Security Experts:

Blackhole Exploit Kit Author "Paunch" Arrested

The author of perhaps the most widely used malicious software that helps cybercriminals around the world steal millions of dollars from unsuspecting victims has reportedly been arrested.

Going by the online moniker of “Paunch”, and thought to be living in a town outside of Moscow, he is responsible for developing and updating the “Blackhole” exploit kit.

Several sources confirmed to SecurityWeek that the arrest of Paunch did occur, but were unable to provide additional details as this is an ongoing law enforcement operation. An official announcement from Moscow is expected next week.

Rumors of the arrest surfaced on Monday when Maarten Boone, a security analyst at Fox-IT tweeted, “BREAKING: Blackhole exploit kit author "Paunch" and his partners arrested in Russia”. 

Blackhole Exploit Kit by Paunch

Late Monday, Jerome Segura from MalwareBytes, highlighted that, an online service used to encrypt the exploit kit, had been offline.

Furthermore, a security researcher going by the name "Kafeine" noticed that a malicious Java applet typically updated by Paunch once or twice each day, had not been changed for at least four days.

One Twitter user reported that Paunch’s account on crime forum Darkode had been deleted, though this has not been confirmed by SecurityWeek.

What’s interesting about Blackhole (and other exploits kits), is that it doesn’t actually steal money, exfiltrate data, or spy on victims, but instead is a “browser exploit pack” (BEP) used by cybercriminals to install a wide variety of malware onto systems, including Trojans such as Zeus, SpyEye, Fake A/V, and other types of malware.

As Rod Rasmussen explained in a 2012 SecurityWeek feature on the Blackhole exploit kit, the software is maintained and updated regularly, with a strong business model supporting it.

“Subscribers are continuously updated with the latest exploits against such software as Java, Adobe Flash Player, Adobe Reader, Microsoft Data Access Components (MDAC), and other programs and browser plug-ins. This means that cybercriminals don’t have to worry about finding exploits, engineering them, or updating their own code—that’s all done conveniently for them by Paunch and his crew.”

In 2012, the Blackhole exploit kit accounted for 27 percent of exploit sites and redirects from legitimate sites that had been hacked, according to Sophos.

Early this year, it was reported that the gang behind the Blackhole exploit kit had plans to branch out into new markets with a new, more expensive exploit kit (Cool Exploit) and a $100,000 budget to buy custom exploits to bundle into the kit, which would be more closely held.

If reports are true that Paunch has been taken in by authorities, it could mean big changes in the cybercriminal underworld.

“This may very well be the last update we see, unless somebody picks up the torch,” Jerome Segura commented. “Criminals that ‘rent’ the Blackhole exploit kit will no longer receive updates and eventually the exploit and payload are going to go stale.”

“In all likelihood, we are going to see cyber-crooks migrate their infrastructure towards other exploit kits very soon,” Segura continued. “In fact, Kafeine already spotted that the Reveton distribution moved from a Cool EK (maintained by Paunch) to a Whitehole exploit kit.”

Related: Blackhole Exploit - A Business Savvy Cybergang Driving a Massive Wave of Fraud

Related: Black Hole Exploit Kit Gets an Upgrade

RelatedOracle Java Vulnerability Exploit Rolled into BlackHole Kit 

RelatedCryptome Hit by Blackhole Exploit Kit

view counter
For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.