Zeus Banking Malware Player Gets 9-Year Prison Term
Ukrainian Hacker Vyacheslav Penchukov Was on FBI's 'Most Wanted' List for a Decade
A criminal who used Zeus and IcedID malware to steal millions of dollars from victims has been sentenced to spend nearly a decade in prison and pay millions in restitution.
On Thursday, a Nebraska federal court judge sentenced Vyacheslav Igorevich Penchukov to serve two nine-year prison sentences concurrently, followed by three years of supervised release, as Wired first reported.
U.S. District Judge John M. Gerrard also ordered Penchukov to pay $73 million in restitution.
Penchukov, a Ukrainian national who used the hacker handles "Tank" and "Father," in February pleaded guilty to two charges - racketeering and conspiracy to commit wire fraud - and agreed to comply with additional forfeiture requirements, in return for the government dropping additional charges against him. At that time, the government listed his age as 37.
The two charges to which he pleaded guilty each carried a maximum sentence of 20 years in prison (see: Breach Roundup: Zeus Banking Trojan Leader Pleads Guilty).
Penchukov admitted to being part of what law enforcement dubbed the Jabber Zeus crew, as well as participating in attacks that used malware including Zeus, aka Zbot, to harvest bank account numbers and passwords from thousands of victims, beginning in 2009. The malware was designed to immediately route the stolen information to controllers via the Jabber instant messaging protocol. The gang used that information to drain individuals' and organizations' bank accounts. In some cases, the money was moved to domestic accounts controlled by money mules, who wired it abroad, prosecutors said.
The offender "played a crucial leadership role in this scheme by directing and coordinating the exchange of stolen banking credentials and money mules," according to court documents.
Penchukov also admitted to a later string of thefts involving a botnet he controlled, made up of endpoints infected with IcedID, aka Bokbot, from at least November 2018 until February 2021. His gang used IcedID to infect victims' systems; the malware also harvested bank account login credentials and could be used as a downloader for additional types of malicious code, including ransomware, according to court documents. Prosecutors said investigators obtained his spreadsheet of IcedID income and expenses for 2021 and found it listed annual income of more than $19.9 million.
One of the group's victims was the Vermont Medical Center, infected in October 2020 by IcedID, which the attackers used to drop ransomware, encrypting multiple systems across the hospital's network.
"As a result, the hospital was unable to provide many critical patient services for over two weeks, which created a risk of death or serious bodily injury for patients" and also caused at least $30 million in damages associated with lost revenue and cleanup costs, according to court documents.
The FBI began probing the Jabber Zeus crew in July 2009. The U.S. Department of Justice indicted Penchukov and eight other alleged co-conspirators in 2014, alleging in a criminal complaint that they used Zeus malware to steal millions of dollars from thousands of U.S. victims via their bank accounts at institutions including the Bank of Albuquerque, the Bank of America, California Bank and Trust and more.
Cybersecurity reporter Brian Krebs reported in 2022 that Penchukov, who regularly performed as DJ Slava Rich in his hometown, escaped prosecution in Ukraine for years thanks to his political connections with the family of Russia-aligned former Ukrainian President Viktor Yanukovych.
The hacker's luck ran out when he was arrested in Switzerland in November 2022, apparently having traveled there, using high-quality fake identification, to meet his wife (see: Arrest of Ukrainian in Cybercrime Case Shows Patience Pays).
Swiss authorities extradited him to the U.S. in 2023. "Before his arrest and extradition to the United States, the defendant was a fugitive on the FBI's most wanted list for nearly a decade," Nicole M. Argentieri, the principal deputy assistant attorney general for the DOJ's Criminal Division, said earlier this year.
Of the allegedly nine-strong Jabber Zeus crew, many remain at large, including Maksim Viktorovich Yakubets, aka "aqua," and Evgeniy Mikhailovich Bogachev, aka "slavik," who are both Russian nationals. The U.S. Department of State is offering a reward of up to $5 million for information that leads to the arrest or conviction of Yakubets, who was born in Ukraine, and $3 million for Bogachev, who has been accused of coding both the Zeus and Gameover Zeus strains of malware.
Having a key member of the Jabber Zeus crew appear in a U.S. courtroom is something "I never thought that we would ever see," Jim Craig, a senior director at cybersecurity firm Intel 471, told Wired after he attended the defendant's sentencing hearing.
Formerly an FBI special agent, Craig helped lead the bureau's investigation into Zeus.
Zeus Reborn
Zeus malware, which was allegedly developed by Bogachev, took on new life in 2011. That's when the source code for the malware leaked online, and some experts suggested the Jabber Zeus crew was trying to throw investigators off their trail.
Subsequently, unaffiliated malicious developers began adopting the code and releasing detailed tutorials to advise less technically astute individuals about how to use it.
Numerous strains of malware based on or refined using the Zeus code subsequently appeared, including an updated version of SpyEye. In 2013, after Carberp malware source code leaked, someone combined it with the Zeus code to create a strain called Qadars. In 2016, the Zeus code became the basis for both Floki Bot and Terdot. That year, security researchers were tracking 479 command-and-control servers tied to Zeus or its derivatives, down from 1,149 in 2014.