“Free Hamza Bendellaj”: Why SpyEye Co-Developer Bx1 is Causing a Stir

On May 17, administrators of the Old Dominion University (ODU) in Virginia were alarmed when its student-run news site, Mace & Crown was hacked. This incident was the latest in a string of petty hacking incidents that vandalized many others sites like those of Air France and the Isle of Wight County.

A screenshot of the hacked page shows the site’s normal content replaced with politically charged statements, including “#Free Hamza Bendellaj.” Image via wavy.com

Bendellaj, also known as Bx1, is one of the co-developers and distributors of the infamous SpyEye banking Trojan. Trend Micro had a hand in his arrest in 2013.

#Free Hamza Bendelladj: Decoding the Happy Hacker

On January of 2013, images of a lanky, bearded, young gentleman—handcuffed and escorted by a group of Thai police officers—surfaced and garnered media attention. The identified Algerian national was photographed beaming at cameras as he was arrested in Bangkok’s Suvarnabhumi Airport. The so-called “Happy Hacker” would later on be identified as Bendelladj.

In May of the same year, the United States extradited the then-24-year-old Bendelladj and charged him with 23 counts of computer hacking and fraud. He was accused of being one of the brains that spearheaded the development, marketing, and sale of SpyEye, the Trojan responsible for stealing the customer information of more than 250 financial organizations, and one that reportedly allowed him to earn $10-20 million on a single transaction.

SpyEye succeeded in compromising over 1.4 million computers worldwide. In 2013 alone, recorded hacks reached the 10,000 mark, stealing financial information such as online banking credentials, credit card data, and PINs from infected computers. These were all transmitted to command-and-control servers to enable stealing money from compromised accounts. Bendelladj was known to have operated at least one of these servers.

During the investigation, Trend Micro researchers unearthed the real identities of those involved in the malware operation, and the FBI has duly recognized Trend Micro’s active participation in uncovering the tracks that led to the arrest of Bendelladj, and later on, the SpyEye creator and Russian national, Aleksandr Adreevich Panin (also called Griboden or Harderman).

Email addresses, ICQ and Jabber chat numbers sloppily disclosed to potential customers led to the discovery of the handle, “Bx1”, which in turn revealed the identity of Bendelladj and his role in SpyEye’s growing operations. In July of 2013, Panin was arrested and suffered the same fate as Bendelladj. He would later plead guilty for his role as the master creator of the banking malware in January of 2014, while Bendelladj’s charges remain pending.

#FreePalestine: The Palestinian Connection

A closer look at the recent ODU hack would also lead us to past events that involved Palestine.  The Trend Micro research paper Operation Arid Viper looked into two separate but closely linked operations—Operation Arid Viper and Operation Advtravel.

Operation Arid Viper is a highly-targeted attack on high-profile organizations in the government, transportation, infrastructure, military, and academic sectors in Israel and Kuwait. These targeted attacks, along with a number of unidentified Israeli individuals, have been connected to C&C servers found in Germany.

Upon close monitoring, this C&C infrastructure also left trails that connected researchers to a much less targeted but also highly-effective attack named Advtravel. The perpetrators behind this operation are led by Egyptian hackers that appear to be less skilled and sophisticated than the ones in Arid Viper. The victims are mostly owners of personal laptops. The attackers’ intent, as our researchers have seen, is to look for incriminating information they can use for blackmail.

The two operations may have differed in terms of the malware used, target victims and information, but both Arid Viper and Advtravel share notable commonalities including the C&C server based in Germany, domains registered by the same individuals, and activities tied to Gaza, Palestine.

Conclusions have not been reached yet on who the real culprits are or, more importantly, if these separate operations have been fueled by an overarching organization with a common goal. However, evidence points to a burgeoning generation of hackers and cyber attackers with a mission. Like Operation Arid Viper, the launched cyber attacks on Israel are regarded as politically-motivated by nature.

What this means

Be it threats developed for financial gain, like SpyEye, or politically-motivated targeted attack campaigns like Arid Viper and Advtravel, one fact is constant: the war against cybercriminals and threat actors continues.

Fighting cybercrime entails collaboration between law enforcement and security experts.  Researchers provide law enforcement agencies the crucial threat intelligence they need to fuel their investigations, and Trend Micro researchers continue to assist law enforcement agencies to take down high-profile cybercriminals like Bendelladj and Panin.


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.