A recent spate of ransomware attacks estimated to have earned hackers 705.08 Bitcoin (BTC) ($2.5 million) likely came from Russian cybercriminals, not North Korean state-sponsored actors as initially thought. The development was reported on The Next Web’s crypto-focused news site Hard Fork on Jan. 14.

Hard Fork cites evidence from cybersecurity research teams McAfee Labs and Crowdstrike, which have analyzed the strategies used in developing and disseminating the Ryuk ransomware strain, and concluded that the identity and motivations of its masterminds have most likely until now been misreported. The Ryuk campaign notably attracted wide attention following its targeting of major United States media group Tribune Publishing over Christmas.

As McAfee notes, Ryuk is a fictional manga character who spreads lethal death notes as an evil distraction from his own boredom — an analogy for the ransom notes reported to have accompanied Ryuk once the ransomware had encrypted victims’ drives.

Ryuk was reportedly initially spread via a banking Trojan dubbed TrickBot, which was concealed in email spam sent to tens of thousands of victims, with the attackers then reported to have graduated to targeting select larger enterprises.

The allegedly mistaken attribution to North Korea appears to have been spurred by code similarities between Ryuk and Hermes — a ransomware that was previously allegedly used by North Korean state actors as an intrigue to distract from a compromise of the SWIFT network of the Far Eastern International Bank (FEIB) in Taiwan.

Yet as McAfee, Crowdstrike, and others argue, Ryuk is likely a modified version of Hermes 2.1., which was available as a commodity malware kit for sale in underground forums. It is believed — with medium to high confidence —  to be attributable to the Russia-based threat actor group GRIM SPIDER, in part because early ads for Hermes stated it would not work on Russian, Ukrainian or Belarusian-language systems.

As of August last year, the Ryuk heist is estimated to have earned its architects 705 BTC. In its analysis of the Ryuk attacks, Crowdstrike has reported that over 52 transactions across 37 BTC address, GRIM SPIDER has made 705.80 BTC ($2.5 million). The research added:

“With the recent decline in BTC to USD value, it is likely GRIM SPIDER has netted more.”

Crowdstrike further claims that GRIM SPIDER is a cell of e-criminals that forms part of the larger threat group WIZARD SPIDER, identified as the Russia-based operator of the TrickBot banking malware.

In a report published last October, cybercrime firm Group-IB identified the allegedly North Korean state-sponsored hacker group Lazarus as responsible for $571 million of the $882 million total in cryptocurrencies that was stolen from online exchanges during from 2017 to 18.