
Thread: Kingpin behind large chunk of world’s malware exploits led lavish life

  1. #1

    Kingpin behind large chunk of world’s malware exploits led lavish life

    Russian prosecutors confirm arrests connected to BlackHole Exploit kit.

    An online crime kingpin arrested in October and charged with creating and distributing the Blackhole exploit kit may have had his hand in as much as 40 percent of the world's malware infections, according to information released by the security firm that helped track him down.


    A screenshot showing BlackHole statistics

    The 27-year-old Russian, identified only as Paunch, allegedly earned about $50,000 per month selling BlackHole subscriptions for as much as $500 per month, according to a report published Friday by security firm Group-IB. He is also alleged to be behind the much more expensive Cool Exploit Kit and a "Crypt" service used to obfuscate malware to go undetected by antivirus programs. With more than 1,000 customers, he was able to lead a lavish lifestyle that included driving a white Porsche Cayenne, Group-IB said.


    A man Group-IB identifies as "Paunch" standing in front of a Porsche Cayenne.

    Exploit kits are the do-it-yourself tools used to embed crimeware into hacked or malicious websites so they target a host of vulnerabilities found on end-user computers. People who visit the websites are exposed to "drive-by" attacks that are often able to install highly malicious software on the computers with no sign that anything is amiss. Group-IB estimated that Paunch may have supplied the code used in as much as 40 percent of the PC crimeware infections worldwide. Researchers arrived at that guess by gauging sales of BlackHole and Cool, which they said accounted for about 40 percent of world revenue for exploit kits. Even assuming that some crimeware is installed independent of exploit kits, it's hard to overstate the role these two kits played in seeding the Web with exploit code that installed malware used in bank fraud and other forms of online crime.

    The Group-IB report came the same day the Russian Interior Ministry confirmed the arrests in October of 13 individuals that it said took part in the "dissemination of malicious software ('banking Trojans'), followed by unauthorized access to legally protected computer information (logins, passwords, electronic keys, certificates)." The statement didn't name Paunch or anyone else by name or handle, but it did say the group was connected to BlackHole. The statement came two months after a former police detective in Russia told Reuters that Paunch had been arrested. It's unknown if Paunch has made a court appearance or issued a plea of guilty or not guilty.

    According to Group-IB, Paunch worked with others to stockpile exploits, which typically target programming bugs in Internet Explorer, Oracle's Java software framework, Adobe's Reader and Flash applications, and other widely used programs. Group-IB said one alleged colleague, a third-party exploit broker who went by the handle J.P. Morgan, sent out a series of posts in underground crime forums announcing a budget of $100,000 to purchase exploits targeting unpatched and undocumented "zero-day" vulnerabilities. He later increased his war chest to $200,000. KrebsonSecurity's Brian Krebs said the budget eventually reached $450,000.

    Russian officials estimated that the BlackHole defendants inflicted damage of about 70 million rubles, equivalent to about $2.13 million based on current exchange rates. Krebs makes a convincing argument about why the real sum is likely much higher, since BlackHole was the driving force behind an entire ecosystem of other crimeware titles including ZeuS and Citadel.

    arstechnica.com
    The only thing necessary for the triumph of evil is for good men to do nothing

  3. #2

    Re: Kingpin behind large chunk of world’s malware exploits led lavish life

    Paunch and Arashi (age 23, arrested in 2012) are considered to be geniuses who taught the rest of their cyber criminal group.
    They owned a botnet of more than 4.5 million infected computers (6 million according to some other sources) and every week were adding about one million more.

    They were also renting the use of this botnet to anyone who had $$ to spend; the botnet was involved in DDoS attacks, sending spam, brute forcing passwords, and banking fraud.
    The investigation started in 2011 and at that time all members of the group were identified; 4 members were arrested in 2012, 13 members in this mentioned bust, and 1 member is still wanted internationally. All individuals are 25 to under 30 years old, spread across the Russian Federation with the majority in Moscow and St. Petersburg.

    Paunch was living in Togliatti (the name of the city has Italian roots; it is the Russian version of Detroit, an industrial car city).
    He was also the founder and owner of the Crypt.am (source code / payload encryption) service.

    In real life Paunch was a manager at an advertising and tourism agency (which never paid as much as his online crime career).

    If all charges stand in court, Arashi, as the leader of a criminal group, faces up to 20 years imprisonment, Paunch up to 10.

  4. #3

    Re: Kingpin behind large chunk of world’s malware exploits led lavish life

    Since Paunch's real name has already been leaked on Russian sites, I think it is OK to post it: Fedotov, Dmitriy Evgenevich (rus: Федотов, Дмитрий Евгеньевич)


    Quote Originally Posted by arstechnica.com
    ... Russian officials estimated that the BlackHole defendants inflicted damage of about 70 million rubles, equivalent to about $2.13 million based on current exchange rates...
    That is incorrect; the estimated damages are 26 billion roubles (USD $866 million).
    Last edited by NikSam; 12-09-2013 at 03:18 PM.
