Bridging Borders in Cybersecurity: Igor Rudenko's Experience in High-Profile Global Investigations
From Prosecutor to Cybercrime Specialist: Igor Rudenko on Combating Global Threats Through Law and Technology

Igor Rudenko is a cybersecurity specialist with over a decade of experience in law enforcement and digital forensics. He focuses on investigating and prosecuting international cybercrime. His background uniquely combines prosecutorial work with technical expertise, enabling him to contribute to complex cases involving institutions across several continents.
In this interview, he discusses how cybercrime is evolving, the importance of international cooperation, and the practical methodologies that have shaped his approach to protecting organisations and individuals from sophisticated global threats.
Can you tell us about your professional background and how you became involved in cybersecurity?
My career in cybersecurity began in 2011 with the Ukrainian Prosecutor's Office, where I spent most of my time working in Kyiv, focusing on cybercrime investigations. Over a decade, I developed legal and technical expertise, combining prosecutorial experience with hands-on skills in digital forensics, OSINT, and network security analysis. This combination proved especially valuable in complex international cases, allowing me to bridge the gap between legal and technical teams.
One of the most high-profile cybercrime cases in recent years involved hackers who infiltrated primary newswire services to steal confidential press releases for insider trading. Could you share more details about this case?
Absolutely. That case is a landmark in the fight against international cybercrime, both for its scale and impact on global financial markets. A group of hackers gained unauthorised access to the networks of leading business newswire services, including Marketwired, PR Newswire, and Business Wire. Over several years, they stole thousands of unpublished press releases containing sensitive, market-moving information.
This information was passed to a network of traders, primarily in the United States, who used it to execute illegal insider trades on hundreds of companies, including prominent names like Caterpillar, Home Depot, and Hewlett Packard, netting over $30 million in illicit profits.
The operation was particularly notable for its technical sophistication. The group used phishing and other advanced methods to bypass security measures and maintain undetected access for years. They exploited the brief window between when press releases were uploaded to the newswire servers and their public release, allowing them to act on non-public information almost immediately.
Law enforcement described this as the largest cyber-enabled securities fraud ever prosecuted. Several individuals involved in the scheme were arrested and faced charges, including wire fraud, computer hacking, and securities fraud. Sentences included prison time, supervised release, and multi-million dollar restitution orders. This case is a landmark in the fight against cybercrime and market manipulation.
In 2021, Ukrainian authorities apprehended individuals associated with the Egregor ransomware group. Can you describe your role in that investigation and how it related to the earlier newswire hacking case?
In February 2021, a joint operation between French and Ukrainian law enforcement targeted the Egregor ransomware group, which had terrorised organisations worldwide since 2020. The group used double extortion tactics: encrypting victims' data and threatening to leak stolen information unless ransoms were paid. Notable targets included Barnes & Noble, Ubisoft, KMart and Metro Vancouver's TransLink.
Working with Europol and French investigators, Ukrainian cyber units conducted synchronised raids, arresting key affiliates who provided logistical and financial support. Technical analysis revealed Egregor's use of tools like Cobalt Strike and Qakbot for lateral movement and cryptocurrency wallets for laundering payments.
As the lead prosecutor overseeing the Ukrainian side of the investigation, I coordinated forensic teams to analyse server logs (using tools such as Splunk and Wireshark) and trace cryptocurrency transactions, ensuring all evidence complied with Ukrainian and international legal standards.
The operation disrupted Egregor's infrastructure, taking their leak site offline and preventing planned attacks on US logistics firms. It also recovered stolen financial records destined for darknet markets.
Our ability to establish connections between new suspects and those previously convicted in the United States made this case remarkable. By applying OSINT techniques and analysing cryptocurrency transactions, we traced financial flows that linked these operations, ultimately preventing planned attacks on American logistics companies and securing hundreds of thousands of stolen financial records before they could be sold on darknet forums.
You've handled a range of cybercrime cases. Is there a large-scale fraud operation that stands out to you, and what role did you play in addressing it?
Indeed, one of the most complex cases I led involved dismantling a transnational network of fraudulent call centres operating across 16 regions of Ukraine, with direct links to criminal groups in the US and EU. Staffed by over 2,500 operators, these call centres posed as representatives of banks, investment firms, and telecom providers. They targeted American and European citizens, extracting confidential data and gaining unauthorised access to bank accounts through sophisticated social engineering.
My responsibilities included coordinating law enforcement and technical experts to document evidence, analyse SIP and RTP traffic, and investigate the configuration of VoIP systems. Through digital forensics, we uncovered phishing sites hosted on encrypted VPS servers, Telegram bots used for credential harvesting, and malicious Android apps redirecting victims to fake banking pages.
Our efforts resulted in over 150 authorised searches, the seizure of over 4,000 computers and 650 mobile devices, and the identification of key technical nodes used to attack US financial institutions. Significantly, we prevented further financial losses for US and EU citizens and provided critical evidence to international partners, ensuring the case could be prosecuted in Ukraine and abroad.
How have you collaborated with international agencies, particularly those in the United States?
My collaboration with US agencies has been substantial and productive. In the case connected to the Egregor ransomware group, I coordinated directly with American prosecutors to exchange vital intelligence.
We formalised this cooperation through Mutual Legal Assistance Treaty (MLAT) requests, providing US authorities with server logs, forensic dumps, and cryptocurrency wallet information. In return, American prosecutors shared intelligence regarding links between individuals involved in the earlier newswire hacking scheme and financial organisations that were targeted in the United States.
This collaboration led to tangible results for US national interests: we prevented planned ransomware attacks on American businesses, recovered hundreds of thousands of stolen financial records before they could be sold, and provided US authorities with additional evidence to expand charges against members within the cybercriminal network.
Looking back at your career, what do you consider your most significant contribution to cybersecurity, and what are you focusing on in your current role?
My most significant contribution has been developing methodologies that bridge the gap between technical cybersecurity and legal prosecution for cybercrime investigation.
In traditional approaches, there's often a disconnect: technical experts may collect valuable evidence in ways that make it inadmissible in court, while legal professionals may lack the technical understanding to direct investigations properly. I've dedicated my career to solving this problem by combining deep technical expertise with thorough legal knowledge.
This approach proved particularly valuable in international cases, where evidence is needed to satisfy legal requirements in multiple jurisdictions. By ensuring digital evidence was collected and preserved correctly, we successfully prosecuted cybercriminals while providing valuable intelligence to international partners. This contribution is impactful across borders because the methodologies I've developed have helped protect institutions and individuals in Ukraine, the United States, and the European Union from sophisticated cyber threats.
As for my current role, in 2024, after completing a cybersecurity project with a construction company in Poland, I joined a US corporation as a Software Development Engineer in Test. My focus is on application security and DevSecOps, where I help strengthen the company's defences by improving secure development practices and reducing vulnerabilities in cloud and .NET systems.
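The answer above stresses that digital evidence must be collected and preserved in a way that survives legal scrutiny. The script below is an added illustration of one common preservation control, not tooling from Igor Rudenko or any agency named in the interview: it builds a hash manifest over collected artefacts at acquisition time and later re-verifies it, flagging any file that has been modified or lost. The sample log lines, the `case_id` and `collector` values, and the file names are constructed placeholders.

```python
"""Evidence integrity manifest: hash-and-verify for collected artefacts.

Added illustration (not the interviewee's or any agency's tooling): one way
to document that digital evidence was preserved unchanged between
collection and presentation. Sample files are constructed in a temporary
directory; the case_id and collector values are placeholders.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large disk images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir: str, case_id: str, collector: str) -> dict:
    """Record path, size and SHA-256 of every artefact, plus a hash over the manifest itself."""
    entries = []
    for root, _dirs, files in os.walk(evidence_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            entries.append({
                "relative_path": os.path.relpath(path, evidence_dir),
                "size_bytes": os.path.getsize(path),
                "sha256": sha256_file(path),
            })
    manifest = {
        "case_id": case_id,            # placeholder value
        "collector": collector,        # placeholder value
        "collected_at_utc": datetime.now(timezone.utc).isoformat(),
        "entries": entries,
    }
    # Canonical JSON of the entry list, hashed, lets a later reader detect edits to the manifest.
    canonical = json.dumps(manifest["entries"], sort_keys=True, separators=(",", ":")).encode()
    manifest["manifest_sha256"] = hashlib.sha256(canonical).hexdigest()
    return manifest


def verify_manifest(evidence_dir: str, manifest: dict) -> dict:
    """Recompute hashes; return relative_path -> 'ok' | 'modified' | 'missing'."""
    results = {}
    for entry in manifest["entries"]:
        path = os.path.join(evidence_dir, entry["relative_path"])
        if not os.path.exists(path):
            results[entry["relative_path"]] = "missing"
        elif sha256_file(path) != entry["sha256"]:
            results[entry["relative_path"]] = "modified"
        else:
            results[entry["relative_path"]] = "ok"
    return results


def demo() -> dict:
    """Build a manifest over constructed sample files, then alter the set and re-verify."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed sample artefacts, not real case data.
        with open(os.path.join(d, "server.log"), "w") as f:
            f.write("2021-02-09T10:14:03Z sshd[1201]: Accepted publickey for deploy\n")
        with open(os.path.join(d, "wallet_addresses.txt"), "w") as f:
            f.write("placeholder-address-1\nplaceholder-address-2\n")
        manifest = build_manifest(d, case_id="CASE-PLACEHOLDER", collector="analyst-placeholder")
        before = verify_manifest(d, manifest)
        # Simulate post-collection alteration: one file appended to, one removed.
        with open(os.path.join(d, "server.log"), "a") as f:
            f.write("2021-02-09T10:15:00Z appended-after-collection\n")
        os.remove(os.path.join(d, "wallet_addresses.txt"))
        after = verify_manifest(d, manifest)
        return {"before": before, "after": after, "entry_count": len(manifest["entries"])}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the manifest is written out alongside the evidence and its `manifest_sha256` is recorded in the case file (or signed), so that the verification step can be repeated by an independent examiner in another jurisdiction without trusting the original collector's copy.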
© Copyright IBTimes 2025. All rights reserved.