National police in Belarus, working with the US Federal Bureau of Investigation, said they had arrested an unnamed citizen of Belarus on suspicion of selling malicious software who they described as administrator of the Andromeda network.
Andromeda can be described as a "botnet", or group of computers that have been infected with viruses to allow hackers to control them remotely without the knowledge of their owners, enabling them to install crime tools to mount further attacks.
The arrested individual is suspected of being a ringleader of the criminal network surrounding Andromeda, a collection of online tools for other criminals to mount malware or phishing attacks and other online scams, a Europol spokesman said.
"Andromeda was one of the oldest malwares on the market," said Jan Op Gen Oorth a spokesman for Europol, the European Union's law enforcement agency.
The police operation, which involved help from Microsoft, was significant both for the number of infected computers and because Andromeda had been used over a number of years to distribute new viruses.
The shutdown of the Andromeda botnet, announced on Monday, was engineered by a taskforce coordinated by Europol which included several European law enforcement agencies, the FBI, the German Federal Office for Information Security and agencies from Australia, Belarus, Canada, Montenegro, Singapore and Taiwan.
Information about the operation has been gradually released by Europol, the US Federal Bureau of Investigation and Belarus's Investigative Committee over the past two days. No further arrests have been reported.
The Belarus Ministry of Internal Affairs in Minsk said the arrested man was born in 1983 and a resident of Gomel region.
Cyber security firm Recorded Future said they have "a high degree of certainty" that the arrested 33-year-old Belarussian is "Ar3s", a prominent hacker in the Russian speaking cybercrime underground since 2004, who the firm has identified as the creator of the Andromeda botnet, among other hacking tools.
Reuters was unable to reach Ar3s or confirm the identity of the alleged hacker and therefore is not naming him.
However, a colleague at the telecoms company where the individual is employed confirmed to Reuters said that he had been arrested. The colleague provided no further details.
Authorities in Belarus declined to name the alleged hacker. Europol declined to comment. The FBI was not immediately available to comment.
Officers had seized equipment from the hacker's offices in Gomel, the second city in Belarus, and he was cooperating with the investigation, the country's Investigative Committee said.
Belarus authorities said the man charged other cyber criminals $500 for each copy of Andromeda he sold to mount online attacks, and $10 for subsequent software updates.
Microsoft said the Andromeda crime kit charged $150 for a keylogger to copy keystrokes to steal user names and passwords. And for $250, it offered modules to steal data from forms submitted by web browsers, or the capacity to spy on victims using remote control software from German firm Teamviewer.
Recorded Future said members of online criminal forums where the hacker Ar3s was known to be active have been complaining he was last seen online around November 20.
German authorities, working with Microsoft, had taken control of the bulk of the network, so that information sent from infected computers was rerouted to safe police servers instead, a process known as "sinkholing."
Information was sent to the sinkhole from more than 2 million unique internet addresses in the first 48 hours after the operation began on Nov. 29, Europol said.
Owners of infected computers are unlikely to even know or take action. More than 55 percent of computers found to be infected in a previous operation a year ago are still infected, Europol said.