SpyEye Trojan Author Pleads Guilty As Charged

SpyEye Trojan Author Pleads Guilty As Charged
SpyEye Trojan Author Pleads Guilty As Charged

SpyEye, a derivative of Zeus was, before his arrest in July 2013, the world's foremost banking malware, having infected a reputed 1.4 million computers.

It has been a long road. In February 2011 the FBI seized a SpyEye C2 server situate in Georgia and controlling more than 200 infected computers and containing information from several financial institutions. It was allegedly operated by Hamza Bendelladj, an Algerian national and now a co-defendant with Panin.

By this time a full international investigation was under way. In the UK the Police Central e-Crime Unit (PCeU) arrested three men, including a Lithuanian and a Latvian national, "in connection," said the PCeU at the time, "with an international investigation into a group suspected of utilizing malware [that is, SpyEye] to infect personal computers and retrieve private banking details."

A few months later, in the summer of 2011, FBI undercover agents communicated with Harderman (not yet known to be Panin) and purchased a full version of SpyEye. It contained, says the FBI, "features designed to steal confidential financial information, initiate fraudulent online banking transactions, install keystroke loggers, and initiate distributed denial of service (DDoS) attacks from computers infected with the SpyEye malware."

In December of the same year a grand jury in Georgia returned a 23-count indictment against Harderman and Bendelladj. This includes  one count of conspiracy to commit wire and bank fraud, 10 counts of wire fraud, one count of conspiracy to commit computer fraud, and 11 counts of computer fraud. 

Bendelladj was arrested in Bangkok, January 2013, while traveling from Malaysia to Egypt; and extradited to the US in May 2013. Ars Tecnica commented at the time, "If convicted on all counts, he could face a combination of sentences that could keep him in prison for the rest of his life, plus fines of up to $14 million."

Meanwhile, Panin had been identified, and his name added to the indictment. "Panin was arrested by U.S. authorities on July 1, 2013, when he flew through Hartsfield-Jackson Atlanta International Airport," says the FBI statement. "On January 28, 2014, Panin pleaded guilty to conspiring to commit wire and bank fraud. Sentencing for Panin is scheduled for April 29, 2014, before United States District Judge Amy Totenberg."

The FBI investigation had been helped by private enterprise, including Trend Micro and Microsoft. Rik Ferguson, Vice President of Security Research at Trend, explained in an email to Infosecurity, "Almost 4 years ago, the FTR [Forward-looking Threat Research] team at Trend Micro began a particularly focused investigation into the person or people behind SpyEye. Over the intervening period, we mapped out the infrastructure used to support the malware, we identified weak points in that infrastructure and pursued a number of important leads pointing to the identities of individuals behind this pernicious banking Trojan. Once we felt that we had sufficient information we involved law enforcement who drove it to the successful conclusion you see today."

In an FBI blog post yesterday, it explained that the SpyEye investigation "is just one initiative worked under Operation Clean Slate... under Clean Slate we’re going after the major cyber players who make botnets possible."  FBI Executive Assistant Director Rick McFeely warned hackers, “The next person you peddle your malware to could be an FBI undercover employee...so regardless of where you live, we will use all the tools in our toolbox—including undercover operations and extraditions—to hold cyber criminals accountable for profiting illicitly from U.S. computer users.”

What’s hot on Infosecurity Magazine?