Notorious malware kingpin convicted

Following an international investigation led by the FBI, Aleksandr Andreevich Panin, a Russian national also known as “Gribodemon” and “Harderman,” pleaded guilty to conspiracy to commit wire and bank fraud for his role as the primary developer and distributor of the malicious software known as “SpyEye,” which, according to industry estimates, has infected more than 1.4 million computers in the United States and abroad.

“Panin was the architect of a pernicious malware known as SpyEye that infected computers worldwide. He commercialized the wholesale theft of financial and personal information. And now he is being held to account for his actions. Cyber criminals be forewarned—you cannot hide in the shadows of the internet. We will find you and bring you to justice.” says United States Attorney Sally Quillian Yates.

According to Yates, the charges, and other information presented in court, SpyEye is a sophisticated malicious computer code that is designed to automate the theft of confidential personal and financial information, such as online banking credentials, credit card information, usernames, passwords, PINs, and other personally identifying information. The SpyEye virus facilitates this theft of information by secretly infecting victims’ computers, enabling cyber criminals to remotely control the infected computers through command and control (C2) servers. Once a computer is infected and under their control, cyber criminals can remotely access the infected computers, without authorization, and steal victims’ personal and financial information through a variety of techniques, including web injects, keystroke loggers, and credit card grabbers. The victims’ stolen personal and financial data is then surreptitiously transmitted to the C2 servers, where it is used to steal money from the victims’ financial accounts.

Panin was the primary developer and distributor of the SpyEye virus. Operating from Russia from 2009 to 2011, Panin conspired with others, including codefendant Hamza Bendelladj, an Algerian national also known as “Bx1,” to develop, market, and sell various versions of the SpyEye virus and component parts on the internet. Panin allowed cyber criminals to customize their purchases to include tailor-made methods of obtaining victims’ personal and financial information, as well as marketed versions that targeted information about specific financial institutions including banks and credit card companies. Panin advertised the SpyEye virus on online, invite-only criminal forums. He sold versions of the SpyEye virus for prices ranging from $1,000 to $8,500. Panin is believed to have sold the SpyEye virus to at least 150 “clients,” who, in turn, used them to set up their own C2 servers. One of Panin’s clients, “Soldier,” is reported to have made over $3.2 million in a six-month period using the SpyEye virus.

According to industry reports, the SpyEye virus was the pre-eminent malware toolkit used from approximately 2009 to 2011. Based on information received from the financial services industry, more than 10,000 bank accounts have been compromised by SpyEye infections in 2013 alone. Some cyber criminals continue to use SpyEye today, although its effectiveness has been limited since software makers have added SpyEye to malicious software removal programs.

In February 2011, pursuant to a federal search warrant, the FBI searched and seized a SpyEye C2 server allegedly operated by Bendelladj in the Northern District of Georgia (in the United States). That C2 server controlled more than 200 computers infected with the SpyEye virus and contained information from numerous financial institutions.

In June and July 2011, FBI covert sources communicated directly with Panin, who was using his online nicknames Gribodemon and Harderman, about the SpyEye virus. FBI sources then purchased a version of SpyEye from Panin that contained features designed to steal confidential financial information, initiate fraudulent online banking transactions, install keystroke loggers, and initiate distributed denial of service (DDoS) attacks from computers infected with the SpyEye malware.

On Dec. 20, 2011, a Northern District of Georgia grand jury returned a 23-count indictment against Panin, who had yet to be fully identified, and Bendelladj. The indictment charged one count of conspiracy to commit wire and bank fraud, ten counts of wire fraud, one count of conspiracy to commit computer fraud, and 11 counts of computer fraud. A superseding indictment was subsequently returned identifying Panin by his true name.

Bendelladj was apprehended at Suvarnabhumi Airport in Bangkok, Thailand, on Jan. 5, 2013, while he was in transit from Malaysia to Algeria. Bendelladj was extradited from Thailand to the United States on May 2, 2013. His charges are currently pending in the Northern District of Georgia.

Panin was arrested by U.S. authorities on July 1, 2013, when he flew through Hartsfield-Jackson Atlanta International Airport.

The investigation also has led to the arrests by international authorities of four of Panin’s SpyEye clients and associates in the United Kingdom and Bulgaria.

On Jan. 28, 2014, Panin pleaded guilty to conspiring to commit wire and bank fraud. Sentencing for Panin is scheduled for April 29, 2014, before United States District Judge Amy Totenberg.

The case is being investigated by special agents of the Federal Bureau of Investigation.

Ricky Maxwell, Acting Special Agent in Charge, FBI Atlanta Field Office, says, “This investigation highlights the importance of the FBI’s focus on the top echelon of cyber criminals. The apprehension of Mr. Panin means that one of the world’s top developers of malicious software is no longer in a position to create computer programs that can victimize people around the world. Botnets such as SpyEye represent one of the most dangerous types of malicious software on the Internet today, which can steal people’s identities and money from their bank accounts without their knowledge. The FBI will continue working with partners domestically and internationally to combat cyber crime.”

Valuable assistance was provided by the Criminal Division’s Office of International Affairs and the following international law enforcement agencies: the United Kingdom’s National Crime Agency, the Royal Thai Police-Immigration Bureau, the National Police of the Netherlands-National High Tech Crime Unit (NHTCU), Dominican Republic’s Departamento Nacional de Investigaciones (DNI), the Cybercrime Department at the State Agency for National Security-Bulgaria, and the Australian Federal Police (AFP).

Valuable assistance also was provided by the following private sector partners: Trend Micro’s Forward-looking Threat Research (FTR) Team, Microsoft’s Digital Crimes Unit, Mandiant, Dell SecureWorks, Trusteer, and the Norwegian Security Research Team known as Underworld.no.