UPDATED 22:45 EDT / DECEMBER 05 2017


Mastermind behind notorious Andromeda Botnet arrested in Belarus

The mastermind behind a notorious botnet operating since 2011 has been arrested following an international law enforcement effort to bring an end to his online activities.

33-year-old Sergey Jaretz of Rechitsa, Belarus was arrested by local authorities Dec. 4 on behalf of a joint task-force of European Union law enforcement agencies, the U.S. Federal Bureau of Investigation and several non-EU member states. According to local reports, Jaretz stands accused of being a participant in “an international forum of cybercriminals” that sold malicious software. He’s also accused of being an administrator of the unnamed forum at which “issues of committing illegal actions in the sphere of high technologies were discussed.”

Recorded Future, which was a participant in the investigation leading to the arrest, expanded further, saying that Jaretz was the mastermind of the international cybercriminal group responsible for the distribution and maintenance of the Andromeda Trojan. “We believe that the arrested person is the actor known as ‘Ar3s,’ one of the oldest and more highly respected members of the criminal underground,” the company said. “Ar3s is the mastermind behind the Andromeda Trojan and a longstanding administrator of the Damage Lab hacking forum.”

In a separate statement, Europol, quoting Microsoft Corp., said that Andromeda’s “main goal was to distribute other malware families” and that the malware and associated botnet “was associated with 80 malware families and, in the last six months… was detected on or blocked an average of over 1 million machines every month.” One of the malware families cited was the Avalanche Network, a botnet that at one stage was responsible for two-thirds of all phishing attacks globally. It was brought down in December 2016 following a four-year investigation by global law enforcement agencies.

Although Jaretz may well have been the mastermind behind Andromeda, his downfall ultimately came about through a simple, arguably careless mistake: discussing his hacking activities over a messaging account that was linked to his real name.

Recorded Future explained that it learned Ar3s was using the ICQ number “5777677” as one of his primary contact methods. Jaretz had previously used it to register, under his actual name, on multiple white-hacker and tech-oriented forums since the mid-2000s.

“Once we had a possible name, we conducted subsequent contact analysis based on ‘Sergey Jaretz’ and the above-mentioned ICQ number,” the report noted. “We discovered that the phone number of the Belarusian mobile carrier tied him with an individual in Rechica, Belarus named Sergey Jarets or Jaretz.”

Jaretz remains in custody pending a possible formal extradition request from European authorities, although he may first face charges in Belarus for breaches of local criminal laws.
