A coalition of law enforcement agencies coordinated by the U.K. National Crime Agency (NCA) has led to the arrest and extradition of a Belarussian and Ukrainian dual-national believed to be associated with Russian-speaking cybercrime groups.
Maksim Silnikau (aka Maksym Silnikov), 38, went by the online monikers J.P. Morgan, xxx, and lansky. He was extradited to the U.S. from Poland on August 9, 2024, to face charges related to international computer hacking and wire fraud schemes.
"J.P. Morgan and his associates are elite cyber criminals who practiced extreme operational and online security in an effort to avoid law enforcement detection," the NCA said in a statement.
These individuals, the agency said, were responsible for the development and distribution of ransomware strains such as Reveton and Ransom Cartel, as well as exploit kits like Angler. Reveton, introduced in 2011, has been described as the "first ever ransomware-as-a-service business model."
Victims of Reveton have been found to have received messages purporting to be from law enforcement, accusing them of downloading child abuse material and copyrighted programs and threatening them with large fines to avoid imprisonment and gain access to their locked devices.
The scam resulted in about $400,000 being extorted from victims every month from 2012 to 2014, with Angler infections accounting for an estimated annual turnover of around $34 million at its peak. As many as 100,000 devices are believed to have been targeted by the exploit kit.
Silnikau, alongside Volodymyr Kadariya and Andrei Tarasov, are said to have been involved in the distribution of Angler and for leveraging malvertising techniques from October 2013 through March 2022 to deliver malicious and scam content designed to trick users into providing their sensitive personal information.
The stolen information, such as banking information and login credentials, and access to the compromised devices were then offered for sale in Russian cybercrime forums on the dark web.
"Silnikau and his co-conspirators allegedly used malware and various online scams to target millions of unsuspecting internet users in the United States and around the world," FBI Deputy Director Paul Abbate said. "They hid behind online aliases and engaged in complex, far-reaching cyber fraud schemes to compromise victim devices and steal sensitive personal information."
The criminal scheme not only caused unsuspecting internet users to be forcibly redirected to malicious content on millions of occasions, but also defrauded and attempted to defraud various U.S.-based companies involved in the sale and distribution of legitimate online ads, the U.S. Justice Department (DoJ) said.
Prominent among the methods used to disseminate malware was the Angler Exploit Kit, which leveraged web-based vulnerabilities in web browsers and plugins to serve "scareware" ads that displayed warning messages claiming to have found a computer virus on victims' devices and then deceived them into downloading remote access trojans or disclosing personal identifying or financial information.
"For years, the conspirators tricked advertising companies into delivering their malvertising campaigns by using dozens of online personas and fictitious entities to pose as legitimate advertising companies," the DoJ said.
"They also developed and used sophisticated technologies and computer code to refine their malvertisements, malware, and computer infrastructure so as to conceal the malicious nature of their advertising."
A separate indictment from the Eastern District of Virginia also accused Silnikau of being the creator and administrator of the Ransom Cartel ransomware strain beginning in May 2021.
"On various occasions, Silnikau allegedly distributed information and tools to Ransom Cartel participants, including information about compromised computers, such as stolen credentials, and tools such as those designed to encrypt or 'lock' compromised computers," the DoJ noted.
"Silnikau also allegedly established and maintained a hidden website where he and his co-conspirators could monitor and control ransomware attacks; communicate with each other; communicate with victims, including sending and negotiating payment demands; and manage distribution of funds between co-conspirators."
Silnikau, Kadariya, and Tarasov have been charged with conspiracy to commit wire fraud, conspiracy to commit computer fraud, and two counts of substantive wire fraud. Silnikau has further been charged with conspiracy to commit computer fraud and abuse, conspiracy to commit wire fraud, conspiracy to commit access device fraud, and two counts each of wire fraud and aggravated identity theft.
If convicted on all counts, Silnikau faces more than 50 years in prison. Prior to his extradition, he was arrested from an apartment in Estepona, Spain in July 2023 as part of a coordinated effort between Spain, the U.K., and the U.S.
"Their impact goes far beyond the attacks they launched themselves," NCA Deputy Director Paul Foster said. "They essentially pioneered both the exploit kit and ransomware-as-a-service models, which have made it easier for people to become involved in cybercrime and continue to assist offenders."
"These are highly sophisticated cyber criminals who, for a number of years, were adept at masking their activity and identities."
Update
The U.S. Department of State has announced rewards of up to $2.5 million for information leading to the arrest or conviction of Volodymyr Kadariya for his alleged role in the distribution of the Angler exploit kit.
"Kadariya is charged with cybercrime offenses associated with an alleged scheme to transmit the Angler exploit kit (AEK), other malware, and online scams to the computers of millions of unsuspecting victim Internet users through online advertisements – so-called 'malvertising' – and other means from October 2013 through March 2022," the agency said.
"At times during the scheme, the AEK was a leading vehicle through which cybercriminals delivered malware onto compromised electronic devices."