Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


03:45 PM
Connect Directly

US Sets $5 Million Bounty For Russian Hacker Behind Zeus Banking Thefts

Maksim Yakubets and his crew stole tens of millions using Zeus and Dridex, with victims including Bank of America, Key Bank, GenLabs, and United Dairy, DoJ says.

The US State Department in collaboration with the US Department of Justice and the FBI Thursday announced an unprecedented $5 million reward for information leading to the arrest or conviction of a Russian hacker allegedly responsible for stealing tens of millions of dollars from banks and consumers over the past decade.

In a criminal complaint unsealed today in federal court in Lincoln, Nebraska, the US charged Moscow-based Maksim Yakubets, 32, of running the notorious Zeus banking malware operation since at least 2009. Yakubets and multiple co-conspirators are alleged to have installed Zeus on thousands of business computers and captured information that allowed them to later log into online banking accounts belonging to the victims and initiate fraudulent wire transfers.

Yakubets and other members of his group attempted to steal a staggering $220 million using Zeus and ending up netting at least $70 million from victim bank accounts. Among the numerous organizations that were victimized in the Zeus campaign were Bank of America, Bank of Albuquerque, Key Bank, Bullitt County Fiscal Court, GenLabs, and United Dairy.

Source: FBI
Source: FBI

Federal authorities on Thursday separately also charged Yakubets and another Russian national, Igor Turashev, 38, with stealing and attempting to steal money from online bank accounts belonging to thousands of individuals and businesses using Bugat - aka Dridex - malware.

The Dridex campaign began around 2009, and as with the Zeus scheme, resulted in millions of dollars being siphoned out of the online bank accounts of consumers and businesses. A representative list of victims included at least two banks and four companies. Attacks involving Dridex continued until as recently as March 2019, the DoJ said in a statement announcing the indictment.

"For over a decade, Maksim Yakubets and Igor Turashev led one of the most sophisticated transnational cybercrime syndicates in the world," said US Attorney Scott Brad of Western District of Pennsylvania. The Dridex operation was one of the most widespread malware campaigns the Justice Department has ever encountered, he said.

Yakubets is alleged to have managed the development, distribution, and maintenance of Dridex and also oversaw the actual financial theft and the use of money mules to receive wire transfers and ACH payments. Turashev served as the systems administrator and was in charge of Dridex botnet operations. NPR on Thursday quoted senior Treasury Department officials describing Yakubets as also working separately for Russia's domestic intelligence agency the Federal Security Service (FSB).

"Maksim Yakubets allegedly has engaged in a decade-long cybercrime spree that deployed two of the most damaging pieces of financial malware ever used and resulted in tens of millions of dollars of losses to victims worldwide," said Assistant Attorney General Brian Benczkowski. The $5 million reward for his arrest or conviction is the largest ever the US government has offered in connection with a cybercrime.

Tens of Millions in Losses

According to charging documents unsealed this week in connection with both indictments, Yakubets, Turashev, and others involved in the Dridex campaign infected systems by tricking victims into opening malicious attachments or clicking on rogue links in phishing emails. They used the malware to collect usernames and passwords to bank accounts either via keystroke logging or by hijacking computer sessions and directing victims to spoofed bank login pages. The stolen credentials were then used to initiate fraudulent wire transfers to overseas accounts and to an extensive network of money mules in the US.

As one example, the indictment points to an attack in September 2012, where Yakubets and Turashev managed to illicitly transfer some $2.2 million from an online account at Commonwealth Bank belonging to Penneco Oil to an account in Krasnodar, Russia. The same day the duo attempted to steal another $76,000 from Penneco's account at the same bank.

Source: FBI
Source: FBI

Yakubets employed a similar tactic with the Zeus campaign, which was more targeted at businesses than Dridex.

For the moment both individuals remain at large in Russia. While it's highly unlikely the Russian government will willingly extradite the two individuals to face the charges against them, their ability to travel outside Russia likely has been severely curtailed by the indictments. In the past, US law enforcement authorities have been quite successful in arresting and extraditing indicted individuals from countries like Russia who made the mistake of traveling to nations friendly to US interests.

Some notable examples include Vadim Polyakov, a Russian hacker who in 2014 was arrested while vacationing in Spain, and then extradited and subsequently convicted on charges related to an attack on StubHub. Another example is Roman Seleznyov, another Russian hacker currently serving a concurrent 27-year and 14-year sentence for his role in two separate hacking schemes that resulted in over $70 million in losses to US businesses. Seleznyov, was arrested while vacationing in the Maldives and extradited to the US in July 2014, prompting accusations of kidnapping from his father Valery Seleznev, a Russian lawmaker.

"If they are indeed found to reside in Russia, it is likely that they might never be brought to trial in the United States," says Chris Morales, head of security analytics at Vectra. Diplomacy is one possible avenue he says. "The alternative is through the US government finding its own way to bring the defendants to the United States against their will, forcibly."

Fausto Oliveira, principal security architect at Acceptto, says the indictments are a clear warning that the US is committed to prosecuting cybercriminals across borders. It also serves as a reminder for the public that this type of crime is not forgotten, he says.

The $5 million award is significant at as well, Oliveira says. "[It] may tempt some other threat actors or casual connections to denounce them as a way to either take down the competition or obtain some financial gain," he says.

Like Morales, he too fears that the biggest challenges for the DoJ is if the indicted persons remain or have escaped to a territory that does not have an extradition agreement. "In those cases it becomes hard, if not impossible, for the suspects to be brought in front of a judge."

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "A Cause You Care About Needs Your Cybersecurity Help."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Google's new See No Evil policy......
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-21
White Shark System (WSS) 1.3.2 is vulnerable to unauthorized access via user_edit_password.php, remote attackers can modify the password of any user.
PUBLISHED: 2021-06-21
White Shark System (WSS) 1.3.2 is vulnerable to sensitive information disclosure via default_task_add.php, remote attackers can exploit the vulnerability to create a task.
PUBLISHED: 2021-06-21
White Shark System (WSS) 1.3.2 is vulnerable to CSRF. Attackers can use the user_edit_password.php file to modify the user password.
PUBLISHED: 2021-06-20
The Quiz And Survey Master – Best Quiz, Exam and Survey Plugin WordPress plugin before 7.1.18 did not sanitise or escape its result_id parameter when displaying an existing quiz result page, leading to a reflected Cross-Site Scripting issue. This c...
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 44741ff99f7a71df45420635b238b9c22093647a contains a buffer overflow which could allow attackers to obtain sensitive information.