Me" after concluding he had embellished his own legend. · Credible reporting

The February 2024 Operation Cronos, led by the NCA, seized LockBit's infrastructure, took over its leak site, and exposed affiliate data, including the Ryzhenkov link to Evil Corp. LockBit tried to rebuild, but Cronos plus the Khoroshev unmasking degraded the brand's standing in the affiliate market. For a business that runs on affiliate trust, reputational disruption proved to matter as much as technical seizure. · Confirmed reporting

Maze: the inventors of the playbook

Maze (2019 to 2020) earns its place in a people-centric history for one reason: it invented double extortion, stealing data before encryption and threatening publication, the innovation behind every leak site now in operation. Its operators were never publicly named. Egregor inherited its affiliates; both derive from the short-lived Sekhmet, and all three families share a developer persona, Topleak, who in February 2022 released verified master decryption keys for all three. Topleak's identity has never been determined. And Maze's famous 2020 "cartel" with LockBit and RagnarLocker turned out, per Analyst1's blockchain tracing, to involve no profit-sharing at all: a facade of shared leak sites, advertised for strategic effect. Criminal groups advertise cooperation; test alliances against the money before treating them as structural. · Credible reporting

Fig. 1 · The parallel track at a glance (per cited sources)

Lineage · Signature incident · Named core figure · Confidence
GandCrab → REvil · Kaseya (2021) · Daniil Shchukin ("UNKN", BKA 2026) · Confirmed
DarkSide → BlackMatter → ALPHV · Colonial Pipeline (2021); Change Healthcare (2024) · None. $10M rewards outstanding · Core unknown
LockBit · Convergence hub; Cronos takedown (2024) · Dmitry Khoroshev ("LockBitSupp") · Confirmed
Maze → Egregor · Invented double extortion (2019) · "Topleak" persona only · Credible

Attribution status per BKA (Mar 2026), DOJ/NCA (May 2024), CrowdStrike, Secureworks, Europol, and Analyst1. Unresolved identities left unresolved.

US DOJ / UK NCA · Operation Cronos and the LockBit unmasking (excerpt)
Subject: Dmitry Yuryevich KHOROSHEV, alias “LockBitSupp”, “putinkrab”
Role: creator, developer and administrator, LockBit ransomware group
Reward: up to $10,000,000 (US State Dept)
Actions: indicted (D.N.J., May 2024); sanctioned by US, UK, Australia
Status: at large, Russian Federation
Source: US DOJ indictment announcement and UK NCA disclosures, May 2024, following the February 2024 Operation Cronos seizure. Public record, reproduced for analysis.

Every track on this map ends the same way the Business Club tracks did: infrastructure seized, affiliates arrested when they traveled, principals untouched at home. What varies is only how much we know about the men at the core, and that variance is set by their own internal structure, not by ours. The final part of this series turns to what never varies at all: the enablers, the money, and the roof. · Analyst inference

Sourcing & confidence

This dispatch is adapted from the project's reference study "People, Lineage, Money, and the State" (v3), and draws on DOJ and NCA disclosures from Operation Cronos and the Khoroshev indictment (2024), BKA disclosures on REvil leadership (March 2026), Secureworks, CrowdStrike, SentinelOne and Analyst1 vendor reporting, Europol statements on GandCrab/REvil continuity, and contemporaneous reporting on Colonial Pipeline, Kaseya, and Change Healthcare. Confidence labels follow standard analytic practice.

Confirmed · multiple independent sources, including official designation or indictment language.
Credible · single strong source or consistent industry reporting, not yet officially confirmed.
Analyst inference · the project's own assessment, drawn from the evidence above.

Next · The Bloodline, Part 7 of 7

The Constants: the enablers, the money, and the roof
