
Cyber criminal kingpin ‘J.P. Morgan’ appears in US court

‘J.P. Morgan’, a Belarusian cyber criminal who ran a major ransomware campaign supported by malvertising scams, faces decades in prison in the United States after being extradited from the EU

One of the world’s most notorious Russian-speaking cyber criminals, who went by the handle “J.P. Morgan”, among others, has appeared in court in the United States following his extradition from Poland.

Belarusian national Maksim Silnikau, also styled as Maksym Silnikov, aged 38, was arrested in July 2023 in Estepona, Spain, during a coordinated operation by Spain’s Guardia Civil, the UK’s National Crime Agency (NCA), and US authorities in the culmination of an investigation dating back to 2015.

Along with his associates, named in US indictments as Vladimir Kadariya from Belarus, and Andrei Tarasov from Russia, “J.P. Morgan” practiced “extreme operational and online security” to throw their pursuers off the scent, even as they operated a significant cyber criminal cartel that developed ransomware strains such as Reveton and Ransom Cartel, which netted them tens of millions of dollars.

National Crime Agency deputy director Paul Foster, head of the National Cyber Crime Unit, said: “This action is the culmination of complex and long-running international investigations into ‘J.P. Morgan’ and his criminal network, who have caused immeasurable harm to individuals and businesses around the world.

“As well as causing significant reputational and financial damage, their scams led victims to suffer severe stress and anxiety,” said Foster. “Their impact goes far beyond the attacks they launched themselves. They essentially pioneered both the exploit kit and ransomware-as-a-service [RaaS] models, which have made it easier for people to become involved in cyber crime and continue to assist offenders.

“These are highly sophisticated cyber criminals who, for a number of years, were adept at masking their activity and identities. However, the NCA is committed to identifying the organised criminals at the top of the chain who direct the crime groups causing the greatest harm to the UK.

“Using our unique capabilities, and working closely with the US Secret Service, FBI and other international partners, we were able to identify, track and locate the individuals behind the online monikers, map the group’s activity and target their technical infrastructure, rendering a significant arm of their criminal operation inoperable.

“This is an extremely significant result in our continued efforts to protect the British public from cyber crime,” he added.

The joint investigation, which also spanned Portugal, Singapore and Ukraine, is ongoing. So far, the authorities have obtained over 50 terabytes of data, which is still being reviewed in the hope that it will be used to support further actions targeting others linked to “J.P. Morgan”.

Foster urged anybody with relevant information to contact the NCA on [email protected] or via Crimestoppers on 0800 555 111.

Lengthy career

“J.P. Morgan” began his criminal career in 2011 when Reveton appeared on the scene with the then-novel RaaS business model, which enables low-skilled criminals to launch effective cyber attacks by buying locker malware and other tools from more competent developers, who then take a cut of any profits made.

Reveton was a particularly nasty strain of ransomware that targeted private individuals rather than businesses. It sent its victims messages purporting to be from the police, notifying them that their screens and systems were being locked, accusing them of downloading illegal content, including pirated TV shows and even child sexual abuse material (CSAM).

It was also able to detect the use of a webcam and use it to take images of the victim to accompany the notification with a demand for payment. Many victims were coerced into handing over large sums of money in the belief that they might be imprisoned – between 2012 and 2014, Reveton is thought to have netted the gang $400,000 every month.

Meanwhile, J.P. Morgan and his network were also developing and distributing exploit kits, including the well-known Angler Exploit Kit, which was used to conduct malvertising campaigns. In these campaigns, the gang often bought ad space on legitimate websites and uploaded ads laced with Angler, which sought out vulnerabilities in the website’s system and used them to deliver malware, including Reveton, without being detected by antivirus software.

At its peak, Angler represented 40% of exploit kit infections worldwide and turned over $34m per annum. For a time, the gang was able to operate out of a physical office in Kyiv using the name Media Lab to appear legitimate.

A British national, Zain Qaiser, of Barking in Essex, was convicted in 2019 over his involvement in the Angler malvertising campaigns. Qaiser spent the proceeds of his crime spree on high-end hotel stays, drugs and prostitutes, in addition to a £5,000 Rolex watch. In one 10-month period, said the NCA, Qaiser also spent £68,000 on gambling in a London casino.

Indictments

Along with his co-conspirators, J.P. Morgan has been charged in New Jersey with conspiracy to commit wire fraud, conspiracy to commit computer fraud, and two counts of substantive wire fraud. They face a maximum penalty of 27 years in prison for the first charge, 10 for the second, and 20 for each of the third charges.

J.P. Morgan is additionally charged in Virginia with conspiracy to commit computer fraud and abuse, conspiracy to commit wire fraud, conspiracy to commit access device fraud, and two counts each of wire fraud and aggravated identity theft. These charges carry a mandatory minimum two-year jail term, and a maximum penalty of 20 years in prison.

At this time, the indictments are merely allegations and all defendants will be presumed innocent until proven otherwise beyond reasonable doubt.

“Today, the Justice Department takes another step forward in disrupting ransomware actors and malicious cyber criminals who prey on victims in the US and around the world,” said US deputy attorney general Lisa Monaco.

“As alleged, for over a decade, the defendant used a host of online disguises and a network of fraudulent ad campaigns to spread ransomware and scam US businesses and consumers. Now, thanks to the hard work of federal agents and prosecutors, along with Polish law enforcement colleagues, Maksim Silnikau must answer these grave charges in an American courtroom.” 
