Following 24 hours of uncertainty, Europol has confirmed that the renowned Russian cyber-criminal known as Paunch has been arrested.

Europol Confirm Arrest of Blackhole Exploit Kit Creator Paunch
An artist\'s illustration shows a supermassive black hole, a phenomenon which gives its name to one of the most prevalent cyber-threats on the web. (Reuters)

In a move likely to have huge repercussions for the cyber-security industry, Europol has confirmed to TechWeekEurope journalist Tom Brewster that renowned Russian cyber-criminal Paunch has been arrested but didn't give much more detail.

Troels Oerting, head of the European Cybercrime Centre, an arm of Europol, confirmed an arrest had been made, the details of which were given to his organisation yesterday:

"I know it is true, we got some information, but I cannot say anymore," Oerting told TechWeekEurope. IBTimes UK contacted Europol for confirmation of the arrest and spokesperson Søren Kragh Pedersen said: "It is correct that Europol/EC3 has been informed that a high-level, suspected cyber-criminal has been arrested."

There is currently no information available about the circumstances of the arrest or the true identity of Paunch, who is known to be the leader of a Russian cyber-criminal gang and one of the creators of the Blackhole exploit kit.


The Blackhole exploit kit is used to booby-trap compromised websites in order to download malware without the person visiting the website even knowing it is happening. The types of malware typically downloaded include banking Trojans and ransomware.

According to AVG, Blackhole is the most prevalent web threat on the internet with 91% of all web threats detected by the anti-virus company due to this exploit kit.

Senior security researcher at MalwareBytes, Jerome Segura, said the arrest of Paunch would be a "major event in the exploit kit business, one that could trigger a chain reaction leading to more arrests and disruption."

The apparent confirmation comes after 24 hours of confusion following the first reports of the arrest on Twitter.

It started with a tweet

On Monday a tweet from Maarten Boone, a security researcher at Fox-IT, a Dutch security firm claimed that a Russian hacker nicknamed Paunch, one of the creators of the Blackhole exploit kit, had been arrested in Russia.

There were no more details from Boone, but the tweet was quickly picked up by others in the security industry. However Segura examined some other indications that pointed to the validity of Boone's tweet.

The first is that, a Russian service used to encrypt the Blackhole exploit kit, has been offline at least since Boone first tweeted about the alleged arrest. At the time of publication the service was still offline.

The second piece of corroborating evidence comes from French security researcher Kafeine, who has been documenting the Blackhole Exploit Kit for a long time, and in the wake of reports of Paunch's arrest, published a graphic showing how the malicious Java applet normally updates once or twice a day by Paunch simply hasn't changed in at least four days.


Unlike other pieces of malware, Blackhole is licenced from the owners and can be customised to suit the clients' particular needs. Cyber-criminals licencing the product can then redirect users from a malicious webpage to the Blackhole exploit kit server's landing page.

With Paunch being arrested it will mean that criminals who have rented Blackhole will no longer receive updates and eventually the exploit and payload are "going to go stale" according to Segura.