Blackhole Exploit Kit creator ‘Paunch’ in custody, Russian police confirm

The first photograph shows a slightly overweight young man standing in front of a white Porsche Cayenne, cigarette in hand, expression uneasy. In a second he appears to be reading a charge sheet as a masked military policeman in black stands guard in the background.

Could this confused-looking individual really be the creator of one of the most successful and feared cybercrime tools of all time?

As previously reported, now confirmed by Russian police, the still unnamed 27-year old man is said to be ‘Paunch’ (his nickname), arrested on 4 October with a dozen others in the city of Togliatti, accused of programming the hugely successful Blackhole Exploit Kit used in attacks on countless millions of Internet users since 2010.

Criminals come and go of course, but if the man nabbed by police really is the creator of Blackhole his arrest is hugely significant. It’s hard to put into numbers how massive this one kit had become from its earliest days in the summer of 2010 to its sudden disappearance only weeks ago after his arrest. No summary of malware activity in the last three years was complete without mentioning it under a heading of its own.

Designed as a service that could be rented by criminals for $500 per month, Blackhole was an all-in-one solution for the aspiring cybercriminal out to attack browser users through compromised web pages and – the service’s speciality – using top-notch exploits for zero-day flaws. It became one of the most important means of attacking online bank systems.

Russian security firm Group-IB (which said it had assisted police in tracking him down and published the pictures), estimates that the accused man had around 1,000 customers across the world of cybercrime. Without this kit, the cybercrime scene of the last three years would have been measurably smaller and duller.

Part of his success was down to this ability to source zero-days by the bucket-load.

“The original purchase budget for the exploits was $100 thousand, but was later increased to $200 thousand. To purchase new exploits, attempts were made to contact some well-known brokers actively working with government agencies,” said Group-IB without elaborating on which brokers these were.

According to police, Paunch’s alleged criminal activities resulted in financial damage of 70 million roubles (about APS1.6 million), a laughably small sum; the real global figure must be a hundred times that or more.

Only days after rumours of Paunch’s arrest emerged in October, it was obvious something major had occurred; criminals had started abandoning Blackhole in favour of rival malware kits. So Blackhole isn’t the only exploit kit out there and if the Russian accused does turn out to be Paunch, his arrest be the perfect business opportunity for delighted rivals stepping up to service what appears to be a huge customer base.