Next-Generation Technologies & Secure Development

Two SpyEye Malware Masterminds Sentenced

Malware Stole Payment Card Data, Drained Bank Accounts
Two SpyEye Malware Masterminds Sentenced

Two of the hacker masterminds behind the notorious SpyEye malware have each received lengthy prison sentences after pleading guilty to related charges in U.S. federal court. But alleged Zeus creator and accomplice Evginy Bogachev remains at large.

See Also: Close the Case on Ransomware

SpyEye was used by "a global syndicate of cybercriminals to infect over 50 million computers, causing close to $1 billion in financial harm to individuals and financial institutions around the globe," according to the U.S. Department of Justice. Security experts say SpyEye was the dominant malware toolkit cybercriminals used from 2009 to 2011.

"It is difficult to overstate the significance of this case, not only in terms of bringing two prolific computer hackers to justice, but also in disrupting and preventing immeasurable financial losses to individuals and the financial industry around the world," U.S. Attorney John Horn says in a statement.

The chief developer behind SpyEye, authorities say, was Russian national Aleksandr Andreevich Panin, a.k.a. Gribodemon, Harderman. The FBI arrested him in July 2013 - while on a layover at Hartsfield-Jackson Atlanta International Airport. In January 2014, he pleaded guilty to conspiracy to commit wire fraud and bank fraud charges. He was sentenced April 20 to serve nine years and six months in prison, followed by three years of probation.

Busted in Bangkok

One of his accomplices, 27-year-old Algerian national Hamza Bendelladj, a.k.a. Bx1, was apprehended by the FBI at an airport in Bangkok in January 2013 while he was in transit from Malaysia to Algeria and extradited to the United States in May 2013. On June 26, 2015, he pleaded guilty to all 23 counts of a federal indictment first filed in 2011 against both him and Panin, who at that time had yet to be named. The charges included various counts of wire and bank fraud as well as computer fraud.

On April 20, Bendelladj was sentenced to serve 15 years in prison, followed by three years of probation.

Bendelladj pleaded guilty to sending more than 1 million emails that contained SpyEye and other malware to potential victims. He also admitted developing and selling various malicious botnet add-ons such as "spreaders," designed to sneak malware onto systems, which he used to disseminate SpyEye and Zeus, web injections to alter the appearance of online banking pages to hide malicious activities and automated transfer systems to drain funds from accounts, prosecutors say.

Authorities say Bendelladj stole personal identifying information from nearly 500,000 individuals, stole hundreds of thousands of payment card and bank account numbers, caused millions of dollars in losses to both individuals and global financial institutions and ran the website, which sold stolen payment card information to other cybercriminals.

Modern Banking Trojan

SpyEye's developers had at least 150 customers, who paid $1,000 to $8,500 for the malware, which Panin advertised and sold via invitation-only cybercrime forums, according to the Justice Department.

SpyEye and its infrastructure were targeted and disrupted as part of an international effort, involving the FBI and 26 other law enforcement agencies, as well as private industry assistance from Microsoft, Trend Micro and others, authorities say. SpyEye incorporated numerous features that are now standard in banking malware, including web injections customized for many different banks, keystroke loggers and card-data grabbing capabilities, as well as the ability to control infected endpoints - and exfiltrate data - via botnet command-and-control servers.

In recent years, however, many cybercrime gangs have begun adopting exploit kits - such as the now-defunct Blackhole exploit kit developed by Dmitry "Paunch" Fedotov - that can be used to infect PCs with a range of malicious code, including multiple types of banking Trojans as well as click-fraud software and ransomware. The exploit kit also has the ability to turn "zombie" endpoints into distributed denial-of-service attack launching points.

Arrest Led to Darkode Bust

Authorities say Bendelladj's arrest helped a task force composed of 20 countries' law enforcement agencies shutter the cybercrime forum in July 2015 (see How Do We Catch Cybercrime Kingpins?).

Panin was SpyEye's primary developer and distributor, authorities say, noting that he developed the malware to be the successor to the Zeus banking Trojan after allegedly receiving the Zeus source code and sales rights from Evginy Bogachev - a.k.a. Slavik, lucky12345 - and adding many aspects of the Zeus code base into new versions of SpyEye. Authorities allege Panin was in charge of marketing SpyEye and operated from Russia.

Panin's arrest prevented him from releasing a new strain malware - "SpyEye 2.0" - that had been in development, the Justice Department says. The investigation also led to the arrest by authorities in the United Kingdom and Bulgaria of four of Panin's SpyEye clients and associates (see Europol Targets Ukrainian Botnet Gang).

At Large: Alleged Zeus Creator

Bogachev, however, remains at large. He's currently at the top of the FBI's Cyber Most Wanted list, and has been blamed for creating both Zeus and GameOver Zeus.

The U.S. Department of State's Transnational Organized Crime Rewards Program has offered a reward of up to $3 million for information leading to his arrest or conviction (see FBI Hacker Hunt Goes 'Wild West').

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.