Notorious Cybercrime Kingpin “J.P. Morgan” Arrested and Extradited
Maksym Silnikov, a major figure in the cybercrime world, was arrested in Spain and extradited to the United States, where he faces charges of orchestrating the Ransom Cartel ransomware campaign and masterminding a large-scale malvertising scheme that operated from 2013 to 2022.
The 38-year-old Silnikov, known by his aliases “J.P. Morgan” and “lansky” on hacker forums, had long been on the radar of intelligence agencies due to his involvement in high-profile cyberattacks. According to British intelligence, Silnikov and his associates—elite cybercriminals—employed stringent measures to secure their online activities and evade capture.
In the latest case, Silnikov is accused of creating and managing a “Ransomware-as-a-Service” (RaaS) scheme, which was actively used to target companies and individuals. Silnikov played a key role in negotiating with Initial Access Brokers (IABs) who provided access to compromised corporate networks, as well as managing communications with victims and handling ransom payments. He was also responsible for laundering the ransom money through cryptocurrency mixers to obscure financial transactions and hinder law enforcement efforts.
Additionally, Silnikov was behind the creation of Reveton—a trojan that locked access to Windows systems and demanded a ransom for their release. The malicious software masqueraded as a law enforcement tool, locking computers under the pretext of detecting child pornography and copyright-protected materials. From its launch in 2011 until 2014, Reveton generated approximately $400,000 daily for various cybercriminals.
Silnikov’s activities in malvertising (from October 2013 to March 2022) were also extensive and devastating. His role involved developing and distributing malicious advertisements that appeared benign but in reality redirected users to sites hosting viruses and malware.
The malvertising campaign employed the following tools:
- Angler Exploit Kit (AEK): Designed to exploit vulnerabilities in web browsers and their plugins to deliver additional payloads to compromised devices.
- Locker Malware: A “lightweight” ransomware that denies victims access to their data, often demanding payment to restore access.
- Scareware: Bombards the victim’s computer with fake alerts, urging the user to download malware or provide personal information to cybercriminals.
At its peak, the Angler Exploit Kit accounted for 40% of all exploit infections worldwide, generating around $34 million annually for criminals. The attacks affected over 500 million users globally.
Silnikov was also involved in developing and maintaining the technical infrastructure, including a Traffic Distribution System (TDS), to manage and direct malicious campaigns more effectively.
During an international operation, NCA officers, in collaboration with their counterparts in Ukraine, Portugal, and Singapore, conducted raids, seizing over 50 terabytes of data and dismantling the infrastructure used to manage ransomware programs. The collected data will be used in further investigations and to bring other members of the criminal group to justice.
Maksym Silnikov faces charges of fraud, computer crimes, identity theft, and other offenses. If convicted on all counts, Silnikov could face up to 100 years in prison, though the actual sentence may be shorter because sentences could run concurrently.
The Ransom Cartel operation, launched in December 2021, uses ransomware that bears many similarities to the REvil group’s code. Experts at Palo Alto Networks noted the suspicious connection between Ransom Cartel and REvil. According to their research, Ransom Cartel began its operations just two months after REvil’s disbandment. Experts highlighted that Ransom Cartel operators have access to REvil’s source code but lack the obfuscation mechanism REvil used to encrypt strings and conceal API calls.
In 2019, a member of the cybercriminal group responsible for distributing Reveton ransomware was sentenced in the UK to six years in prison and fined $355,000. According to the investigation, the 25-year-old student had been involved with the notorious Lurk group for six years.