A Russian man accused of involvement in developing and distributing the Citadel malware, which at its peak infected nearly 11 million computers and caused over $500m in losses, has pleaded guilty to charges related to computer fraud. Mark Vartanyan, 29, who went by the pseudonym "Kolypto", was arrested in October 2014 in Norway and extradited to the US in December 2016.
According to US attorney John Horn, Citadel was designed to steal financial account credentials and PII (personally identifiable information) from victims. The malware was sold on a popular "invite-only" Russian-language underground forum that prosecutors did not name. The malware's operators targeted "major financial and government institutions around the world", according to the US Justice Department.
Vartanyan was allegedly involved in distributing the malware while residing in Ukraine, between August 2012 and January 2013. However, the malware's source code was reportedly leaked, which helped antivirus firms to identify and block it, according to former FBI special agent Mark Ray, who now serves as the director of cyber investigations at PricewaterhouseCoopers in Atlanta.
Ray, who travelled to Norway to interview the Russian hacker in 2014 after his arrest, told AP: "What made Citadel so unique is that it was the first one that really incorporated this concept of a customer relationship development module, where the developers wanted feedback from the users on improvements and additions and new features."
Vartanyan is not the only one charged over alleged involvement in Citadel attacks. In September 2015, another Russian, Dimitry Belorossov, who went by the name Rainerfox, was arrested and sentenced to serve four years and six months after pleading guilty to charges related to Citadel's distribution.
According to the Justice Department, Belorossov, 22, operated a 7,000-strong botnet leveraging the Citadel malware. His botnet contained data from infected computers, which included "online banking credentials for US-based financial institutions with federally insured deposits, credit card information, and other personally identifying information".
Meanwhile, federal prosecutors have agreed not to seek a sentence of more than five years for Vartanyan after he reached a deal to cooperate with them, ABC News reported. He is slated to be sentenced on 21 June.
Despite the two arrests, the Justice Department claims that its investigation into the creator of the Citadel malware is ongoing, indicating that more actors were likely involved in the cybercrime operation.