Belarusian-Ukrainian hacker extradited to US for ransomware and cybercrime

An operation by a coalition of law enforcement agencies, coordinated by the UK’s National Crime Agency (NCA), has led to the arrest and extradition of a dual Belarusian-Ukrainian national suspected of links to Russian-speaking cybercrime groups.

Maksim Silnikau (aka Maksym Silnikov), 38, who went by the online names JP Morgan, xxx and lansky, was extradited from Poland to the U.S. on August 9, 2024, to face charges related to international computer hacking and wire fraud.

“JP Morgan and his associates are elite cybercriminals who have deployed extreme operational and online security to avoid detection by law enforcement,” the NCA said in a statement.

These individuals, the agency said, were responsible for developing and distributing ransomware strains such as Reveton and Ransom Cartel, as well as exploit kits such as Angler. Reveton, launched in 2011, has been described as the “first-ever ransomware-as-a-service business model.”

Victims of Reveton received messages that appeared to be from police, accusing them of downloading child abuse material and copyrighted programs, and threatening them with large fines to avoid jail time and regain access to their locked devices.

The scam resulted in approximately $400,000 being extorted from victims monthly from 2012 to 2014, with Angler infections at its peak generating an estimated annual revenue of approximately $34 million. It is believed that as many as 100,000 devices were targeted with the exploit kit.

Silnikau, along with Volodymyr Kadariya and Andrei Tarasov, is believed to have been involved in the distribution of Angler and in the use of malvertising techniques from October 2013 to March 2022 to spread malicious and fraudulent content designed to trick users into providing their sensitive personal data.

The stolen information, such as banking details and login credentials, and access to the compromised devices, were then offered for sale on Russian cybercrime forums on the dark web.

“Silnikau and his accomplices allegedly used malware and a variety of online scams to target millions of unsuspecting Internet users in the United States and around the world,” said FBI Assistant Director Paul Abbate. “They hid behind online aliases and engaged in complex, high-profile cyberfraud schemes to compromise victims’ devices and steal sensitive personal information.”

According to the U.S. Department of Justice (DoJ), the criminal scheme not only forcibly redirected unsuspecting Internet users to malicious content millions of times, but also defrauded and attempted to defraud several U.S. companies involved in the sale and distribution of legitimate online advertising.

One of the most well-known methods of spreading malware was the Angler Exploit Kit, which exploited vulnerabilities in web browsers and plugins to display “scareware” ads. These ads displayed warning messages claiming that a computer virus had been detected on victims’ devices. Victims were then tricked into downloading remote access trojans or exposing personal or financial information.

“For years, the conspirators deceived advertising companies into carrying out their malvertising campaigns by using dozens of online personas and fictitious entities posing as legitimate advertising companies,” the U.S. Department of Justice said.

“They also developed and used advanced technologies and computer code to refine their malvertisements, malware, and computing infrastructure to hide the malicious nature of their advertisements.”

In a separate indictment from the Eastern District of Virginia, Silnikau is also accused of being the creator and administrator of the Ransom Cartel ransomware variant that began operating in May 2021.

“Silnikau allegedly distributed information and tools to participants in the Ransom Cartel on several occasions, including information about compromised computers, such as stolen login credentials, and tools designed to encrypt or ‘lock’ compromised computers, for example,” the U.S. Department of Justice said.

“Silnikau also allegedly set up and maintained a hidden website where he and his accomplices could monitor and control ransomware attacks; communicate with each other; communicate with victims, including sending and negotiating payment requests; and manage the distribution of funds between accomplices.”

Silnikau, Kadariya and Tarasov are charged with conspiracy to commit wire fraud, conspiracy to commit computer fraud and two counts of substantive wire fraud. Silnikau is further charged with conspiracy to commit computer fraud and abuse, conspiracy to commit wire fraud, conspiracy to commit access device fraud and two counts of wire fraud and aggravated identity theft.

If found guilty on all counts, Silnikau faces more than 50 years in prison. Before his extradition, he was arrested in July 2023 at an apartment in Estepona, Spain, as part of a coordinated effort between Spain, the UK and the US.

“Their impact goes far beyond the attacks they launched themselves,” said NCA Deputy Director Paul Foster. “They were in fact the pioneers of both the exploit kit and ransomware-as-a-service models, which have made it easier for people to get involved in cybercrime and continue to help offenders.”

“These are highly sophisticated cybercriminals who have managed to hide their activities and identities for years.”
