Earlier this month, Belarusian authorities released from prison Sergey Yarets, a notorious cybercriminal and co-developer of the Andromeda botnet.
Yarets, who used the online moniker of Ar3s, was arrested in late November 2017, when Federal Bureau of Investigation (FBI) and law enforcement agencies in Europe dismantled the Andromeda botnet.
Also known as Gamarue or Wauchos, Andromeda has been around since 2011, its primary purpose being that of credential theft and malware distribution. Detected on over 1 million machines each month during the second half of 2017, the botnet had been associated with 80 malware families.
At the time of takedown, security researchers identified 464 distinct Andromeda botnets and 1,214 domains and IP addresses of command and control (C&C) servers. In January this year, ESET warned of difficult cleaning efforts for such a long-lived botnet and said Andromeda would die a slow death.
Despite Andromeda’s size (victims were identified in over 200 countries) and the considerable effort international law enforcement agencies and private organizations put into taking it down, Yarets was released on August 9, 2018.
When arrested, Yarets was charged for his involvement in the sale, maintenance, and use of Andromeda. A resident of Rechitsa, Gomel Region, Belarus, he was formerly a technical director at OJSC “Televid” Tele-Radio, threat intelligence provider Recorded Future reveals.
Opposition news agency Radio Svaboda, the only Belarusian media outlet to have reported the release, says that Yarets was ordered to pay $5,500 as retribution for the income made from the botnet, and that his apparent cooperation with the authorities was what led to his quick release.
As per Radio Svaboda Belarus’ reporting, Yarets’s lawyer “elaborated that Yarets’s extraordinary knowledge should serve the country’s interests and that there was no evidence of damage done to Belarusian citizens or organizations because Yarets did not target member countries of the Commonwealth of Independent States,” Recorded Future notes.
Yarets apparently claimed that Andromeda was created by a “genius and alcoholic” developer, supposedly the Russian threat actor waahoo. Yarets claims he received the exclusive rights of the Andromeda Trojan in 2012.
Although waahoo apparently continued to be involved in the Trojan’s development until approximately 2015, Yarets was the only one responsible for Andromeda’s operation at the time of his arrest.
“The Belarusian investigators and judges most likely knew this but did not take it into account for unknown reasons,” Recorded Future notes.
“This case is an example of a selective approach toward the punishment of cybercriminals in ex-Soviet states, allowing them to avoid just punishment when states are interested in them, diminishing the importance and efficiency of international cooperation in this field,” the security firm concludes.