
Russians Claim To Have Nabbed Notorious Cybercriminal 'Paunch'

The suspect that Russian police are said to have arrested is believed to be behind the massively popular "Blackhole" and "Cool" exploit kits, which provide shortcuts to cybercriminals. (Photo @Shutterstock)

Russian authorities believe they have captured a notorious cybercriminal known in hacker circles as "Paunch" and thought to be responsible for two of the most prolific "exploit kits" employed to terrorize computer users around the globe.

Such tools provide shortcuts for cybercriminals seeking to infect computers to steal financial data or passwords, commit identity theft, or spam PC users with bogus sales offers, for instance.

While observers suggest Russia is the source of many mercenary hackers, arrests are extremely scarce and prosecutions even more rare.

The Internet security community has been abuzz since the reports emerged over indications that the arrest of Paunch and his partners led to an immediate drop-off in activity normally connected with the group.

Paunch has not been publicly identified by name, and Russian authorities have remained relatively silent over the arrest. Russian media, including RT, have confirmed the arrest. Reuters quoted a "former Russian police detective in contact with Russia's federal government" in reporting the news.

Paunch is believed to be behind "Blackhole" and "Cool," coded tools designed to help "automate cybercrime" by providing cybercriminals with "not only the tools for criminals to create and distribute malware, but also the systems used to manage networks of infected machines," according to leading cybersecurity provider Sophos.

The online sale of such exploit kits can reap many millions of dollars in sales for their creators.

Hints that Russian law enforcement was on the right track include decreased use of the "Blackhole" and "Cool" programs, the former of which was suspected of aiding at least one in four web attacks just two years ago.

The head of Europol's new European Cybercrime Centre (EC3), Troels Oerting, reportedly confirmed the arrest after a full day of intense speculation.

Oerting subsequently retweeted Finnish cybersecurity specialist Timo Hirvonen's illustration of the immediate effect that the arrest appeared to have. The graphs show a dramatic drop in "hits" employing "Blackhole" and "Cool."

BBC quoted the chief security expert at Moscow-based Internet protection firm Kaspersky Lab, Aleksandr Gostev, as saying "anonymous sources" had confirmed the arrest to him.

Conde Nast Digital's tech news website Ars Technica highlighted both the massive role that Paunch has played in undermining online security and the danger of assuming that his or her arrest will translate into relief for PC users anywhere. It noted that while Blackhole was thought to play a part in nearly a third of Internet attacks in 2011, "Blackhole" and "Cool" "only make up four percent of the market" now.

Online specialist magazine Infosecurity underscores the continuing risk, quoting Luis Corrons, technical director at PandaLabs, who told the magazine:

"[W]e should not get over-excited. Sadly there are a number of different exploit kits that are being used now, which means that current Blackhole customers will simply move to one of those: Styx, Sweetorange, Cnmeboss, Cool [possibly also authored by Paunch], Sibhost, Popads, Fiesta, Sofosfo, Whitehole, Reddot, Impact, flimkil, etc. As you can see this is a (black) business with a lot of different players."

-- Andy Heil

About This Blog

Written by RFE/RL editors and correspondents, Transmission serves up news, comment, and the odd silly dictator story. While our primary concern is with foreign policy, Transmission is also a place for the ideas -- some serious, some irreverent -- that bubble up from our bureaus. The name recognizes RFE/RL's role as a surrogate broadcaster to places without free media.