Suspected Pioneer of ‘Elite’ Ransomware Charged After 9-Year Hunt • The Register
The US has charged a suspect it believes is a Belarusian-Ukrainian cybercriminal whose crimes date back to 2011.

Maksim Silnikau, 38, was recently extradited from Poland to the US and formally charged in New Jersey and Virginia with crimes related to malvertising and ransomware, respectively.

Silnikau is accused of being behind several online aliases over the years, including “JPMorgan,” “xxx” and “lansky,” the Justice Department said.

Britain’s National Crime Agency (NCA) said in a simultaneous announcement that it has been investigating Silnikau since 2015 and was leading the international operation that led to the man’s arrest in Spain last year.

The NCA alleged that Silnikau was an “elite cybercriminal”, “one of the most prolific Russian-speaking cybercriminals in the world” and the founder of the first ransomware-as-a-service group, Reveton.

Silnikau’s alleged accomplices – Volodymyr Kadariya, 38, of Belarus, and Andrei Tarasov, 33, of Russia – also face charges in the US but have not yet been arrested.

Kadariya and Tarasov are believed to have assisted Silnikau in one of his cybercriminal activities: a malware and malvertising operation that lasted nearly a decade, from October 2013 to March 2022.

One of the most high-profile offenses the suspects are accused of is their involvement in the distribution of Angler, an exploit kit that was considered one of the most effective of its kind in its heyday, but mysteriously disappeared eight years ago.

“As alleged in the indictment, Silnikau and his accomplices distributed online advertisements to millions of Internet users for the purpose of disseminating harmful content,” said Nicole M. Argentieri, principal deputy assistant attorney general and chief of the Justice Department’s Criminal Division.

“These advertisements appeared legitimate, but were in fact designed to deliver malware that would compromise users’ devices or deliver ‘scareware’ that would trick users into giving up their sensitive personal information. Silnikau’s arrest and extradition demonstrate that the Criminal Division, in collaboration with its domestic and international partners, is committed to bringing to justice cybercriminals who target U.S. victims, regardless of where they are located.”

Charge Number One – New Jersey

In Newark, New Jersey, where charges against Silnikau were made public this week, he will be tried in connection with the long-running malvertising campaigns that ran between 2013 and 2022.

These campaigns took various forms, but according to the indictment, Silnikau et al. typically purchased advertising space on websites and directed web users to malicious domains that delivered malware to their devices. The DoJ said that web users were redirected to the malicious campaigns millions of times.

These ads would also sometimes deliver scareware – think of those primitive pop-ups from the early internet era that tried to convince users they had been hacked, or carried some similarly alarming message. They would of course urge users to download software that would “fix” the problem, but instead would drop real malware that often led to remote desktop access or data theft.

But the aspect of this campaign that has drawn the most attention from authorities was the distribution of Angler. The DoJ alleged that Silnikau and co. played “a leading role” in the distribution of the dangerous exploit kit, which was the malware loader of choice for cybercriminals at the time.

Kaspersky told us after Angler disappeared in 2016 that it believed the perpetrators were members of the Russian Lurk group, many of whom were arrested in 2016 and 2017 in connection with the group’s eponymous banking Trojan and Angler.

“At its peak, Angler represented 40 percent of all exploit kit infections, targeting approximately 100,000 devices and generating an estimated annual revenue of approximately $34 million,” the NCA said today.

Indictment Number Two – Virginia

The second charge relates to Silnikau’s alleged role as a ransomware boss in the Ransom Cartel group, which was founded in 2021.

Silnikau is said to have been a member of Russian cybercrime forums since 2005 and to have recruited employees to work for the cartel through these sites.

The Justice Department said that in addition to running the operation, Silnikau also supplied information to the cartel’s partners to carry out attacks, such as genuine login credentials for user accounts at the target organizations and details of already compromised devices.

The NCA added that Silnikau was also responsible for the Reveton ransomware group, the group that pioneered the ransomware-as-a-service business model that almost every modern group still uses today.

“Reveton victims received messages that appeared to be from the police, telling them that their screen and system had been locked and that they had downloaded illegal content, including child abuse material and copyrighted programmes,” the NCA said.

“Reveton was able to detect the use of a webcam and take a photo of the user to accompany the notification with a payment request. Victims were then forced to pay large fines for fear of imprisonment or to regain access to their devices.

“This scam extorted approximately $400,000 from victims every month between 2012 and 2014.”

Police believe British national Zain Qaiser is a former associate of Silnikau. He was convicted in 2019 for his role in the Reveton operation. The NCA alleges he worked with Silnikau to embed Angler into adverts on pornographic websites, which would then load Reveton and extort victims.

Qaiser was sentenced to six years and five months in prison, meaning he will be released around the time Silnikau’s case is concluded.

“In the District of New Jersey, Silnikau, Kadariya, and Tarasov are charged with conspiracy to commit wire fraud, conspiracy to commit computer fraud, and two counts of substantive wire fraud,” the DoJ said. “If convicted, Silnikau, Kadariya, and Tarasov face a maximum sentence of 27 years in prison for the wire fraud count, 10 years in prison for the computer fraud count, and 20 years in prison for each count of wire fraud.

“In the Eastern District of Virginia, Silnikau is charged with conspiracy to commit computer fraud and abuse, conspiracy to commit wire fraud, conspiracy to commit access device fraud, and two counts of wire fraud and aggravated identity theft. He faces a mandatory minimum sentence of two years in prison and a maximum sentence of 20 years in prison.” ®