Blackhole Exploit Kit Author “Paunch” Arrested

The author of perhaps the most widely used malicious software that helps cybercriminals around the world steal millions of dollars from unsuspecting victims has reportedly been arrested.

Going by the online moniker of “Paunch”, and thought to be living in a town outside of Moscow, he is responsible for developing and updating the “Blackhole” exploit kit.

Several sources confirmed to SecurityWeek that the arrest of Paunch did occur, but were unable to provide additional details as this is an ongoing law enforcement operation. An official announcement from Moscow is expected next week.

Rumors of the arrest surfaced on Monday when Maarten Boone, a security analyst at Fox-IT tweeted, “BREAKING: Blackhole exploit kit author “Paunch” and his partners arrested in Russia”. 

Late Monday, Jerome Segura from MalwareBytes, highlighted that, an online service used to encrypt the exploit kit, had been offline.

Furthermore, a security researcher going by the name “Kafeine” noticed that a malicious Java applet, typically updated by Paunch once or twice each day, had not been changed for at least four days.

One Twitter user reported that Paunch’s account on crime forum Darkode had been deleted, though this has not been confirmed by SecurityWeek.

What’s interesting about Blackhole (and other exploit kits) is that it doesn’t actually steal money, exfiltrate data, or spy on victims. Instead, it is a “browser exploit pack” (BEP) used by cybercriminals to install a wide variety of malware onto systems, including Trojans such as Zeus, SpyEye, Fake A/V, and other types of malware.

As Rod Rasmussen explained in a 2012 SecurityWeek feature on the Blackhole exploit kit, the software is maintained and updated regularly, with a strong business model supporting it.

“Subscribers are continuously updated with the latest exploits against such software as Java, Adobe Flash Player, Adobe Reader, Microsoft Data Access Components (MDAC), and other programs and browser plug-ins. This means that cybercriminals don’t have to worry about finding exploits, engineering them, or updating their own code—that’s all done conveniently for them by Paunch and his crew.”

In 2012, the Blackhole exploit kit accounted for 27 percent of exploit sites and redirects from legitimate sites that had been hacked, according to Sophos.

Early this year, it was reported that the gang behind the Blackhole exploit kit had plans to branch out into new markets with a new, more expensive exploit kit (Cool Exploit) and a $100,000 budget to buy custom exploits to bundle into the kit, which would be more closely held.

If reports are true that Paunch has been taken in by authorities, it could mean big changes in the cybercriminal underworld.

“This may very well be the last update we see, unless somebody picks up the torch,” Jerome Segura commented. “Criminals that ‘rent’ the Blackhole exploit kit will no longer receive updates and eventually the exploit and payload are going to go stale.”

“In all likelihood, we are going to see cyber-crooks migrate their infrastructure towards other exploit kits very soon,” Segura continued. “In fact, Kafeine already spotted that the Reveton distribution moved from a Cool EK (maintained by Paunch) to a Whitehole exploit kit.”

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
