J.P. Morgan arrested: Police swoop on “world’s most prolific” Russian-speaking cybercriminal

Cops claim the crook "essentially pioneered both the exploit kit and ransomware-as-a-service models".

The Guardia Civil arrest a man believed to be J.P. Morgan in Spain

Cops have arrested and deported a man believed to be “J.P. Morgan” - the alias of “one of the world’s most prolific Russian-speaking cybercrime actors.”

The UK National Crime Agency (NCA) has been investigating J.P. and his criminal network since 2015 in partnership with the United States Secret Service (USSS) and FBI.

Together, investigators cracked the “extreme operational and online security” of the “elite cybercriminals” to track their movements across Europe.

It’s alleged that J.P. and his gang developed and distributed notorious ransomware strains, including Reveton and Ransom Cartel, as well as exploit kits, including Angler, which have extorted tens of millions of dollars from victims worldwide.

After the US brought charges against several individuals, a “coordinated day of action” took place on 18 July 2023. The Guardia Civil arrested a 38-year-old man at an apartment in Estepona, Spain. He has now been extradited to the US to face cybercrime charges.

As well as using the moniker J.P. Morgan, the crook was also known as “xxx” and “lansky”.

A 38-year-old man from Belarus and a 33-year-old from Russia are also facing charges in the US for “allegedly playing key roles in J.P. Morgan’s crime group”.

The Morgan-mobile: This is believed to be the cybercriminal's car

J.P. Morgan’s criminal activities are believed to have begun in 2011 when he introduced Reveton, which the NCA described as the first-ever ransomware-as-a-service business model.

These services “provide a suite of tools that allow low-skilled offenders to launch effective ransomware attacks for a fee and are now widely used, meaning they have significantly lowered the barrier to entry into cybercrime”.

The NCA wrote: “Victims of Reveton received messages purporting to be from law enforcement, with a notification that would lock their screen and system, accusing them of downloading illegal content such as child abuse material and copyrighted programmes.

“Reveton could detect the use of a webcam and take an image of the user to accompany the notification with a demand for payment. Victims were then coerced into paying large fines through fear of imprisonment or to regain access to their devices. The scam resulted in approximately $400,000 being extorted from victims every month from 2012 to 2014.”

The Angler Exploit Kit was used to conduct malvertising campaigns in which cyber criminals purchased advertising space on legitimate websites and uploaded ads which were laced with a malicious exploit kit.

The kit would seek out vulnerabilities in the website’s systems and use them to deliver malware, including ransomware such as Reveton, CryptXXX, CryptoWall and other strains to a victim’s device.

At its peak, Angler is alleged to have made up 40% of all exploit kit infections, targeting roughly 100,000 devices and generating an estimated annual turnover of around $34 million.

“Once the cybercriminals had infected a victim’s device, they were able to exploit them in a number of ways, often stealing banking credentials and sensitive personal information,” the NCA added. “A victim would potentially be forced to pay a ransom under threat of their information being published online.”

The British connection

NCA investigators have also established that a British national was working with J.P. Morgan to launch Angler malvertising campaigns and share the profits.

That man was convicted of blackmail, Computer Misuse Act and money laundering offences and sentenced to six years and five months' imprisonment in the UK in 2019.

Paul Foster, NCA Deputy Director and Head of the National Cyber Crime Unit, said: “This action is the culmination of complex and long running international investigations into J.P. Morgan and his criminal network, who have caused immeasurable harm to individuals and businesses around the world.

“As well as causing significant reputational and financial damage, their scams led victims to suffer severe stress and anxiety. Their impact goes far beyond the attacks they launched themselves. They essentially pioneered both the exploit kit and ransomware-as-a-service models, which have made it easier for people to become involved in cybercrime and continue to assist offenders.

“These are highly sophisticated cyber criminals who, for a number of years, were adept at masking their activity and identities. Using our unique capabilities, and working closely with the US Secret Service, FBI and other international partners, we were able to identify, track and locate the individuals behind the online monikers, map the group’s activity and target their technical infrastructure, rendering a significant arm of their criminal operation inoperable.”

The Secret Service speaks

Brian Lambert, the United States Secret Service's Assistant Director of Investigations, added: “This arrest underscores a long-term investigation by the U.S. Secret Service, in coordination with foreign, domestic and private partners, of cybercrime organisations that allegedly distributed the notorious Angler Exploit Kit, conducted malvertising and operated the Ransom Cartel ransomware organisation.

“Cybercriminals should know that even if they attempt to hide their criminal conduct behind the anonymity of the internet that eventually, through the dedication of international law enforcement professionals, they will be apprehended and held accountable for their actions.”
