Author of Blackhole Exploit Kit Allegedly Arrested in Russia

The Kremlin at night: Author of Blackhole Exploit Kit Allegedly Arrested in Russia

'Paunch' is the nickname given to the author of the Blackhole exploit kit, and Blackhole has long been the dominant EK on the internet. Maarten Boone, a security researcher with the Dutch firm Fox-IT, broke the news yesterday but had no further information.

Other researchers have looked for supporting circumstantial evidence. Jerome Segura at MalwareBytes noted that the encryption service normally used by Blackhole is currently offline. It is still offline at the time of writing this report. The Google cache page shows that it was online at least until 22 September 2013.

French researcher Kafeine also published a graphic showing that the updates normally performed by Paunch once or twice every day have not been done for at least four days. This applied to both Blackhole and Cool EK, another exploit kit thought to have been authored by Paunch.

But still there is no definitive confirmation. Indeed, Trojan7 tweeted, "If Paunch (author of black hole) has been arrested then who's using his darkode account? He's 'online' and just posted :/" A little later he added, "If you use grammar and spelling mapping paunch is only one person and that same person is still posting."

The simple fact, then, is that we currently do not know whether Paunch has or has not been arrested in Russia. If he has, it will be a feather in Russian law enforcement's cap – but it will probably have little effect on the dark side of the internet. "Blackhole is one of the most popular exploit kits used nowadays. If these reports are true, then this is really good news," Luis Corrons, technical director at PandaLabs, told Infosecurity.

"However we should not get over-excited. Sadly there are a number of different exploit kits that are being used now, which means that current Blackhole customers will simply move to one of those: Styx, Sweetorange, Cnmeboss, Cool [possibly also authored by Paunch], Sibhost, Popads, Fiesta, Sofosfo, Whitehole, Reddot, Impact, flimkil, etc. As you can see this is a (black) business with a lot of different players."

Troels Oerting, head of the European Cybercrime Centre, an arm of Europol, has now confirmed to TechWeekEurope that an arrest has been made. He gave no further details.
