Press Release

Nine Charged in Conspiracy to Steal Millions of Dollars Using “Zeus” Malware

For Immediate Release
Office of Public Affairs
Two Defendants Extradited to U.S. Will Make Initial Court Appearance Today


Nine alleged members of a wide-ranging racketeering enterprise and conspiracy who infected thousands of business computers with malicious software known as “Zeus” have been charged in an indictment unsealed today in Lincoln, Neb.

Acting Assistant Attorney General David A. O’Neil of the Justice Department’s Criminal Division, U.S. Attorney Deborah R. Gilg for the District of Nebraska and Special Agent in Charge Thomas R. Metz of the FBI’s Omaha Division made the announcement.

The indictment alleges that the “Zeus” malware captured passwords, account numbers, and other information necessary to log into online banking accounts.  The conspirators allegedly used the information captured by “Zeus” to steal millions of dollars from account-holding victims’ bank accounts.

The indictment was unsealed in connection with the arraignment this afternoon at the federal courthouse in Lincoln of two Ukrainian nationals, Yuriy Konovalenko, 31, and Yevhen Kulibaba, 36.  Konovalenko and Kulibaba were recently extradited from the United Kingdom.  All of the defendants were charged by a federal grand jury in August 2012 with conspiracy to participate in racketeering activity, conspiracy to commit computer fraud and identity theft, aggravated identity theft, and multiple counts of bank fraud.

“The ‘Zeus’ malware is one of the most damaging pieces of financial malware that has ever been used,” said Acting Assistant Attorney General O’Neil.  “As the charges unsealed today demonstrate, we are committed to making the Internet more secure and protecting the personal information and bank accounts of American consumers.  With the invaluable cooperation of our foreign law enforcement partners, we will continue to bring to justice cyber criminals who steal the money of U.S. citizens.”

“In this case, the victims included a Nebraska bank and a Nebraska company,” said U.S. Attorney Gilg.  “This demonstrates the global reach of cybercrime and the significant threat to our financial infrastructure.  We are grateful for the collaboration of our international and federal law enforcement partners in this complex financial fraud crime.”

“This case illustrates the vigorous cooperation between national and global law enforcement agencies and sends a strong message to cyber thieves,” said FBI SAC Metz.  “The FBI and our international partners will continue to devote resources to finding better ways to safeguard our systems, fortify our cyber defenses and stop those who do us harm.”

According to the indictment, the defendants participated in an enterprise and scheme that installed, without authorization, malicious software known as “Zeus” or “Zbot” on victims’ computers.  The defendants are charged with using that malicious software to capture bank account numbers, passwords, personal identification numbers, RSA SecurID token codes and similar information necessary to log into online banking accounts.  The indictment alleges that the defendants falsely represented to banks that they were employees of the victims and authorized to make transfers of funds from the victims’ bank accounts, causing the banks to make unauthorized transfers of funds from the victims’ accounts.

As part of the enterprise and scheme, the defendants allegedly used as “money mules” residents of the United States who received funds transferred over the Automated Clearing House network or through other interstate wire systems from victims’ bank accounts into the money mules’ own bank accounts.  These “money mules” then allegedly withdrew some of those funds and wired the money overseas to conspirators.

According to court documents unsealed today, Kulibaba allegedly operated the conspirators’ money laundering network in the United Kingdom by providing money mules and their associated banking credentials to launder the money withdrawn from U.S.-based victim accounts.  Konovalenko allegedly provided money mules’ and victims’ banking credentials to Kulibaba and facilitated the collection of victims’ data from other conspirators.

The following four identified defendants remain at large:

• Vyacheslav Igorevich Penchukov, 32, of Ukraine, who allegedly coordinated the exchange of stolen banking credentials and money mules and received alerts once a bank account had been compromised.
• Ivan Viktorvich Klepikov, 30, of Ukraine, the alleged systems administrator who handled the technical aspects of the criminal scheme and also received alerts once a bank account had been compromised.
• Alexey Dmitrievich Bron, 26, of Ukraine, the alleged financial manager of the criminal operations who managed the transfer of money through an online money system known as Webmoney.
• Alexey Tikonov, of Russia, an alleged coder or developer who assisted the criminal enterprise by developing new codes to compromise banking systems.

The indictment also charges three other individuals as John Doe #1, John Doe #2 and John Doe #3.

The case was investigated by the FBI’s Omaha Cyber Task Force.  The Metropolitan Police Service of the United Kingdom, the National Police of the Netherlands’s National High Tech Crime Unit and the Security Service of Ukraine provided significant assistance in the investigation.

The case is being prosecuted by Trial Attorney William A. Hall, Jr. of the Criminal Division’s Computer Crime and Intellectual Property Section and Assistant U.S. Attorney Steven A. Russell of the District of Nebraska. The Office of International Affairs in the Justice Department’s Criminal Division provided valuable assistance with the extradition.

The charges contained in the indictment are merely accusations, and the defendants are presumed innocent unless and until proven guilty. 

Related Materials:

Konovalenko Complaint
Konovalenko Superseding Indictment

Updated October 8, 2014

Press Release Number: 14-375