The police investigation began after various Italian companies and organizations were infected by CryptoLocker, a virus that requires bitcoin payment to unlock infected files. Some of the victims used Coinbit.it to pay the ransoms, so the Italian authorities concluded that the bitcoin exchange was at least an accessory to the attacks, shut it down and arrested its management.
The police operation, called Cryptowash, led by the Postal Police of Udine and coordinated by the District Attorney of Trieste, was launched after the malware hit numerous businesses in Friuli.
Police reported that a breakthrough in the investigation occurred in March after a complaint was lodged by the head of a Friulian company. The company’s managers had decided to pay the ransom through Coinbit.it and received, in response, an email containing the key to decrypt files “blocked” by CryptoLocker.
Using evidence recovered from the company, the agents were able to approach an individual resident in the province of Padua. During the investigation, it emerged that responsibility for the attacks was attributable to a partnership, also linked to a company in Estonia, whose members used Coinbit.it as an intermediary.
Udine police were able to arrest the Coinbit.it personnel based on exchanged smartphone messages showing that they were fully aware of the ransom attacks and possibly facilitated them. The messages discussed the spread of CryptoLocker, money laundering, how to behave in front of the police and information on appointing lawyers.
According to preliminary police estimates, the criminal conspiracy raked in approximately 277,000 Euros from more than 1,500 people. Victims of the ransomware included citizens and private companies but also, ironically, courts such as Udine, municipalities such as Trento, and even law enforcement agencies.