The US offers a $2.5M bounty for the arrest of Angler Exploit Kit co-distributor

The US Department of State is offering a reward of $2.5 million for information leading to the arrest of Volodymyr Kadariya, the cybercriminal associated with an alleged scheme to transmit the Angler Exploit Kit (AEK) along with other malware.

“The US Department of State is offering a reward of up to $2.5 million for information leading to the arrest and/or conviction in any country of Volodymyr Kadariya for his alleged participation in a significant malware organization,” said the reward notice.

Government officials and employees are not eligible for the reward, the notice further added.

AEK malware delivery toolkit

The Angler Exploit Kit (AEK) was a widely used toolkit that allowed cybercriminals to exploit vulnerabilities in web browsers (including Internet Explorer, Chrome, and Firefox), and their plugins (such as Adobe Flash, Java, and Silverlight).

“At times during the scheme, the Angler Exploit Kit was a leading vehicle through which cybercriminals delivered malware onto compromised electronic devices,” said the US Justice Department in the August 12 unsealing of indictment. “The conspirators also allegedly enabled the delivery of “scareware” ads that displayed false messages claiming to have identified a virus or other issue with a victim Internet user’s device.”

The payloads delivered by Angler typically included various types of malware, such as ransomware (like CryptoWall and TeslaCrypt), banking trojans, information stealers, and other forms of malicious software designed to either steal data or hold systems hostage for ransom.

Angler employed advanced evasion techniques, including checking for virtual machines and sandbox environments to avoid detection by security researchers, leading to its popularity and significance in the cybersecurity community. Angler’s activities ceased abruptly in mid-2016, reportedly, due to law enforcement actions in Russia against cybercriminals allegedly linked to Angler.

First charged in 2023

The Belarusian and Ukrainian hacker was first indicted in the District of New Jersey in June 2023, for using malvertising and other means to deliver malware, scareware, and online scams to “millions of unsuspecting Internet users in the United States and elsewhere,” from October 2013 through March 2022.

The indictment, however, was unsealed only on August 12, 2024. The indictment against Kedariya also involved two other cybercriminals, Belarussian and Ukrainian dual-national Maksim Silnikau, and Russian national, Andrei Tarasov.

Both of Kedariya’s co-conspirators, after their indictment in 2023, faced significant legal actions. While the details of Tarasov’s extradition status or any further legal proceedings are less clear, Silnikau was recently extradited to the US from Poland and faces a mandatory minimum of two years and a maximum penalty of 20 years in prison.

A few other high-profile cybercrime arrests sought by the US government in exchange for significant rewards recently include the bounties placed on Maksim Yakubets (up to $5 million), Evgeniy Bogachev (up to $3 million), and Park Jin Hyok (up to $5 million).