The prolific hacker behind the Andromeda botnet was brought down by open source intelligence, according to the cybersecurity firm Recorded Future.
One day after an international collection of law enforcement announced the dismantlement of the long-running Andromeda botnet, researchers say they identified the man arrested in Belarus as the leader behind one of the oldest and widespread botnets in history.
Recorded Future identified Sergey Jaretz, a 33-year old male residing in Rechitsa, Belarus as recently arrested by Belarusian authorities as part of the global police effort. Online, he was known as Ar3s but he hasn’t been seen online since November 22.
“Ar3s is recognized as a leading expert in malware development and reverse engineering, network security, and antivirus technology,” Recorded Future analysts Andrei Barysevich and Alexandr Solad wrote in a blog post. “On technologically sophisticated forums he acts as a highly reputable guarantor of deals on the one hand, and an analyst on the other. ”
Andromeda, first created in 2011, was detected on an average of one million machines every month in the last six months. The malware and its plugins sold on cybercrime markets from $10 to $500, depending on the version.
In addition to Andromeda, Ar3s is also the developer of the Win32/Gamarue HTTP bot, the Windows SMTP Bruter v.1.2.3 and the “Swf-Inj Service” which uses malware to hijack web traffic.
Ar3s used the ICQ number “5777677” for communications. It’s a number which has also been connected, since at least 2005, to a person named “Sergey Jaretz.” A simple Google search finds the decade-old use of the number with the Jaretz name on numerous tech forums.
Barysevich and Solad connected the ICQ number to a phone number on the Belarusian mobile carrier MTC with a person named Sergey Jarets or Jaretz (in Russian: Сергей Григорьевич Ярец), a Belarusian management-level software engineer who can be found all over the web, including on LinkedIn.
Multiple law enforcement offices involved in the arrested did not respond to a request for comment on the arrested man’s identity.
Andromeda’s developers targeted the payment card industry in the U.S. in recent years, a profitable venture but one bound to attract attention.
“Andromeda malware has very long history,” researchers at the cybersecurity firm Avast wrote last year. “The authors are skilled programmers and operators, recently updating plugins, maintaining entire systems and looking for new infected domains with exploit kits.”
The operation against Andromeda was led by the FBI in the United States. The Investigative Committee of the Republic of Belarus posted a video of the arrest and seizure of Jaretz’s office on their YouTube page: