Hacker from Russian crime group jailed for multi-million pound global blackmail conspiracy

A top level cyber criminal who targeted hundreds of millions of computers with locking ransomware has been jailed for six years and five months after a National Crime Agency investigation.

Zain Qaiser, 24, of Barking in Essex, was a member of an international, Russian-speaking organised crime group that made massive profits from victims in more than 20 countries.

The investigation identified that Qaiser received more than £700,000 through his financial accounts for his role in this global campaign of malware and blackmail. However, the total is likely to have been very much higher.

Qaiser spent the proceeds of his criminal activity on stays in high-end hotels, prostitutes, gambling, drugs and luxury items including a £5,000 Rolex watch.

In just one 10-month period, he spent £68,000 on gambling in a London casino, despite being unemployed and living with his family.

He bought masses of advertising traffic from pornographic websites, using the online name K!NG, on behalf of the crime group, using fraudulent identities and bogus companies to pose as legitimate online advertising agencies in a process of social engineering. Once advertising space was secured, the crime group would host and post advertisements laced with malicious software, known as malware.

When users clicked on the ads they were redirected to another website, hosting highly-sophisticated malware strains including the infamous Angler Exploit Kit (AEK) – believed to have been created, managed and marketed by one of Qaiser’s Russian-speaking associates. Users with any vulnerabilities would subsequently be infected with a malicious payload.

One of those malicious payloads was a piece of software called Reveton – a type of malware that would lock a user’s browser. Once locked, the infected device would display a message purporting to be from a law enforcement or a government agency, which claimed an offence had been committed and the victim had to pay a fine of anything between $300-$1,000 in order to unlock their device.

The campaign infected millions of computers worldwide across multiple jurisdictions.

Ransom demands were made by Qaiser through a complex process of virtual and crypto-currency money laundering. Blackmailed victims would be directed to pay the ransom demand using a prescribed virtual currency, which would then be laundered using a variety of methods and an international network of illegitimate financial service providers.

For example, one of Qaiser’s international accomplices in the US transferred ransom payments onto pre-loaded credit cards in fraudulent identities, withdrew that cash at locations throughout the US, converted it into crypto-currency, and transferred it to Qaiser.

Some online advertising agencies that sold Qaiser the advertising traffic realised what he was doing and tried to stop him. He responded by blackmailing them and their businesses, hitting at least two agencies with DDoS attacks (distributed denial of service). Qaiser told one company director: “I’ll first kill your server, then send child porn spam abuses.” These attacks resulted in the companies losing at least £500,000 through lost revenue and mitigation costs.

Qaiser, a computer science student, was hugely useful to the crime group. Using his command of the English language and knowledge of the online advertising industry, in conjunction with basic social engineering techniques, he could convince advertising agencies he was a legitimate customer.

He employed a variety of bogus companies and fake identity documents, such as passports procured from his online criminal associates, to persistently acquire new internet traffic and advertising space to conduct his criminal activities.

Qaiser’s offending is thought to have started in at least September 2012 and lasted until he was remanded in custody in December 2018.

He was first arrested in July 2014 and was charged in February 2017.

NCA investigators later identified a series of financial accounts linked to Qaiser, including an overseas crypto-currency account. Cumulatively, these accounts received in excess of £100,000, despite him having no job and declaring no earnings. Qaiser was subsequently arrested in December 2018 on suspicion of money laundering, whilst on bail for the previous offences.

Qaiser admitted 11 offences, including blackmail, fraud, money laundering and computer misuse, and was jailed at Kingston Crown Court.

Nigel Leary, NCA Senior Investigating Officer, said:

“This was one of the most sophisticated, serious and organised cyber crime groups the National Crime Agency has ever investigated.

“The group owned and operated the Angler Exploit Kit – one of the most successful and closely guarded pieces of malicious software ever developed by the cyber crime community.

“Zain Qaiser was an integral part of this organised crime group generating millions of pounds in ransom payments by blackmailing countless victims and threatening them with bogus police investigations.

“In addition, when Qaiser’s criminal enterprise was frustrated by diligent members of the online advertising community, he retaliated causing misery and hundreds of thousands of pounds in financial losses.

“This was an extremely long-running, complex cyber-crime investigation in which we worked with partners in the US, Canada, Europe and the Crown Prosecution Service. The FBI and the US Secret Service have both arrested people in relation to this global malware campaign.

“The investigation demonstrates that cyber-criminals cannot operate from behind a veil of anonymity, and that the NCA has the tenacity and specialist skills to catch them and bring them to justice. The international law enforcement community will continue to work together to counter the threat of borderless cyber-crime.”