The suspect whom international authorities arrested in Belarus during a 29 November operation to dismantle the Andromeda botnet has been identified with a high degree of certainty as Jarets Sergey Grigorevich – aka Ar3s, a high-profile cyber-criminal and malware expert.
According to a 5 November blog post from Recorded Future's Insikt Group, whose researchers made the identification, Ar3s, 33, is the mastermind of the botnet, and “one of the oldest and more highly respected members of the criminal underground.”
Also known as Apec (in Russian), Ch1t3r, and Sergey Jaretz or Sergey Jarets, Grigorevich's dealings in the Russian-speaking underground date back to at least 2014, the post continues. “Ar3s is recognised as a leading expert in malware development and reverse engineering, network security, and antivirus technology,” write the blog post's authors Andrei Barysevich, director of advanced collection, and Alexandr Solad, intelligence analyst.
In addition to developing Andromeda, Ar3s also created the brute-forcing tool Windows SMTP Bruter v.1.2.3, and also the Swf-Inj Service, “which hijacks web traffic by embedding iFrame malware into SWF (small web format) files,” Recorded Future explains.
On Monday, the Investigative Committee of the Republic of Belarus issued a press release disclosing its role in the arrest, but did not specifically name the individual involved. Rather, the agency described the suspect as a Belarusian citizen and resident of the country's Gomel region, who served as a cyber-crime forum administrator, helping other online actors purchase and update malicious software. The Committee further reported that the suspect earned US$ 500 (£374) for every malware sale, and US$ 10 (£7) for every software update.
Recorded Future has since supplemented that information, reporting that the detainee specifically lives in the city of Rechitsa and on forums acted as both a guarantor of underground deals as well as an analyst.
During the investigation that preceded the crackdown on Andromeda, the FBI confirmed Ar3s' affiliation with the botnet by purchasing malware from the hacker and analysing the source code of his program, the Investigative Committee has stated. Following the arrest, investigators with the Belarus Ministry of Internal Affairs' Department of High-Tech Crimes Detection (also known as the K Office) uncovered direct evidence of the suspect's crimes through examination of his computer equipment, the press announcement continues.
Recorded Future reports that it identified Grigorevich as the suspect based on details released following his arrest (including his date of birth and location), as well as his forum activities and behaviour, linguistic patterns and photo materials.
Insikt analysts also observed that Ar3s last accessed the Russian forum DaMaGeLaB on 22 November, one week prior to the major law-enforcement operation. Based on online chatter, he may have been off the grid as far back as 20 November. This may indicate he is no longer free to access these websites.
Recorded Future researchers previously linked the handle Ar3s to a man named Sergey Jaretz, after finding that the ICQ (instant messaging client) number that Ar3s used as a contact method was connected to an internet user by that name. Jaretz was also registered on various white-hat hacker and technology forums, and researching this connection led to the discovery of a phone number from a Belarusian mobile carrier that also linked back to a man by the name of Sergey Jaretz or Jarets, who worked as a technical director for OJSC “Televid” Tele-Radio Company, which broadcasts throughout the Rechitsa area.