For two years, SpyEye was the world's most destructive piece of malware targeting banks and financial institutions, infecting more than 50 million PCs and causing estimated damage of $1 billion. The malware, created by a young Russian hacker who liked to brag of its malevolence, was secretly installed on victims' computers, spread via spam emails and malicious websites, and worked by silently stealing the banking and credit card details of millions of people.
Now its victims finally have some closure. On Wednesday, Aleksandr Andreevich Panin, the 27-year-old creator of the pernicious computer program, was sentenced in an Atlanta court.
This is the story of how Panin was tracked.
Panin profited handsomely from SpyEye, licensing the malware to more than 150 criminals around the world for up to $10,000 each time. These criminals, in turn, used the malware to steal millions from unsuspecting victims while its creator publicly boasted about his creation, safe in the knowledge that he remained immune from prosecution, in Russia anyway. However one of those who purchased his toolkit brought unwanted attention to Panin, by stealing millions of dollars in a very short space of time.
In January 2011, a Russian criminal in his early 20s known only by his dark net pseudonym “Soldier” purchased a SpyEye kit and, over the course of the next six months, proceeded to steal $3.2 million from tens of thousands of people, the vast majority of whom were in the United States, with the help of accomplices based in West Hollywood and Los Angeles.
Panin had created SpyEye just months earlier but it was an almost instant hit. In November 2010, he had been gifted the source code for another banking trojan called Zeus, a hugely popular piece of malware developed by Evgeniy Mikhailovich Bogchev, another Russian cybercriminal, known by the moniker Slavik. (Bogchev, who at the time was unknown and claimed he was retiring, has since been identified by the FBI and is the agency’s most wanted cybercriminal, with a $3 million bounty on his head.)
Panin, who went by the names “Gribodemon” and “Harderman,” took the Zeus source code and altered it so it was easier to use, even for those who didn’t have a high degree of technical expertise.
“He made it very easy,” Jon Clay, of the security firm Trend Micro, told International Business Times. “It had its own administrative console that would track everything for you; you could pick and choose what components you wanted to install and utilize.”
Panin had a hit on his hands. Criminals quickly sought out SpyEye on dark web markets like Darkode, and soon the Russian criminal partnered with an Algerian called Hamza Bendelladj — or “Bx1,” as he was known online — who became SpyEye’s chief marketing officer. Bendelladj used to called SpyEye the "Zeus Killer" in ads placed on dark web forums, casting the tool as a cheaper and more powerful version of what was then the preeminent banking trojan.
Clay told IBT that around this time researchers at Trend Micro began tracking the online activities of Panin and Bendelladj, who were known to openly communicate through online forums and even on social media about their activities.
“We were able to track them because, just like anybody, they are human and they want to brag and tell the world of what they are doing.” It was through monitoring of their communications that Trend Micro was able to build up a profile of the two hackers. These profiles included email addresses, ICQ numbers and Jabber handles.
In addition to information the pair were sharing on the surface web, researchers from Trend Micro were able to infiltrate dark web forums where the pair were selling their wares to any criminal willing to pay.
Having built up its profile of the two hackers, Trend Micro handed all the information over to the FBI. Using this information, the FBI set about infiltrating Darkode, the most notorious dark web markets where Panin and Bendelladj regularly marketed SpyEye.
A key aspect of the success of the investigation was the realization that Bendelladj was not only selling SpyEye but also using it himself to infect a zombie army of 200,000 computers (80,000 of whom were located in the U.S.). This led FBI agents in February 2011 to identify and seize a SpyEye server which Bendelladj allegedly operated in the Atlanta area. That server controlled more than 200 infected computers and contained information from many financial institutions.
In June and July 2011, undercover FBI operatives communicated directly with Panin (who was using his online aliases) on a dark web market and bought a version of SpyEye.
In December 2011, months after “Soldier” used SpyEye to devastating effect, a Northern District of Georgia grand jury returned a 23-count indictment against Panin, who had yet to be fully identified, and Bendelladj. The indictment charged one count of conspiracy to commit wire and bank fraud, 10 counts of wire fraud, one count of conspiracy to commit computer fraud, and 11 counts of computer fraud.
The noose was tightening around Panin and Bendelladj, but the creator of SpyEye would continue to elude the authorities for another 18 months.
One of the reasons Panin and Bendelladj remained at large for so long, even after the FBI had tricked them into selling their malware to undercover agents, was their location. It is well known that the Russian government does not take much interest in clamping down on cybercriminals operating in the country, and so Panin believed he was immune to prosecution.
“A lot of these guys are in countries where they are immune to law enforcement, so they can somewhat brag about it, they are a little more open versus a cybercriminal here in the U.S., who would be tracked very quickly,” Clay said.
However, when Panin decided to use some of his ill-gotten gains to take a holiday in the Dominican Republic, his immunity disappeared. According to Panin’s lawyers, the hacker was detained by Dominican police before being flown to Atlanta without a formal extradition hearing being launched. According to the Department of Justice, “Panin was arrested by U.S. authorities on July 1, 2013, when he flew through Hartsfield-Jackson Atlanta International Airport.” In January 2014, Panin pleaded guilty to conspiring to commit wire fraud and bank fraud.
Prior to this, Bendelladj had been apprehended at Suvarnabhumi Airport in Bangkok, on Jan. 5, 2013, while he was in transit from Malaysia to Algeria. Bendelladj was extradited from Thailand to the United States on May 2, 2013. On June 26, 2015, Bendelladj pleaded guilty to all 23 counts of the superseding indictment.
On Wednesday, Judge Amy Totenberg handed down a sentence of nine years, six months to Panin and a longer sentence, 15 years, to Bendelladj, with U.S. Attorney John Horn, saying “it is difficult to overstate the significance of this case, not only in terms of bringing two prolific computer hackers to justice but also in disrupting and preventing immeasurable financial losses to individuals and the financial industry around the world.”