Hive is the ransomware-as-a-service operation whose takedown became one of the most instructive counter-ransomware actions of the modern era. For seven months, from late July 2022 to January 2023, the FBI was inside Hive’s infrastructure, quietly pulling decryption keys and handing them to victims, while Hive’s operators kept attacking organisations none the wiser. When the bureau went public in January 2023 with the seizure of Hive’s infrastructure, the announcement included a remarkable detail: quietly distributing those keys had already prevented more than $130 million in ransom payments. Hive is the proof that disruption can be more than performative, that law enforcement, given enough time, can functionally neutralise an operation while it still thinks it is winning.
Origins
Hive launched in June 2021 as a fresh RaaS program. It was Russian-speaking by linguistic indicators, jurisdictionally protected, and openly recruiting affiliates on the usual forums. Its operators presented a polished package from launch: a Tor-based affiliate panel, a "Hive Leaks" data publication site, structured negotiation, and a comparatively rare commitment to publishing its own decryption performance benchmarks.
The malware
Hive’s locker went through a notable technical evolution. The early Windows variants were written in Go, which gave the operators easy cross-compilation but produced large binaries that were comparatively easy to reverse-engineer. In February 2022, researchers at Kookmin University in South Korea published a paper describing a cryptographic flaw in the early locker: because every file’s keystream was drawn from one master key, enough encrypted files with guessable content let them recover most of that master key, and with it most of a victim’s files, without the operators’ private key. The operators responded by rewriting the locker in Rust; Microsoft documented the Rust variant in July 2022. The rewrite improved encryption speed and made analysis harder, with string encryption and a requirement to supply operator credentials on the command line before the locker would run.
Linux and FreeBSD variants, also written in Go, appeared in late 2021 and were aimed at Linux servers including VMware ESXi hosts; Linux support was carried forward after the Rust rewrite. The rewrite also changed key handling. The Go versions derived file keystreams from one large random buffer that was protected with an embedded public key, which is the reuse the Kookmin analysis exploited. The Rust version instead generates its key material in memory, uses it to encrypt the files, then encrypts that key material (Microsoft documented Curve25519 key agreement with XChaCha20-Poly1305 for this step) and writes it to .key files at the root of each encrypted drive, so that only the operators can recover it. Intermittent encryption, in which only a fraction of each file’s bytes is encrypted to trade completeness for speed, was available to affiliates as a command-line option.
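To make the flaw class concrete, the following is an added, constructed Python model of the design the Kookmin paper attacked: one master buffer per run, files XOR-encrypted with windows of that buffer, and a single known plaintext leaking key bytes that decrypt other files. It is not Hive’s code and not the paper’s method: the real scheme combined more than one window per file and the published attack had to solve for the buffer across many files, whereas this model uses a single window so the reuse is visible directly. The file names, contents, offsets, buffer size and footer layout are all invented for illustration.

```python
"""Toy model of the keystream-reuse flaw class (a constructed example, not Hive's code).

Model: the locker generates one large random master buffer per run; each file is
XOR-encrypted with a window of that buffer starting at a per-file offset, and the
offset is stored in a footer so the operators' decryptor can find it.  Because the
windows of different files overlap, the master bytes leaked by one known plaintext
also decrypt parts of every other file that shares them.
"""
import random
import struct

MASTER_LEN = 4096  # toy size; a real locker would use a far larger buffer


def make_master(rng: random.Random) -> bytes:
    """Per-run master buffer (seeded RNG only so the example is repeatable)."""
    return bytes(rng.getrandbits(8) for _ in range(MASTER_LEN))


def encrypt_shared(plaintext: bytes, master: bytes, offset: int) -> bytes:
    """Vulnerable mode: keystream is master[offset:] (wrapping); footer stores the offset."""
    body = bytes(p ^ master[(offset + i) % MASTER_LEN] for i, p in enumerate(plaintext))
    return body + struct.pack("<I", offset)


def split_blob(blob: bytes) -> tuple:
    """Separate the ciphertext body from the 4-byte offset footer."""
    return blob[:-4], struct.unpack("<I", blob[-4:])[0]


def learn_master(known: dict, blob: bytes, plaintext_prefix: bytes) -> int:
    """Known-plaintext step: ciphertext XOR plaintext = keystream = master bytes at
    positions offset..offset+n.  Records them in `known`; returns how many were learned."""
    body, offset = split_blob(blob)
    n = min(len(body), len(plaintext_prefix))
    for i in range(n):
        known[(offset + i) % MASTER_LEN] = body[i] ^ plaintext_prefix[i]
    return n


def recover(known: dict, blob: bytes) -> tuple:
    """Decrypt every byte whose master position is known; '?' marks unknown bytes.
    Returns (partial plaintext, fraction of bytes recovered)."""
    body, offset = split_blob(blob)
    out = bytearray()
    hits = 0
    for i, c in enumerate(body):
        k = known.get((offset + i) % MASTER_LEN)
        if k is None:
            out.append(ord("?"))
        else:
            out.append(c ^ k)
            hits += 1
    return bytes(out), hits / len(body)


def encrypt_per_file(plaintext: bytes, rng: random.Random) -> tuple:
    """Hardened mode: a fresh random keystream per file, never shared.  A real locker
    would then wrap this key with the operators' public key; here it is just returned."""
    key = bytes(rng.getrandbits(8) for _ in range(len(plaintext)))
    return bytes(p ^ k for p, k in zip(plaintext, key)), key


def fill(text: bytes, n: int) -> bytes:
    """Constructed plaintext of exactly n bytes."""
    return (text * (n // len(text) + 1))[:n]


def demo(seed: int = 7) -> dict:
    """Encrypt three constructed files, attack with one backup copy plus one file
    magic, and report what the shared keystream gives away."""
    rng = random.Random(seed)
    master = make_master(rng)
    backup = fill(b"Q3 summary, approved. ", 1000)        # a copy survives in offline backup
    payroll = fill(b"id,name,amount\n", 500)              # no backup, but overlaps the window
    report = b"%PDF-1.7\n" + fill(b"report body ", 391)   # 400 bytes; only the magic is known
    blobs = {
        "backup": encrypt_shared(backup, master, 100),    # master window 100..1099
        "payroll": encrypt_shared(payroll, master, 800),  # window 800..1299, overlaps 300 bytes
        "report": encrypt_shared(report, master, 2000),   # window 2000..2399, no overlap
    }
    known = {}
    learn_master(known, blobs["backup"], backup)          # full known plaintext
    learn_master(known, blobs["report"], b"%PDF-1.7\n")   # just the 9-byte file magic
    payroll_pt, payroll_frac = recover(known, blobs["payroll"])
    _, report_frac = recover(known, blobs["report"])
    # Hardened mode: one file's key says nothing about another's beyond chance.
    _, key_a = encrypt_per_file(backup, rng)
    ct_b, _ = encrypt_per_file(payroll, rng)
    guess = bytes(c ^ k for c, k in zip(ct_b, key_a))
    chance = sum(1 for g, p in zip(guess, payroll) if g == p) / len(payroll)
    return {
        "payroll_fraction": payroll_frac,                        # 0.6
        "payroll_prefix_ok": payroll_pt[:300] == payroll[:300],  # recovered bytes are exact
        "payroll_tail_unknown": payroll_pt[300:] == b"?" * 200,
        "report_fraction": report_frac,                          # 9/400: only the magic
        "per_file_key_leak": chance,                             # ~1/256 per byte, i.e. noise
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The practical lesson for a responder is that when a locker reuses keystream, anything with known content is key material: copies of files in offline backups, fixed file headers such as the PDF magic above, and boilerplate documents. The hardened mode at the end shows what unique per-file key material buys: a fully known plaintext for one file recovers nothing of the next beyond chance matches.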
Notable victims
Hive disregarded the restraints on hospital and critical-infrastructure targeting that some other operations at least claimed to observe. Notable victims included:
- Memorial Health System (US, August 2021), where the attack forced ambulance diversions across the system’s Ohio and West Virginia hospitals.
- Costa Rica’s public health service, the CCSS (May 2022), attacked weeks after Conti’s April 2022 extortion of the Costa Rican government, which forced the country to run critical health services on paper for weeks.
- The Indonesian state oil company Pertamina, the Bulgarian Postal Service, and a long list of US school districts and small healthcare providers.
- Tata Power in India.
- EuroControl infrastructure suppliers in Europe.
By the time of the takedown, the Justice Department put Hive’s take at more than $100 million in ransom payments from more than 1,500 victim organisations across more than 80 countries.
The FBI infiltration
The FBI obtained access to Hive’s back-end network in late July 2022. The exact technical means has not been disclosed publicly. From that point until the takedown in January 2023, the bureau ran a covert disruption campaign:
- It captured decryption keys for 336 victims actively under extortion at the time of access.
- It recovered an additional 1,000+ keys from previous incidents, allowing free decryption to be offered to victims who had not yet paid or whose data was being held.
- It distributed those keys to victim organisations through field offices, foreign partners and CISA, without tipping off the operators that keys were leaving their infrastructure.
- The FBI estimates that this activity prevented more than $130 million in ransom payments.
For seven months, Hive’s affiliates kept running intrusions and deploying the locker, and watched victim after victim walk away from negotiations without paying. The operators apparently never worked out why.
The takedown
On 26 January 2023, the FBI, working with Germany’s Federal Criminal Police (BKA) and the Reutlingen Police Headquarters, the Dutch National High Tech Crime Unit and Europol, seized Hive’s leak site, payment portal and back-end infrastructure. The seizure banner on the leak site listed the agencies involved, and the Justice Department’s announcement the same day disclosed the seven-month covert operation. Attorney General Merrick Garland called the action "a 21st-century cyber stakeout."
No arrests were announced at the time. The infrastructure seizure effectively ended the brand. Some Hive affiliates reportedly moved to other operations, primarily Black Basta, BlackCat and Royal. In February 2023 the State Department’s Rewards for Justice program offered up to US$10 million for information on Hive’s operators.
Aftermath
In May 2023, US federal indictments unsealed in New Jersey and the District of Columbia charged a Russian national, Mikhail Pavlovich Matveev (aliases "Wazawaka," "m1x," "Boriselcin"), over his role in Hive, LockBit and Babuk attacks; the Treasury Department sanctioned him the same day. He has not been extradited and remains in Russia.
In October 2023 a new operation, Hunters International, appeared, and researchers quickly found substantial code overlap with Hive’s locker; the group claimed to have bought the source code rather than to be a rebrand. Hunters International operated through 2024, told affiliates in late 2024 that it was shutting down, and reportedly resurfaced in early 2025 as a data-theft-only extortion operation branded "World Leaks."
What Hive proved
Hive’s significance is in the methodology of its takedown rather than the operation itself. Three lessons stand out:
- Patience pays. A seven-month delay between gaining access and going public allowed law enforcement to deliver real, immediate value to hundreds of victims. Counter-ransomware does not have to be visible to be effective.
- Decryption keys are weapons. Having the keys to ongoing operations let the FBI bypass the entire negotiation process for victims, removing the leverage the attackers thought they had.
- The victim-first model works. Hive is the clearest example of law enforcement prioritising restoration of victim data over public credit, and the model has clearly informed the subsequent operations against BlackCat (December 2023) and LockBit (February 2024), both of which also delivered decryption keys to victims.
The brand is gone. The methodology, quiet and long-running covert disruption, is the most important contribution of any counter-ransomware operation in the past decade.
