Suspected head of Reveton, Ransom Cartel RaaS groups arrested
An international operation coordinated by the UK National Crime Agency (NCA) has resulted in the arrest and extradition of a man believed to be one of the world’s most prolific Russian-speaking cybercrime actors.
The arrest
The NCA has been investigating the online moniker “J.P. Morgan” and his criminal network since 2015, with parallel investigations also being run by the United States Secret Service (USSS) and FBI.
Cybercrime specialists from the NCA, working closely with international partners, identified the real-world individuals responsible for several high-profile online monikers – including J.P. Morgan – and successfully tracked and located them as they sought to avoid detection across Europe.
Investigators established that these individuals were responsible for the development and distribution of notorious ransomware strains, including Reveton and most recently Ransom Cartel, as well as exploit kits, including Angler, which have extorted tens of millions from victims worldwide.
Following charges brought in the US against several individuals, the Spanish Guardia Civil, supported by NCA and US officers, arrested 38-year-old Maksim Silnikau (also known as Maksym Silnikov), at an apartment in Estepona, Spain on 18 July 2023.
Silnikau, from Belarus, is believed to have used the J.P. Morgan moniker, as well as other notorious monikers within the cybercrime community including “xxx” and “lansky”.
On Friday 9 August 2024, Silnikau was extradited from Poland to the US to face charges relating to cybercrime offences.
Vladimir Kadariya, 38, from Belarus, and Andrei Tarasov, 33, from Russia, are also facing charges in the US for allegedly playing key roles in J.P. Morgan’s crime group.
The first RaaS
J.P. Morgan’s criminal activities can be traced back to at least 2011 when he and associates introduced Reveton, the first ever ransomware-as-a-service business model.
Victims of Reveton received messages purporting to be from law enforcement, with a notification that would lock their screen and system, accusing them of downloading illegal content such as child abuse material and copyrighted programs.
Reveton could detect the use of a webcam and take an image of the user to accompany the notification with a demand for payment. Victims were then coerced into paying large fines through fear of imprisonment or to regain access to their devices.
The scam resulted in approximately $400,000 being extorted from victims every month from 2012 to 2014.
Exploit kits
J.P. Morgan’s network also developed and distributed a number of exploit kits, including the notorious Angler Exploit Kit, which they used to conduct “malvertising” campaigns.
The kit would seek out vulnerabilities in the website’s system which ultimately enabled it to deliver malware, including ransomware (Reveton, CryptXXX, CryptoWall and other strains), to a victim’s device.
At its peak, Angler represented 40% of all exploit kit infections, having targeted around 100,000 devices and with an estimated annual turnover of around $34 million.
NCA investigators established that British national Zain Qaiser was working with J.P. Morgan, launching Angler malvertising campaigns and sharing the profits with him.
Qaiser was convicted of blackmail, Computer Misuse Act and money laundering offences and sentenced to six years and five months imprisonment in the UK in 2019.
J.P. Morgan’s network operated under various names, including Media Lab, at times based in physical offices in Kyiv, Ukraine.
A coordinated law enforcement action
The NCA worked closely with the Cyber Department of the Security Service of Ukraine, passing them information relating to Media Lab, enabling them to conduct 15 searches targeting several employees and group members on the day of action.
Working with partners, including the Singapore Police Force (SPF), the NCA was able to locate infrastructure used to manage and operate the ransomware strain Ransom Cartel and ensure that this was offline following the day of action.
Operational activity also took place in Portugal, where one person believed to be connected to the crime group was interviewed and her home and business premises were searched by the Judicial Police.
NCA Deputy Director Paul Foster, Head of the National Cyber Crime Unit, said: “This action is the culmination of complex and long running international investigations into J.P. Morgan and his criminal network, who have caused immeasurable harm to individuals and businesses around the world.
“As well as causing significant reputational and financial damage, their scams led victims to suffer severe stress and anxiety.
“Their impact goes far beyond the attacks they launched themselves. They essentially pioneered both the exploit kit and ransomware-as-a-service models, which have made it easier for people to become involved in cybercrime and continue to assist offenders.”