Andromeda botnet mastermind arrested in Belarus, identified by his ICQ number


The prolific hacker behind the Andromeda botnet was brought down by open source intelligence, according to the cybersecurity firm Recorded Future.

One day after an international collection of law enforcement agencies announced the dismantlement of the long-running Andromeda botnet, researchers say they identified the man arrested in Belarus as the leader behind one of the oldest and most widespread botnets in history.

Recorded Future identified Sergey Jaretz, a 33-year-old man residing in Rechitsa, Belarus, as the person recently arrested by Belarusian authorities as part of the global police effort. Online, he was known as Ar3s, but he hasn’t been seen online since November 22.

“Ar3s is recognized as a leading expert in malware development and reverse engineering, network security, and antivirus technology,” Recorded Future analysts Andrei Barysevich and Alexandr Solad wrote in a blog post. “On technologically sophisticated forums he acts as a highly reputable guarantor of deals on the one hand, and an analyst on the other.”

Andromeda, first created in 2011, was detected on an average of one million machines every month in the last six months. The malware and its plugins sold on cybercrime markets from $10 to $500, depending on the version.

In addition to Andromeda, Ar3s is also the developer of the Win32/Gamarue HTTP bot, the Windows SMTP Bruter v.1.2.3 and the “Swf-Inj Service,” which uses malware to hijack web traffic.

Ar3s used the ICQ number “5777677” for communications. It’s a number which has also been connected, since at least 2005, to a person named “Sergey Jaretz.” A simple Google search finds the decade-old use of the number with the Jaretz name on numerous tech forums.

Barysevich and Solad connected the ICQ number to a phone number on the Belarusian mobile carrier MTC registered to a person named Sergey Jarets or Jaretz (in Russian: Сергей Григорьевич Ярец), a Belarusian management-level software engineer who can be found all over the web, including on LinkedIn.

Multiple law enforcement offices involved in the arrest did not respond to a request for comment on the arrested man’s identity.

A still from a video posted by Belarusian police, showing the arrest of Sergey Jaretz. (YouTube)

Andromeda’s developers targeted the payment card industry in the U.S. in recent years, a profitable venture but one bound to attract attention.

“Andromeda malware has a very long history,” researchers at the cybersecurity firm Avast wrote last year. “The authors are skilled programmers and operators, recently updating plugins, maintaining entire systems and looking for new infected domains with exploit kits.”

The operation against Andromeda was led by the FBI in the United States. The Investigative Committee of the Republic of Belarus posted a video of the arrest and seizure of Jaretz’s office on their YouTube page:
