Suspected head of prolific cybercrime groups arrested and extradited

The NCA has been investigating the online moniker ‘J.P. Morgan’ and his criminal network since 2015, with parallel investigations also being run by the US Secret Service and FBI.

The NCA said J.P. Morgan and his associates are “elite cyber criminals” who practiced extreme operational and online security in an effort to avoid law enforcement detection.

Cybercrime specialists from the NCA, working closely with international partners, identified the real-world individuals responsible for several high-profile online monikers – including J.P. Morgan – and successfully tracked and located them as they sought to avoid detection across Europe.

Investigators established that these individuals were responsible for the development and distribution of notorious ransomware strains, including Reveton and most recently Ransom Cartel, as well as exploit kits, including Angler, which have extorted tens of millions from victims worldwide.

Following charges brought in the US against several individuals, a coordinated day of action took place on July 18, 2023, during which the Guardia Civil, supported by NCA and US officers, arrested 38-year-old Maksim Silnikau, also known as Maksym Silnikov, at an apartment in Estepona, Spain.

Silnikau, from Belarus, is believed to have used the J.P. Morgan moniker, as well as other notorious monikers within the cybercrime community including ‘xxx’ and ‘lansky’.

On Friday (August 9), Silnikau was extradited from Poland to the US to face charges relating to cybercrime offences.

Vladimir Kadariya, 38, from Belarus, and Andrei Tarasov, 33, from Russia, are also facing charges in the US for allegedly playing key roles in J.P. Morgan’s crime group.

The NCA said J.P. Morgan’s criminal activities can be traced back to at least 2011 when he and associates introduced Reveton, the first ever ransomware-as-a-service business model.

Such services provide a suite of tools that allow low skilled offenders to launch effective ransomware attacks for a fee and are now widely used, meaning they have significantly lowered the barrier to entry into cybercrime.

Victims of Reveton received messages purporting to be from law enforcement, with a notification that would lock their screen and system, accusing them of downloading illegal content such as child abuse material and copyrighted programmes.

Reveton could detect the use of a webcam and take an image of the user to accompany the notification with a demand for payment. Victims were then coerced into paying large fines through fear of imprisonment or to regain access to their devices.

The scam resulted in approximately $400,000 being extorted from victims every month from 2012 to 2014.

J.P. Morgan’s network also developed and distributed a number of exploit kits, including the notorious Angler Exploit Kit, which they used to conduct ‘malvertising’ campaigns.

These campaigns took a variety of forms, but generally involved the cyber criminals purchasing advertising space on legitimate websites and uploading ads which were laced with a malicious exploit kit.

The kit would seek out vulnerabilities in the website’s system which ultimately enabled it to deliver malware, including ransomware (Reveton, CryptXXX, CryptoWall and other strains), to a victim’s device.

Once the cyber criminals had infected a victim’s device, they were able to exploit them in a number of ways, often stealing banking credentials and sensitive personal information. A victim would potentially be forced to pay a ransom under threat of their information being published online.

NCA investigators established that British national Zain Qaiser was working with J.P. Morgan, launching Angler malvertising campaigns and sharing the profits with him.

Qaiser was convicted of blackmail, Computer Misuse Act and money laundering offences and sentenced to six years and five months imprisonment in the UK in 2019.

At its peak, Angler represented 40 per cent of all exploit kit infections, having targeted around 100,000 devices and with an estimated annual turnover of around $34 million.

To deliver exploit kits and malware, J.P. Morgan‘s network often inserted and disguised malware within online advertising in a way that prevented it from being detected by anti-virus software. They operated under various names, including Media Lab, at times based in physical offices in Kyiv, Ukraine.

These malvertising campaigns have impacted more than half a billion victims worldwide, including in the UK.

The NCA worked closely with the Cyber Department of the Security Service of Ukraine, passing it information relating to Media Lab, enabling it to conduct 15 searches targeting several employees and group members on the day of action.

Working with partners, including the Singapore Police Force (SPF), the NCA was able to locate infrastructure used to manage and operate the ransomware strain Ransom Cartel and ensure that this was offline following the day of action.

Operational activity also took place in Portugal, where one person believed to be connected to the crime group was interviewed and her home/business premises was searched by the Judicial Police.

Key evidence was obtained from the interviews and searches – including over 50 terabytes of data – which is being reviewed to support the ongoing investigation targeting further actors linked to this criminal network and associated cybercrime groups.

NCA Deputy Director Paul Foster, Head of the National Cyber Crime Unit, said: “This action is the culmination of complex and long running international investigations into J.P. Morgan and his criminal network, who have caused immeasurable harm to individuals and businesses around the world.

“As well as causing significant reputational and financial damage, their scams led victims to suffer severe stress and anxiety.

“Their impact goes far beyond the attacks they launched themselves. They essentially pioneered both the exploit kit and ransomware-as-a-service models, which have made it easier for people to become involved in cybercrime and continue to assist offenders.

“These are highly sophisticated cyber criminals who, for a number of years, were adept at masking their activity and identities.

“However, the NCA is committed to identifying the organised criminals at the top of the chain who direct the crime groups causing the greatest harm to the UK.

“Using our unique capabilities, and working closely with the US Secret Service, FBI and other international partners, we were able to identify, track and locate the individuals behind the online monikers, map the group’s activity and target their technical infrastructure, rendering a significant arm of their criminal operation inoperable.

“This is an extremely significant result in our continued efforts to protect the British public from cybercrime.”

He added: “Our investigation is ongoing, and anyone with relevant information, especially relating to the perpetrators, is urged to contact the NCA.”

US Secret Service Assistant Director of Investigations Brian Lambert said: “This arrest underscores a long-term investigation by the US Secret Service, in coordination with foreign, domestic and private partners, of cybercrime organisations that allegedly distributed the notorious Angler Exploit Kit, conducted malvertising and operated the Ransom Cartel ransomware organisation”.

“Cybercriminals should know that even if they attempt to hide their criminal conduct behind the anonymity of the internet that eventually, through the dedication of international law enforcement professionals, they will be apprehended and held accountable for their actions.”

Ransomware attacks are illegal acts which involve denying the user access to files on their computer, then encrypting these files and demanding a ransom in order to regain access. In the UK, it is a criminal offence under the Computer Misuse Act 1990 to conduct a ransomware attack or purchase a ransomware-as-a-service Product.

The Cyber Choices programme was created to help those on the fringes of committing cybercrime understand the law and encourage them to use their skills legally.

This is a national programme coordinated by the NCA and delivered by Cyber Choices teams within Regional Organised Crime Units and local police force cyber teams.

FBI Deputy Director Paul Abbate said: “Silnikau and his co-conspirators allegedly used malware and various online scams to target millions of unsuspecting internet users in the United States and around the world.

“They hid behind online aliases and engaged in complex, far-reaching cyber fraud schemes to compromise victim devices and steal sensitive personal information. The FBI will continue to work with partners to aggressively impose costs on cybercriminals and hold them accountable for their actions.”