Armenia is currently holding a Russian tourist, Aleksandr Ermakov, in detention based on a U.S. extradition request. The request targets a suspect linked to the REvil ransomware group, also named Aleksandr Ermakov, creating a complex case of mistaken identity, according to reports.
His wife, Maria Yurova, recounted that border officers apprehended him at Yerevan’s Zvartnots airport, presenting a photo from his social media profile before escorting him away. His legal team contends that Washington has apprehended the wrong individual. The man sought by the U.S. is identified as Aleksandr Gennadievich Ermakov, who was sanctioned by several countries earlier this year for his alleged involvement in a significant data breach. Meanwhile, the detained man, identified by his lawyers as Aleksandr Yuryevich Ermakov, is reportedly a former lawyer from Omsk with no English language skills.
The Case of the Two Aleksandr Ermakovs
The U.S. indictment, which has been reported by Russian media outlets, accuses an Aleksandr Ermakov of participating in Sodinokibi/REvil ransomware attacks between April 2019 and July 2021. These alleged attacks impacted over 1,000 victims, including private companies, law enforcement agencies, government offices, schools, and hospitals, some located in the Northern District of Texas. The Interpol notice, stemming from this U.S. warrant, reportedly designates one of the ransomware platform’s administrators as having profited over $13.7 million.
The U.S. Treasury Department previously sanctioned Aleksandr Gennadievich Ermakov in January 2024 for allegedly stealing 9.7 million records from Medibank Private, a major Australian health insurer. However, the Medibank hack occurred in October 2022, fifteen months after the period cited in the U.S. charging document against the REvil-linked Ermakov. Furthermore, the U.S. has not publicly announced any charges against Ermakov specifically for the Medibank breach.
According to Russian news agency TASS, Aleksandr Gennadievich Ermakov is also currently serving a two-year sentence in Russia that prohibits him from leaving the country. Case files reviewed by Russian outlets suggest this sentence is active. In contrast, the man detained in Armenia, Aleksandr Yuryevich Ermakov, is alleged by his lawyers to be a former prison-service lawyer who does not speak English, suggesting a significant disparity in profiles.
Discrepancies in Identifying the Suspect
Russian passports include patronymic names, which are crucial for distinguishing individuals with similar given names and surnames. Australia’s consolidated list and the UK’s entries clearly state the patronymic as Gennadievich for the sanctioned Ermakov. The U.S. Office of Foreign Assets Control (OFAC) designation, however, does not include a patronymic, listing only the given name and surname. This omission is a key point raised by the defense.
The U.S. Specially Designated Nationals (SDN) record for Aleksandr Ermakov lists Moscow as his location, with a date of birth of May 16, 1990, and includes several online handles. Dylan Rajavi, one of the detained man’s lawyers, suggested to Izvestia that the U.S. paperwork might have contained only the given name and surname, leading to an automated matching error. He further argued that standard identification methods like fingerprints or complete passport data, which would unequivocally prove identity, have not been provided by the U.S. authorities.
“There is only an arrest warrant,” Rajavi stated, emphasizing that this is the defense’s assertion and not a legal finding. Armenian authorities have remained silent on the matter, and the U.S. Department of Justice has not announced any new charges. The provenance of the documents held by the Russian outlets remains undisclosed.
The REvil Connection and Prior Investigations
The intelligence gathered by the Australian signals directorate and federal police over an 18-month investigation, codenamed Operation Aquila, led to the identification of Aleksandr Gennadievich Ermakov. The link between this Ermakov and the SugarLocker ransomware operation, which is distinct from the REvil group, was established through forum data analysis by Intel 471. This analysis revealed that Ermakov used handles such as SHTAZI and shtaziIT, and his alias JimJones was active on the Exploit forum selling malware development services and advertising a dev shop named Shtazi-IT.
Following this, Russian police announced the dismantling of the SugarLocker ransomware crew, with contact information for its developer referencing the handle @GustaveDore, associated with Ermakov. This investigation was pursued independently by both a U.S. vendor and Russia’s interior ministry, reaching the same operational front.
In October 2024, a Moscow court sentenced Aleksandr Gennadievich Ermakov to two years of restriction of freedom under Russia’s malware statute for his role in co-authoring and selling SugarLocker. Reports indicate he pleaded guilty, and the case proceeded through Russia’s summary procedure. This sentence means he is still subject to restrictions that would prevent international travel.
The next step in the current case is a decision by the Armenian court regarding the extradition of the detained Aleksandr Ermakov to Dallas. His brother expressed to RIA Novosti on Friday that the family anticipates the extradition to proceed. Despite extensive sanctions, intelligence operations, and a new U.S. warrant, the situation highlights the challenge of definitively identifying individuals in the digital realm, with legal teams asserting that the wrong Aleksandr Ermakov is currently detained.

