Aleksandr Panin, the 27-year-old Russian creator of the SpyEye banking Trojan that allowed cybercriminals to infect millions of computers and drain bank accounts worldwide, has been sentenced to nine and a half years in a US federal prison. The US Justice Department said on 20 April that his accomplice, Algerian Hamza Bendelladj, who sold versions of SpyEye online and used it to steal financial information, was sentenced to 15 years.
"Until dismantled by the FBI, SpyEye was the preeminent malware banking Trojan from 2010-2012, used by a global syndicate of cybercriminals to infect over 50 million computers, causing close to $1 billion [£700m] in financial harm to individuals and financial institutions around the globe," the department said in a statement.
Released in 2009, SpyEye was a Trojan that secretly installed itself on a victim's computer to steal personal information including bank account details, credit card information, passwords and PINs. Once it had taken over a computer, it also allowed hackers to trick victims into surrendering personal information through fake bank account pages. The stolen information was then relayed to the criminals' control server, which was used to access the victims' accounts.
FBI Special Agent Mark Ray said that the malware was "more user-friendly [for criminals]" than its predecessor, Zeus malware, and functioned like a "Swiss army knife of hacking". It allowed hackers to customise and tailor methods to steal personal and financial information.
Panin, who went by the aliases "Gribodemon" and "Harderman" online, allegedly received the source code and rights to sell Zeus from Evgeniy Bogachev – the alleged author of the Zeus malware – in November 2010, incorporating many components of Zeus into his own SpyEye kit.
Between 2009 and 2011, Panin conspired with others, including Bendelladj, known as "Bx1", to develop, market and sell versions of the malware on invite-only online cybercrime forums such as Darkode.com for prices ranging between $1,000 and $10,000. According to Ray, Darkode.com was the most sophisticated of the cybercrime forums and was frequented by the elite of the cybercrime world before it was taken down.
Bendelladj also transmitted more than one million spam emails containing strains of SpyEye and related software to computers in the United States, resulting in hundreds of thousands of computers getting infected.
In February 2011, FBI agents seized a SpyEye server in the Atlanta area that they said Bendelladj used to control more than 200 infected computers, and which held information stolen from several financial institutions. In June and July 2011, covert FBI sources communicated with Panin directly to buy a version of SpyEye that contained the kit's full suite of features.
Panin, who had yet to be fully identified, and Bendelladj were indicted by a Georgia grand jury in December 2011.
In January 2013, Bendelladj was arrested in Bangkok while in transit from Malaysia to Algeria and was extradited to the United States later that year. In July 2013, Panin was arrested at Atlanta airport, and in January 2014 he pleaded guilty to all 23 charges in the indictment, including wire fraud and bank fraud. Bendelladj also pleaded guilty to all counts in June 2015. Four of Panin's SpyEye clients and associates in the UK and Bulgaria have also been arrested by foreign authorities.
FBI officials discovered that, at the time of his arrest, Panin was planning to release a new strain of SpyEye dubbed "SpyEye 2.0" within months. If launched, officials said, it "would have been one of the most prolific and undetectable botnets distributed to date, and could cause immeasurable losses to the international banking industry and individuals around the world."