Two men who built and sold a banking trojan that infected more than 50 million computers around the world and caused almost $1 billion in losses have been sentenced to a combined 24 years in prison.
Aleksandr Andreevich Panin, the chief developer and distributor of SpyEye, received a sentence of nine years and six months in federal prison, according to a statement issued by the US Department of Justice. In underground forums where the trojan was sold, the 27-year-old Russian national went by the hacker aliases “Gribodemon” and “Harderman.” In 2010, prosecutors said, he received the source code to a crimeware platform dubbed ZeuS. From 2009 to 2011, he conspired with others to develop SpyEye, which is believed to have borrowed liberally from ZeuS.
Prosecutors said Panin conspired with Hamza Bendelladj, aka Bx1, an Algerian man who received a 15-year prison term during the same Wednesday sentencing in federal court in Atlanta. Prosecutors said Bendelladj transmitted more than one million spam e-mails containing SpyEye and related malware to computers in the United States. The feat infected hundreds of thousands of computers. Bendelladj also developed SpyEye add-ons that automated the theft of funds from victim bank accounts and further spread malware, including SpyEye and ZeuS. Authorities said he stole personal information from almost 500,000 people and caused millions of dollars in losses to individuals and financial institutions around the world.
SpyEye sold for $500 to $10,000, depending on the features it included. Panin allowed customers to customize the software by choosing from a list of available components. Options included methods for obtaining victims’ personal and financial information and data that helped target specific financial institutions, including banks and credit card companies. SpyEye was considered more user-friendly than other banking malware platforms. Bendelladj's arrest was also a contributing factor in last July's dismantling of Darkode.com, an online crime forum where SpyEye and other malware were sold. At least 60 people are suspected of carrying out hacking crimes in that operation.
“It is difficult to overstate the significance of this case, not only in terms of bringing two prolific computer hackers to justice, but also in disrupting and preventing immeasurable financial losses to individuals and the financial industry around the world,” John Horn, US Attorney for the Northern District of Georgia, said in the statement.
The takedown was the result of a collaboration between prosecutors and members of the security industry. According to a blog post from Trend Micro, company researchers infiltrated what was supposed to be a members-only crime forum to monitor the activities of Panin and Bendelladj. The researchers eventually uncovered posts that revealed information such as the criminals' e-mail addresses and ICQ and Jabber numbers and helped lead to the discovery of their actual identities. Also providing assistance were researchers from Microsoft’s Digital Crimes Unit, Flashpoint, PhishLabs, Dell SecureWorks, Damballa, and the Norwegian Security Research Team known as "Underworld.no."
The arrests came as both men brazenly traveled through places subject to US law-enforcement extradition. Bendelladj was arrested in early 2013 at Bangkok’s Suvarnabhumi Airport as he was on his way from Malaysia to Egypt. He was extradited in May of that year. Panin, whose country of origin has no extradition agreement with the US, was arrested two months later during a stopover at Hartsfield-Jackson International Airport in Atlanta.
Critics in security circles often complain that law enforcement authorities don't do enough to stop and deter online financial fraud despite how rampant it is. That may be true, but the arrest, conviction, and sentencing of Panin and Bendelladj are likely to severely limit the regions that international criminals feel comfortable visiting. And that counts for something.