An international operation led by the National Crime Agency (NCA) has successfully arrested and extradited a key figure in global cybercrime, believed to be one of the most prominent Russian-speaking cybercriminals. The NCA has been investigating the individual known online as “J.P. Morgan” and his network since 2015, alongside concurrent investigations by the U.S. Secret Service (USSS) and FBI.
J.P. Morgan and his associates are known for their high-level operational security, which has allowed them to evade law enforcement for years. NCA cybercrime specialists, collaborating with international partners, managed to uncover the identities of those behind several notorious online aliases, including J.P. Morgan, and tracked their movements across Europe.
Investigations revealed that this group was responsible for creating and distributing infamous ransomware strains like Reveton and Ransom Cartel, as well as exploit kits like Angler, which have collectively extorted millions from victims worldwide.
On July 18, 2023, a coordinated effort resulted in the arrest of 38-year-old Maksim Silnikau, also known as Maksym Silnikov, at his apartment in Estepona, Spain. This operation was supported by the Guardia Civil, NCA, and U.S. officers. Silnikau, originally from Belarus, is suspected of using the J.P. Morgan alias, along with other prominent monikers in the cybercrime community, such as “xxx” and “lansky.”
On August 9, 2024, Silnikau was extradited from Poland to the U.S. to face charges related to his cybercrime activities. Two other suspects, Vladimir Kadariya (38) from Belarus and Andrei Tarasov (33) from Russia, are also facing charges in the U.S. for their involvement in J.P. Morgan’s crime network.
J.P. Morgan’s criminal activities date back to at least 2011, when he and his associates introduced Reveton, the first ransomware-as-a-service model, which allowed low-skilled offenders to launch ransomware attacks for a fee, thereby lowering the entry barrier to cybercrime.
Victims of Reveton received screen-locking messages that falsely claimed to be from law enforcement and accused them of downloading illegal content. The ransomware could even capture images from victims’ webcams, adding to the pressure to pay large fines to regain access to their devices. This scam reportedly extorted around $400,000 per month from victims between 2012 and 2014.
The network also developed exploit kits like the Angler Exploit Kit, used for “malvertising” campaigns that injected malware into legitimate advertisements. These campaigns exploited vulnerabilities in websites to deliver ransomware and other malicious software to victims, compromising sensitive information and banking credentials.
British national Zain Qaiser collaborated with J.P. Morgan, running Angler malvertising campaigns and sharing profits. He was convicted of multiple charges, including blackmail and money laundering, and sentenced to over six years in prison in the UK in 2019.
At its peak, the Angler kit accounted for 40% of all exploit kit infections, affecting around 100,000 devices and generating an estimated $34 million annually. J.P. Morgan’s network often disguised malware within online ads to evade detection by antivirus software, operating under various names, including Media Lab, with physical offices in Kyiv, Ukraine.
The NCA worked closely with Ukraine’s Cyber Department to conduct searches related to Media Lab, resulting in 15 targeted actions on the day of the operation. Additionally, the NCA collaborated with the Singapore Police Force to locate infrastructure linked to Ransom Cartel and successfully shut it down.
During these operations, key evidence was gathered, including over 50 terabytes of data, which is currently under review to further investigate and target additional actors within this cybercrime network.