SpyEye Malware Creator Sentenced: Gets 9.5 Years for Wire and Bank Fraud

The United States District Court for the Northern District of Georgia has convicted Russian national Aleksandr Andreevich Panin of conspiracy to commit wire and bank fraud for developing and distributing SpyEye, the notorious banking Trojan. The 24-year-old Panin, also known as “Gribodemon” and “Harderman” in underground forums, now faces 9 ½ years in federal prison after agreeing to a deal with prosecutors.

In the five years since its creation in 2009, SpyEye is estimated to have infected 1.4 million computers, compromised over 100 thousand bank accounts, and stolen roughly half a billion dollars in the US and abroad.


In January 2014, Panin pleaded guilty to conspiring to commit wire and bank fraud for his role as the primary developer and distributor of the malware. United States Attorney Sally Quillian Yates considered the plea bargain “a great leap forward” in the campaign against cyber-attacks that threaten economic security.

Algerian national Hamza Bendelladj, known as “Bx1”, also received a sentence of 15 years. Known for helping Panin “develop, market, and sell various versions of SpyEye and component parts on the Internet,” the 27-year-old Algerian was charged with selling SpyEye and using the malware to steal financial information.

An Eye for an Eye

Investigations into Panin’s involvement in bank-stealing operations started in 2009, when a new botnet was found to rival the infamous ZeuS botnet (ZBOT) in its use of rootkit technology and keyloggers to steal from bank accounts.

The Trend Micro Forward-Looking Threat Research (FTR) team has since provided technical support to the Federal Bureau of Investigation (FBI), international law enforcement agencies, and other private sector partners to find the instigators of the SpyEye botnet, as well as other individuals who used it to steal from banking accounts. FTR correlated the information obtained from configuration files with information gathered from other sources, such as the various underground forums that both Panin and Bendelladj were known to visit, and looked into information (email address, ICQ number, or Jabber number) that might reveal their actual identities.


The following timeline shows the development of the SpyEye malware and the investigation that led to the arrests of the individuals connected to it:

Casualized Crime

This conviction is a milestone in the history of banking heists.

First, it establishes the benchmark for the technical knowledge needed to steal money from online accounts. These days, all that's needed to steal from victims online—besides an internet connection—is enough capital to purchase a kit specifically designed for that purpose, as well as the knowledge of where to buy it. Operations can then be run from anywhere, hidden behind the anonymity afforded by the electronic barriers of the internet.

Second, it sends a message that criminals who hide in the recesses of the Internet are not invisible to law enforcement. There are existing anti-cybercrime initiatives and precedents that can be used to punish cybercriminal activities such as creating exploit kits and using malware botnets.

“Panin was the architect of a pernicious malware known as ‘SpyEye’ that infected computers worldwide. He commercialized the wholesale theft of financial and personal information. And now he is being held to account for his actions,” US Attorney Yates stressed in a news release.

Third, it provides a concrete case study of how collaboration between public and private groups can be effective in catching cybercriminals.

“Many police agencies don’t have the skills to effectively track down and investigate cybercrime. Tracking down cybercriminals requires a very different skill set from traditional policing, which limits the abilities of law enforcement to go after cybercriminals. It also takes resources and trained personnel, which are, in many cases, in very short supply,” says Martin Roesler, director for threat research at Trend Micro.

