Accused of stealing millions, SpyEye developer extradited to US

A 24-year-old Algerian man allegedly responsible for stealing tens of millions of dollars with the SpyEye banking trojan has been extradited to the US.

Hamza Bendelladj, a.k.a. Bx1, was the subject of a three-year manhunt that ended in Bangkok in January. He is suspected of co-developing the trojan as well as selling it (for as little as $2,000) and using it to create a reportedly highly successful theft botnet. Bendelladj was arraigned in Atlanta, where he is accused of leasing a server from a local internet company as part of his ring.

If convicted, Bendelladj faces up to 30 years in prison for the main charges, as well as sentences of five to 20 years for related charges. He also faces fines of up to $14 million.

According to security researcher Brian Krebs, a redacted copy of the indictment accuses Bendelladj of developing and customizing components of SpyEye. It also says that Bx1 was an active member of darkode.com, an underground fraud forum.

“Bx1’s core focus in the community was selling ‘web injects’ — custom add-ons for SpyEye that can change the appearance and function of banking websites as displayed in a victim’s web browser,” said Krebs. “More specifically, Bx1 sold a type of web inject called an automated transfer system or ATS; this type of malware component was used extensively with SpyEye — and with its close cousin the ZeuS Trojan — to silently and invisibly automate the execution of bank transfers just seconds after the owners of infected PCs logged into their bank accounts.”

According to Krebs, Bx1 was far from quiet about his SpyEye activities. In addition to contacting the researcher numerous times to brag about his success, he was also an avid poster. “Zeus/SpyEYE/Ice9 ATS for Sale,” Bx1 announced in a post on a darkode.com thread dated Jan. 16, 2012. “Hey all. I’m selling private ATS’s. Working and Tested. We got IT / DE / AT / UK / US / CO / NL / FR / AU. Contact me for bank. can develop bank ATS from your choice.”

Krebs also reported another thread titled “Feds, Feds, Feds,” wherein Bx1 pastes an excerpt from an online chat with an interloper who describes himself as an information broker who is seeking clues about the identities of his business partner, Gribodemon, and a hacker who went by the screen name “jam3s,” and who is suspected of leaking the source code to the ZeuS trojan.

He seemed to feel the manhunt tightening. “In that thread, Bx1 urges fellow forum members to ‘double encrypt’ their computer hard drives and to ‘make a contact with a good lawyer.’ Most of the forum members simply dismiss Bx1 as paranoid,” Krebs said.

Prosecutors have said that Bendelladj is a flight risk and requested that he be held without bail.
