Group-IB helps suppress the activities of the “Blackhole” exploit-kit author; “Paunch” arrested
06.12.2013, Moscow. Group-IB has disclosed that it assisted the police in investigating and suppressing the criminal activities of a well-known hacker operating on the Internet under the handle ‘paunch’. He was arrested on October 4, 2013. The 27-year-old resided in the city of Togliatti. Paunch is the author of the notorious BlackHole and Cool exploit kits, which remain popular among cybercriminals today. He also created Crypt.Am, an anonymous anti-virus checking service. Besides the founder of these criminal services, police officers brought charges against 12 further members of an interregional criminal group (including such known cybercriminals as Germes, Pioneer, ADV and velles). The members of this criminal community were charged under Article 210, parts 1 and 2, of the Criminal Code of the Russian Federation (creation of, and participation in, a criminal community (criminal organization) for the joint commission of one or more serious or especially serious crimes). The total damage caused by this group is estimated at 70 million rubles.
The BlackHole Exploit Kit found its first buyer in the summer of 2010 and gradually gained immense popularity among cybercriminals wishing to spread malicious programs. To install malware on users' computers, BlackHole exploits vulnerabilities in web browsers and their plugins, including so-called zero-day vulnerabilities (vulnerabilities for which the vendor has not yet released a patch). Compromised web pages and malicious links in spammed emails were the main channels through which BlackHole delivered its malicious payload to a victim's computer.
The BlackHole Exploit Kit was rented out on the seller's own server for $500 per month. Renting the software itself for installation on the customer's own server cost $700 for three months. According to current reports, the BlackHole kingpin ‘Paunch’ had more than a thousand customers. It is known that ‘Paunch’ was earning $50,000 per month from his illegal activity and drove a white Porsche Cayenne as his personal car.
Blackhole statistics page, version 2.0.1
Over the years, the BlackHole Exploit Kit became increasingly popular among cybercriminals. It was used by many of them to steal from Internet banking customers in Russia, Ukraine, the USA and many other countries. In 2012, Paunch released a new branch of the exploit kit, the Cool Exploit Kit, designed to meet the higher demands of key customers. It focused primarily on improving the reliability of exploitation and, as a result, increasing the number of malicious programs installed on victims' computers. The Cool Exploit Kit was rented out at a higher price and was not available to beginner hackers. According to recent data received from many cybersecurity companies, the BlackHole and Cool Exploit Kits together accounted for about 40% of the exploit-kit market. By that measure, roughly 40% of exploit-kit infections worldwide were carried out with tools supplied by ‘paunch’.
It is notable that ‘Paunch’ used his connections with a known fraudster, a.k.a. ‘J.P.MORGAN’, to buy new exploits. On various hacker forums, J.P.MORGAN posted ads seeking zero-day browser vulnerabilities and gave his Jabber contact address as email@example.com. The original purchase budget for the exploits was $100 thousand, later increased to $200 thousand. To acquire new exploits, attempts were also made to contact some well-known brokers actively working with government agencies.
Ads seeking browser exploits (on Russian and foreign platforms)
In addition to selling exploits, ‘paunch’ also ran and supported the online service Crypt.am, which automatically obfuscated (“crypted”) executables. In other words, Crypt.am was a service for protecting malware against detection by anti-virus programs. The unlimited tariff (no limit on the number of “protected” malicious programs) cost $50 per month.
Fragment of the home page of Crypt.am
Group-IB is one of the leading international companies specializing in the prevention and investigation of high-tech cybercrime and fraud. The company offers a range of services for preventing financial and reputational damage, consulting and auditing of information security systems, and computer forensics. The company also develops a number of innovative software products used to monitor, detect and prevent emerging cyber threats.
The Group-IB team is made up of experts with unique skills and solid practical experience. They hold international certifications such as CISSP, CISA, CISM, CEH, CWSP and GCFA, as well as Russian state information security certificates. In 2013, the computer security incident response team CERT-GIB, operated by Group-IB, became a member of FIRST (Forum of Incident Response and Security Teams).
Also in 2013, the company became a member of the international cyber security alliance IMPACT (International Multilateral Partnership Against Cyber Threats).
For more information, please contact:
Georgiy Pulyaevskiy, PR Manager, Group-IB
Phone: +7 495 984 3364 ext. 092
Phone: +7 964 766-24-26