Two Major International Hackers Who Developed the “SpyEye” Malware get over 24 Years Combined in Federal Prison
ATLANTA – Two international computer hackers; Aleksandr Andreevich Panin, a/k/a Gribodemon, of Russia, and Hamza Bendelladj, a/k/a Bx1, of Algeria, have been sentenced to a combined 24 years, six months in prison for their roles in developing and distributing the prolific malware known as SpyEye, which caused hundreds of millions of dollars in losses to the financial industry around the world.
“It is difficult to over state the significance of this case, not only in terms of bringing two prolific computer hackers to justice, but also in disrupting and preventing immeasurable financial losses to individuals and the financial industry around the world,” said U.S. Attorney John Horn. “The outstanding work by our law enforcement partners, both domestically and internationally, as well as terrific cooperation from the private sector, serves as a blueprint on how to combat complex cyber-crime syndicates around the world.”
“Through these arrests and sentencing, the risk the public unknowingly faced from the threat posed by the imminent release of a new highly sophisticated version of SpyEye was effectively reduced to zero. The FBI led investigation that brought one of the world’s most nefarious malware developers to justice and significantly disrupted the prolific SpyEye botnet demonstrates the power of focused investigations that combine the skills and talents of global law enforcement and private industry partners. Furthermore, the arrests and sentences serve as a strong deterrent to future malware developers and their customers, regardless of where they are located,” said J. Britt Johnson, Special Agent in Charge, FBI Atlanta Field Office.
According to U.S. Attorney Horn, the charges and other information presented in court: Until dismantled by the FBI, SpyEye was the preeminent malware banking Trojan from 2010-2012, used by a global syndicate of cybercriminals to infect over 50 million computers, causing close to $1 billion in financial harm to individuals and financial institutions around the globe.
SpyEye was designed to automate the theft of confidential personal and financial information, such as online banking credentials, credit card information, usernames, passwords, PINs, and other personally identifying information. The malware facilitated its theft of personal and confidential information by secretly infecting victims’ computers, enabling cybercriminals to remotely control the infected computers through command and control (“C2”) servers. Once a computer was infected and under their control, cybercriminals remotely accessed the infected computers, without authorization, and stole victims’ personal and financial information through a variety of techniques, including “web injects,” “keystroke loggers,” and “credit card grabbers.” The victims’ stolen personal and financial data was then surreptitiously transmitted to the C2 servers, where it was used to, among other things, steal money from the victims’ financial accounts.
Panin was the primary developer and distributor of SpyEye. Panin developed SpyEye as a successor to the notorious Zeus malware that had, since 2009, wreaked havoc on financial institutions around the world. In November 2010, Panin allegedly received the source code and rights to sell Zeus from Evginy Bogachev, a/k/a Slavik, and incorporated many components of Zeus into SpyEye. Bogachev remains at large and is currently the FBI’s most wanted cybercriminal.
Operating from Russia between 2009 and 2011, Panin conspired with others, including co-defendant Hamza Bendelladj, to develop, market, and sell various versions of SpyEye and component parts on the Internet. Panin allowed cybercriminals to customize their purchases to include tailor-made methods of obtaining victims’ personal and financial information, as well as marketed versions that targeted information about specific financial institutions, including banks and credit card companies.
With the assistance of Bendelladj, a/k/a Bx1, Panin advertised and promoted the SpyEye malware on online, invite-only criminal forums, such as Darkode.com and other exclusive Russian-based criminal forums. The arrest of Bendelladj in January 2013 was a contributing factor that ultimately led to the dismantling of Darkode.com through a coordinated law enforcement effort involving 20 countries in July 2015.
For his part, Bendelladj transmitted over one million spam emails containing strains of SpyEye and related malware to computers in the United States, yielding hundreds of thousands of infected computers. He also developed and sold malicious “plugins” or add-ons for botnets, such as a “spreader”, Automated Transfer System (“ATS”), and “web injects”. These malicious tools were designed to surreptitiously automate the theft of funds from victim bank accounts and to proliferate the spread of malware, including SpyEye and Zeus. Bendelladj used his unauthorized access into infected computers to steal personal identifying information from close to half a million people, hundreds of thousands of credit card and bank account numbers, causing millions of dollars in losses to individuals and financial institutions around the world. Bendelladj also ran a website called VCC.sc where he automated the sale of stolen credit card information to cybercriminals around the world.
On December 20, 2011, a Northern District of Georgia grand jury returned a 23-count indictment against Panin, who had yet to be fully identified, and Bendelladj. The indictment charged one count of conspiracy to commit wire and bank fraud, 10 counts of wire fraud, one count of conspiracy to commit computer fraud, and 11 counts of computer fraud. A superseding indictment was subsequently returned identifying Panin by his true name.
Panin was arrested by U.S. authorities on July 1, 2013, when he flew through Hartsfield-Jackson Atlanta International Airport. On January 28, 2014, Panin pleaded guilty to conspiring to commit wire fraud and bank fraud. Bendelladj was apprehended at Suvarnabhumi Airport in Bangkok, Thailand, on January 5, 2013, while he was in transit from Malaysia to Algeria. Bendelladj was extradited from Thailand to the United States on May 2, 2013. On June 26, 2015, Bendelladj pleaded guilty to all 23 counts of the superseding indictment.
The apprehension of Panin and Bendelladj has resulted in several of the world’s top malware developers no longer being in a position to create malware that can victimize people in the U.S. and abroad. The FBI discovered that within months of his arrest, Panin was planning to release a new strain of SpyEye, called “SpyEye 2.0”, which, if released, would have been one of the most prolific and undetectable botnets distributed to date, and cause immeasurable losses to the international banking industry and individuals around the world. The investigation has also led to the arrests by foreign authorities of four of Panin’s SpyEye clients and associates in the United Kingdom and Bulgaria.
Aleksandr Andreevich Panin, a/k/a Gribodemon, 27, of Tver, Russia, was sentenced by United States District Court Judge Amy Totenberg, to nine years, six months in prison to be followed by three years of supervised release.
Hamza Bendelladj, a/k/a Bx1, 27, of Tizi Ouzou, Algeria, was also sentenced by Judge Totenberg, to 15 years in prison to be followed by three years of supervised release.
This case was investigated by Special Agents of the Federal Bureau of Investigation. The FBI disrupted and dismantled the organizational structure behind SpyEye by utilizing unprecedented levels of cooperation with private industry and 26 international law enforcement agencies, demonstrating international boundaries no longer offer safe havens for cyber criminals.
Assistant United States Attorneys Steven D. Grimberg, Kamal Ghali, and Scott Ferber prosecuted the case. Trial Attorneys from the Criminal Division’s Computer Crime and Intellectual Property Section provided valuable assistance. The Justice Department’s Office of International Affairs also provided assistance with this case.
Assistance throughout the investigation was also provided by a number of international law enforcement agencies, including the United Kingdom’s National Crime Agency, the Royal Thai Police, the National Police of the Netherlands - National High Tech Crime Unit (NHTCU), Dominican Republic’s Departamento Nacional de Investigaciones (DNI), the Cybercrime Department at the State Agency for National Security-Bulgaria, and the Australian Federal Police (AFP).
Private sector partners also provided valuable assistance, including Trend Micro’s Forward-looking Threat Research (FTR) Team, Microsoft’s Digital Crimes Unit, Flashpoint, PhishLabs, Dell SecureWorks, Damballa, and the Norwegian Security Research Team known as “Underworld.no”.
For further information please contact the U.S. Attorney’s Public Affairs Office at USAGAN.PressEmails@usdoj.gov or (404) 581-6016. The Internet address for the U.S. Attorney’s Office for the Northern District of Georgia is http://www.justice.gov/usao-ndga