AMSTERDAM/LONDON–One of Eastern Europe’s most prolific cyber criminals has been arrested in a joint operation involving Belarus, Germany and the United States that aimed to dismantle a vast computer network used to carry out financial scams, officials said on Tuesday.
National police in Belarus, working with the U.S. Federal Bureau of Investigation, said they had arrested a citizen of Belarus on suspicion of selling malicious software who they described as administrator of the Andromeda network.
Andromeda is made up of a collection of “botnets”, or groups of computers that have been infected with viruses to allow hackers to control them remotely without the knowledge of their owners, These networks were in turn leased to other criminals to mount malware or phishing attacks and other online scams.
Swedish-American cyber security firm Recorded Future said they have “a high degree of certainty” that the arrested Belarussian is “Ar3s”, a prominent hacker in the Russian speaking cybercrime underground since 2004, who the firm has identified as the creator of the Andromeda botnet, among other hacking tools.
“Andromeda was one of the oldest malwares on the market,” said Jan Op Gen Oorths a spokesman for Europol, the European Union’s law enforcement agency. It estimated the malicious software infected more than 1 million computers worldwide every month, on average, dating back to at least 2011.
One #botnet Down. In a coordinated International cyber operation, one of the longest-running #malware families in existence known as #Andromeda was taken down. https://t.co/SDJc9GfKef pic.twitter.com/bIz9S4rUdW
— Pyramid (@PyramidCyber) December 6, 2017
Although authorities in Belarus declined to name the suspected hacker and Europol and the FBI declined to comment, the firm Recorded Future identified Ar3s as Sergei Yarets, a 33-year-old man living in Rechitsa, near Gomel, the second largest city in Belarus.
Reuters could not reach Yarets via phone or social media.
Yarets is identified on LinkedIn as technical director of OJSC “Televid”, a television broadcaster in southeastern Belarus.
A colleague at the company contacted by Reuters said Yarets had been arrested but declined to comment further.
A source at a government agency involved in the investigation said that the arrested hacker behind Andromeda was Yarets.
The Belarus Ministry of Internal Affairs in Minsk said officers had seized equipment from the hacker’s offices and he was cooperating with the investigation.
Information about the operation has been gradually released by Europol, the FBI and Belarus’s Investigative Committee over the past two days. No further arrests have been reported.
Cyber Crime Wholesaler
The shutdown of the Andromeda botnet, announced on Monday, was engineered by a taskforce coordinated by Europol which included several European law enforcement agencies, the FBI, the German Federal Office for Information Security and agencies from Australia, Belarus, Canada, Montenegro, Singapore and Taiwan.
The police operation, which involved help from Microsoft and ESET, a Slovakian cyber security firm, was significant both for the number of computers infected worldwidew and because Andromeda had been used over a number of years to distribute scores of new viruses.
Belarus authorities said the man they arrested charged other criminals $500 for each copy of Andromeda he sold to mount online attacks, and $10 for subsequent software updates.
Microsoft said Andromeda charged $150 for a keylogger to copy keystrokes to steal user names and passwords. And for $250, it offered modules to steal data from forms submitted by web browsers, or the capacity to spy on victims using remote control software from German firm Teamviewer.
— IT Security News (@IT_securitynews) December 6, 2017
German authorities, working with Microsoft, had taken control of the bulk of the network, so that information sent from infected computers was rerouted to safe police servers instead, a process known as “sinkholing.”
Information was sent to the sinkhole from more than 2 million unique internet addresses in the first 48 hours after the operation began on Nov. 29, Europol said.
Owners of infected computers are unlikely to even know or take action. More than 55 percent of computers found to be infected in a previous operation a year ago are still infected, Europol said.
By Toby Sterling and Eric Auchard