‘We hacked the hackers’: Gardaí part of international police operation to thwart cyber crime group

Firms based in Ireland were given ‘decryption keys’ by police to allow them frustrate ransomware attacks

A number of large companies based in Ireland were supplied with “decryption keys” to allow them frustrate ransomware attacks by a major international criminal operation, the head of the Garda National Cyber Crime Bureau has said.

The bureau was part of an international law enforcement operation that targeted the infrastructure of a ransomware operation called the Hive group. “Effectively it has put them out of business,” Det Supt Pat Ryan said.

Since November 2022, the group and its affiliates are estimated to have collected almost €100 million in ransom payments from more than 1,500 targets in 80 countries, he said. “There are Irish victims that have been identified as part of that,” Supt Ryan said.

The bureau participated in Operation Dawnbreaker, an international operation that seized the hackers’ servers and its website. With a lead role being played by the US Federal Bureau of Investigation, the operation included law enforcement agencies from Canada, the UK, France, Germany, Sweden and other countries, with the European involvement being co-ordinated via Europol.


“Using lawful means, we hacked the hackers,” the US deputy attorney general, Lisa Monaco, said at a news conference in Washington DC.

The group operated a ransomware-as-a-service system whereby software developers designed malicious software that was supplied to affiliates so they could target potential victims. Any ransoms paid were then split between the developers (approximately 20 per cent) and the affiliates (80 per cent).

Supt Ryan declined to comment on what jurisdiction or jurisdictions the criminals were linked to, or whether any Hive group affiliates were behind the ransomware attack on the HSE in May 2021. He said the infrastructure seized from the criminals had to be examined and that a lot of work still needed to be done.

In a statement on the operation, Europol said that since June 2021 Hive ransomware has been used to target a wide range of businesses and critical infrastructure sectors, including government facilities, telecommunication companies, manufacturing, information technology, and healthcare and public health.

It said it worked with European law enforcement agencies to prevent private companies falling victim to ransom attacks.

“Law enforcement provided the decryption key to companies which had been compromised in order to help them decrypt their data without paying the ransom,” it said, adding that €120 million in ransom demands were frustrated.

Operation Dawnbreaker involved a lot of “painstaking work”, Supt Ryan said, including the investigation of cryptocurrency transactions, malware decryption, and the identification of the infrastructure that was being used to carry out attacks.

“That infrastructure was taken over and it is basically now in the hands of law enforcement, which means it is ineffective,” he said.

The ransom operations involved the encryption of data on victims’ IT infrastructure and the demand for payment in return for the software needed to unlock the data. However law enforcement agencies were able to supply the decryption technology and thereby frustrate the criminals.

Colm Keena

Colm Keena

Colm Keena is an Irish Times journalist. He was previously legal-affairs correspondent and public-affairs correspondent