Ukrainian law enforcement authorities on Monday disclosed the arrest of a hacker responsible for the creation and management of a “powerful botnet” consisting of over 100,000 enslaved devices that was used to carry out distributed denial-of-service (DDoS) and spam attacks on behalf of paid customers.
The unnamed individual, from the Ivano-Frankivsk region of the country, is also said to have leveraged the automated network to detect vulnerabilities in websites and break into them as well as stage brute-force attacks in order to guess email passwords. The Ukrainian police agency said it conducted a raid of the suspect’s residence and seized their computer equipment as evidence of illegal activity.
“He looked for customers on the closed forums and Telegram chats and payments were made via blocked electronic payment systems,” the Security Service of Ukraine (SSU) said in a press statement. The payments were facilitated via WebMoney, a Russian money transfer platform banned in Ukraine.
But in what appears to be a trivial opsec error, the actor registered the WebMoney account with his legitimate address, thus allowing the officials to zero in on his whereabouts.
The development comes weeks after Russian cybersecurity firm Rostelecom-Solar, a subsidiary of the telecom operator Rostelecom, disclosed late last month that it had sinkholed a portion of the Mēris DDoS botnet that’s known to have co-opted an estimated 250,000 hosts into its mesh.
By intercepting and analyzing the commands used to control infected devices, the company said it was able to “detect 45,000 network devices, identify their geographic location and isolate them from the botnet.” Over 20% of the devices attacked are located in Brazil, followed by Ukraine, Indonesia, Poland, and India.