The primary developer behind the banking Trojan SpyEye pleaded guilty on January 28, 2014, to wire and bank fraud charges, according to a statement from the Federal Bureau of Investigation. Sentencing is scheduled for April 29.
Aleksandr Andreevich Panin, a Russian national who used the handles “Gribodemon” and “Harderman,” was arrested July 1, 2013, at Hartsfield-Jackson Atlanta International Airport. A co-defendant, Hamza Bendelladj, whose handle was “Bx1,” was arrested in January 2013 at Bangkok’s Suvarnabhumi Airport while in transit from Malaysia to Egypt.
“As this prosecution shows, cyber-criminals—even when they sit on the other side of the world and attempt to hide behind online aliases—are never outside the reach of U.S. law enforcement,” Mythili Raman, Acting Assistant Attorney General for the Justice Department’s Criminal Division, said in a statement.
SpyEye is a malware toolkit designed to automate the process of setting up campaigns to steal personal and financial information, such as login credentials, credit card information, and other personally identifiable information (PII), from infected computers. Criminals could remotely control compromised computers, log keystrokes, and silently transmit stolen data to their own command-and-control servers.
Panin developed, marketed, and sold various versions of SpyEye with Bendelladj. According to federal prosecutors, he sold the toolkit to at least 150 customers for prices between $1,000 and $8,500 on select, invite-only underground forums. One of Panin’s customers, operating under the handle “Soldier,” is believed to have made over $3.2 million in a six-month period using SpyEye.
“He [Panin] commercialized the wholesale theft of financial and personal information. And now he is being held to account for his actions,” Sally Quillian Yates, the United States attorney for the Northern District of Georgia, said in a statement.
Panin started selling SpyEye in 2009, and it quickly overtook the older Zeus Trojan because of its lower price tag and its support for custom plug-ins. While SpyEye’s popularity peaked in 2011, the malware was still used to compromise more than 10,000 bank accounts in 2013. The Department of Justice said over 1.4 million computers in the United States and abroad have been infected with the malware.
Trend Micro researchers worked with the FBI on this case, according to a blog post by Loucif Kharouni, a senior threat researcher at Trend Micro. The team correlated information found in the malware and in the C&C servers’ configuration files with posts on underground forums and with domain name registration settings, Kharouni said.
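The correlation Kharouni describes is a pivoting exercise: an indicator recovered from one source (a C&C hostname in a malware config) is looked up in a second (domain registration data), and the result is matched against a third (contact details and domains posted under a handle on a forum). The Python sketch below is added here as an illustration of that method; it is not Trend Micro’s or the FBI’s tooling, and every hostname, e-mail address, handle and WHOIS record in it is constructed (all domains use the reserved .invalid TLD). It also shows the caveat an analyst has to apply: an infrastructure pivot such as a shared nameserver links unrelated actors and must be treated as weak evidence, which is why the walk excludes it unless explicitly allowed.

```python
import re
from collections import defaultdict, deque

# Constructed sample data for illustration only; none of it is real evidence
# from the SpyEye case or from Trend Micro's analysis.
MALWARE_CONFIGS = {  # sample id -> key=value config text recovered from a build
    "sample-01": "c2=update.panel-example.invalid;gate=/gate.php;key=0xdeadbeef",
    "sample-02": "c2=cdn.static-example.invalid;gate=/in.php;key=0xcafebabe",
}
WHOIS_RECORDS = {  # registrable domain -> registration details (constructed)
    "panel-example.invalid": {"email": "seller@mail.invalid", "ns": "ns1.host-a.invalid"},
    "static-example.invalid": {"email": "bizop@mail.invalid", "ns": "ns1.host-a.invalid"},
    "shop-example.invalid": {"email": "seller@mail.invalid", "ns": "ns2.host-b.invalid"},
}
FORUM_POSTS = [  # (handle, post text), constructed
    ("vendor_one", "Builder for sale, contact seller@mail.invalid"),
    ("vendor_one", "Live demo at http://shop-example.invalid/admin, PM for price"),
    ("buyer_two", "Looking for a loader, ICQ 123456"),
]

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
DOMAIN_RE = re.compile(r"\b(?:[\w-]+\.)+[a-z]{2,}\b", re.I)

# Node kinds whose sharing proves little on its own (bulk hosters, registrar
# default nameservers). They are skipped unless the caller opts in.
WEAK_PIVOTS = {"ns"}


def registrable_domain(host):
    """Reduce a hostname to its last two labels. This is a simplification:
    a real tool would use the Public Suffix List to handle e.g. co.uk."""
    return ".".join(host.lower().split(".")[-2:])


def build_graph():
    """Undirected graph of (kind, value) nodes joined by the pivots above."""
    graph = defaultdict(set)

    def link(a, b):
        graph[a].add(b)
        graph[b].add(a)

    for sample, cfg in MALWARE_CONFIGS.items():
        fields = dict(kv.split("=", 1) for kv in cfg.split(";"))
        host = fields["c2"]
        link(("sample", sample), ("host", host))
        link(("host", host), ("domain", registrable_domain(host)))
    for domain, rec in WHOIS_RECORDS.items():
        link(("domain", domain), ("email", rec["email"]))
        link(("domain", domain), ("ns", rec["ns"]))
    for handle, text in FORUM_POSTS:
        for email in EMAIL_RE.findall(text):
            link(("handle", handle), ("email", email))
        # Strip e-mail addresses first so their domain part is not mistaken
        # for a domain the poster advertised.
        for dom in DOMAIN_RE.findall(EMAIL_RE.sub(" ", text)):
            link(("handle", handle), ("domain", registrable_domain(dom)))
    return graph


def handles_linked_to(graph, sample, allow_weak=False):
    """Breadth-first walk from a sample to every forum handle reachable via
    indicator pivots. Returns {handle: path}, where path is the chain of
    "kind:value" nodes that justifies the link, so it can be reviewed."""
    start = ("sample", sample)
    seen = {start}
    queue = deque([(start, [start])])
    found = {}
    while queue:
        node, path = queue.popleft()
        for nxt in sorted(graph[node]):
            if nxt in seen or (nxt[0] in WEAK_PIVOTS and not allow_weak):
                continue
            seen.add(nxt)
            if nxt[0] == "handle":
                found[nxt[1]] = [f"{k}:{v}" for k, v in path + [nxt]]
            else:
                queue.append((nxt, path + [nxt]))
    return found


if __name__ == "__main__":
    g = build_graph()
    for sample in MALWARE_CONFIGS:
        for weak in (False, True):
            links = handles_linked_to(g, sample, allow_weak=weak)
            print(sample, "weak pivots" if weak else "strong pivots only", links)
```

With strong pivots only, sample-01 reaches vendor_one through the shared registrant e-mail, while sample-02 reaches nobody; allowing the nameserver pivot attaches sample-02 to the same handle through ns1.host-a.invalid, a link an analyst would want corroborated before relying on it. Keeping the full path in the result makes that review possible.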
“Cyber criminals be forewarned—you cannot hide in the shadows of the Internet. We will find you and bring you to justice,” Yates said.
Fahmida Y. Rashid is an accomplished security journalist and technologist. She is a regular contributor to several publications, including PCMag.com, where she is a networking and security analyst. She was also a senior writer at eWeek, where she covered security, core Internet infrastructure and open source, and a senior technical editor at CRN Test Center, reviewing open source, storage, and networking products.