Russian Citadel Mastermind Sentenced to 4.5 Years

Extradited Cybercriminal Was Tracked Via Citadel User Group
A Russian cybercriminal who used the Citadel banking Trojan to infect 7,000 PCs worldwide has been sentenced by a U.S. judge to serve four years and six months in prison, according to the U.S. Attorney's Office.
Dimitry Belorossov, a.k.a. Rainerfox, 22, pleaded guilty in July 2014 to charges that he ran a Citadel botnet that was used to infect PCs and steal people's personal information - including online banking credentials that could be used to commit fraud - as well as contributed to the ongoing development of the Citadel malware (see Citadel Malware: The Growing Threat).
On Sept. 29, Belorossov was sentenced by U.S. District Court Chief Judge Thomas W. Thrash Jr. to serve four years and six months in prison, followed by three years of supervised release. He was also ordered to pay $322,000 in restitution. The U.S. Attorney's Office didn't immediately respond to a query as to whether that amount represented the sum of what Belorossov was believed to have stolen, or whether it included other costs, such as compensating banks for related clean-up efforts.
"Global cybercrime requires a global response, and this case is a perfect example," says U.S. Attorney John Horn. "This defendant committed computer hacking offenses on victims in the United States from the relative safety of his home country of Russia, but he was arrested by our law enforcement partners in Spain."
Citadel - a variant of the notorious Zeus - first appeared in 2012, and is sold in the cybercrime underground as a malware-as-a-service product to which users subscribe (see Analysis: The Impact of Malware Developers' Takedowns). According to cybercrime statistics cited by prosecutors, security experts suspect that various Citadel botnets have been used to infect about 11 million PCs worldwide, and commit more than $500 million in fraud.
U.S. authorities say that Belorossov first began using Citadel in 2012, and then operated a Citadel botnet from Russia that ultimately compromised more than 7,000 Citadel-infected PCs.
Authorities appear to have tracked St. Petersburg, Russia-based Belorossov at least in part thanks to his participation in a Russian-language Citadel user group. "In 2012, Belorossov made numerous postings to Citadelmovement.com, an online forum in which Belorossov discussed his Citadel botnet and recommended improvements to the Citadel malware," according to the U.S. Attorney's Office. "In addition to operating a Citadel botnet, Belorossov also provided online assistance with the goal of developing suggested improvements to Citadel, including posting comments on criminal forums on the Internet and electronically communicating with other cybercriminals via e-mail and instant messaging."
Chasing Russian Cybercrime Suspects
One challenge with cybercriminals based in Russia, however, is that the United States has no extradition treaty with Russia (see How Do We Catch Cybercrime Kingpins?).
One strategy practiced by U.S. prosecutors has been to file sealed indictments against suspects based in Russia or former Soviet satellites. If U.S. law enforcement agencies find that the suspect has traveled to a country that's friendly to the United States, then authorities request that police arrest the suspect, and prosecutors will file an extradition request (see Russian Cybercrime Rule No. 1: Don't Hack Russians).
Authorities say that for this investigation, which was led by the FBI, the bureau's ties with international law enforcement agencies were crucial, and serve as a template for similar arrests in the future (see Fighting U.S. Card Data Fraud Overseas). "The FBI, in working with its international partners, continues to demonstrate that international boundaries no longer provide a safe haven for cybercriminals targeting U.S. individuals or interests domestically," says Special Agent in Charge J. Britt Johnson.