August 24, 2018 • Alexandr Solad
Scope Note: This is an update to the report “Mastermind Behind Andromeda Botnet Arrested in Belarus,” profiling threat actor Ar3s, that was originally published by Insikt Group on December 4, 2017. Insikt Group offers the following details based on recently disclosed open source information regarding Ar3s’s release from prison.
On August 9, 2018, Sergey Yarets, also known as Ar3s, a notorious cybercriminal and co-developer of the Andromeda botnet, was released from prison in Belarus after reportedly cooperating with authorities and paying the Belarusian government around $5,500 for the income he made from the Andromeda botnet in Belarus. This case is another example of a double standard in the prosecution of cybercriminals in post-Soviet countries: domestic cybercriminals are treated more leniently than the harm they cause abroad would warrant, are allowed to avoid proportionate punishment, and are then put to use in the interests of the state, undermining the efforts of the international community to combat cybercrime.
On August 9, 2018, Ar3s posted a photo to his Twitter account (@Ar3s1) with the comment, “I am free!”
Ar3s was arrested by the Investigative Committee of the Republic of Belarus, in cooperation with the FBI, in connection with the Andromeda trojan. Shortly after the arrest, the Andromeda botnet was dismantled by European and U.S. law enforcement agencies. The Belarusian Investigative Committee claimed that Ar3s, along with other members of the criminal group, was involved in the sale, maintenance, and use of the trojan.
Recorded Future first identified Ar3s as Sergey Yarets, or Сергей Ярец, a resident of Rechitsa, Gomel Region, Belarus, who was formerly a technical director at OJSC “Televid” Tele-Radio company.
On August 9, 2018, the Rechitsa District Court released Sergey Yarets, also known as Ar3s. According to Radio Svaboda Belarus, Yarets fully repented of his crimes, actively collaborated with the investigation, and paid the Belarusian government around $5,500 for the income he made from the Andromeda botnet in Belarus. The court also waived a $1,450 fine, crediting Yarets for the time he had already spent in custody since November 2017.
As reported by Radio Svaboda Belarus, Yarets’s lawyer stated that this was a unique trial because the defendant “actively cooperated with law enforcement and even helped to provide evidence against himself.” In fact, the interrogator, a highly qualified IT specialist, was said to have learned a lot from Yarets. The lawyer elaborated that Yarets’s extraordinary knowledge should serve the country’s interests and that there was no evidence of damage done to Belarusian citizens or organizations because Yarets did not target member countries of the Commonwealth of Independent States.
After the court hearing, Yarets said that he is passionate about IT security and that, at the time of his arrest, he was working for three unspecified Belarusian companies, where he was responsible for network security. Yarets said that he pursued his technical interests on underground hacker forums because he needed to keep abreast of current trends in the field. Over time, Yarets became an administrator of the now-defunct forum DaMaGeLaB and a highly respected member of the underground who frequently wrote technical reviews of other members’ software and services.
Yarets’s statement that Andromeda was created by another developer — a “genius and alcoholic” — likely refers to the Russian threat actor waahoo. According to Yarets, he made only technical reviews of Andromeda and later became a representative and vendor of the trojan on several forums at waahoo’s request. Yarets claims that due to waahoo’s severe alcohol addiction and Yarets’s inability to reach him for several weeks, he copied the Andromeda trojan source code onto his hard drive and had not used it until undercover FBI agents purchased it from him.
In this regard, it should be noted that waahoo handed over the exclusive rights of the Andromeda trojan to Yarets in 2012 and announced it on an underground forum. Waahoo continued to be involved in its development, supervision, and the hiring of programmers until approximately 2015, but at the time of the FBI purchase and arrest, Yarets was the only one who was responsible for the trojan operation. The Belarusian investigators and judges most likely knew this but did not take it into account for unknown reasons.
Yarets said that he is not planning any visits to the United States or Europe. He added that he might return to his former employer, the OJSC “Televid” Tele-Radio company.
Despite renewed activity on his Twitter account, Yarets’s Facebook account is still inactive.
Belarusian state media made no mention of Yarets’s release. The only Belarusian media outlets that reported the event were the opposition news agency Radio Svaboda and the IT web portal Dev.by. This case illustrates a selective approach to punishing cybercriminals in former Soviet states: when a state has an interest in an offender, it allows him to avoid proportionate punishment, which diminishes the value and effectiveness of international cooperation against cybercrime.