In August 2024, the Justice Department issued a press release announcing the arrest of Maksim Silnikau and charges against two co-conspirators for ongoing cybercrime operations including ransomware and malvertising. While the indictment used their given names and aliases, we at Confiant know them as the malvertising threat actor Zirconium, Zirco for short (not to be confused with APT31). We are pleased that they have been disrupted, and proud to have offered assistance to law enforcement in the investigation that led to these arrests.

As early as 2016, it was clear that we were dealing with one of the more formidable malvertising groups to date. Our first public mention of Zirco appeared in the 2017 blog post Uncovering 2017's Largest Malvertising Operation, where we revealed that the Zirconium group had successfully created and operated 28 fake ad agencies that bought an estimated 1 billion ad views and reached 62% of ad-monetized websites weekly throughout 2017. After more research, we were able to establish that the same group was investigated by other teams as GooNky.

Malvertisers masquerade as legitimate entities to buy their ads and often try to get allow-listed to circumvent protection systems—it’s a type of social engineering attack we often encounter. By following this pattern, Zirco attracted our attention and kicked off a series of events that deeply disrupted their criminal activities and bottom line.

We are proud to have been able to offer assistance to law enforcement in the investigation and grateful to the other security professionals whose hard work over many years also helped bring this group to justice. We hope that this is one of many such victories to come in the ongoing battle against malvertising.