The suspected mastermind behind the massive Andromeda botnet that was recently taken down by international authorities has been identified as Jarets Sergey Grigorevich — one of the most prolific cybercriminals in Eastern Europe. Europol announced earlier this week that a Belarusian was arrested in connection with the botnet, but did not offer any details about the suspect.
The Andromeda malware botnet, also known as Gamarue or Wauchos, has been active since 2011 and has been advertised on the Dark Web as a crime kit that any hacker can buy a "piece" of to launch malware, phishing attacks or online scams. Linked with 80 malware families, Andromeda has been detected or blocked on nearly 1.1 million machines every month on average over the past six months.
Swedish-American cybersecurity firm Recorded Future assessed with a "high degree of certainty" that the arrested Belarusian is likely 33-year-old Jarets Sergey Grigorevich who also goes by the hacker moniker "Ar3s".
Grigorevich resided in Rechitsa, near Gomel, the second largest city in Belarus, before he was arrested by national police working with a global coalition including the FBI, Europol and other European law enforcement agencies. Microsoft and ESET also assisted in the operation.
However, authorities did not name the suspected hacker.
According to Recorded Future, Ar3s is one of the "oldest and more highly respected members of the criminal underground" and a longstanding administrator of the Damage Lab hacking forum.
"Ar3s is recognized as a leading expert in malware development and reverse engineering, network security, and antivirus technology," Recorded Future's director of advanced collection Andrei Barysevich and intelligence analyst Alexandr Solad wrote in a blog post.
Also known as "Apec", "Ch1t3r" or "Sergey Jarets", the hacker has operated in the Russian-speaking underground since at least 2004, experts said. He is also the developer of the Win32/Gamarue HTTP bot, the Windows SMTP Bruter v.1.2.3 and the "Swf-Inj Service" that hijacks web traffic using malware.
"Since following Ar3s, we learned that Ar3s has used the ICQ number '5777677' as one of his primary contact methods, which was connected to the internet user 'Sergey Jaretz', who was also registered on multiple white-hacker and tech-oriented forums since the mid-2000s," Recorded Future noted.
The Investigative Committee of the Republic of Belarus issued a press release disclosing the arrest of a Belarusian citizen and resident of the country's Gomel region who served as a cybercrime forum administrator. However, they did not name the suspect.
The Committee posted a video (embedded below) of the arrest and seizure of the hacker's office on YouTube.
Authorities noted that the arrested man charged other hackers $500 (£372) for every copy of Andromeda and $10 for every subsequent software update.