SpyEye Creator Got 'Sloppy,' Then Got Nabbed

Russian national behind the infamous crimeware kit pleads guilty to conspiracy to commit wire and bank fraud in his role as primary developer and distributor of SpyEye

Turns out the key player behind the development and distribution of the infamous SpyEye data-stealing Trojan wasn't so careful about covering his tracks. Aleksandr Andreevich Panin, a.k.a. "Gribodemon" and "Harderman," inadvertently left a trail that ultimately led to his arrest last summer.

The U.S. Attorney's Office yesterday announced that Panin had pleaded guilty to charges associated with his role as the main developer and distributor of SpyEye. Panin, 24, who was arrested by U.S. authorities at Georgia's Hartsfield-Jackson Atlanta International Airport on his way back from a trip to the Dominican Republic, left clues of his identity while engaged in underground forums, and inadvertently leaked the email address of a SpyEye server's controller -- which helped investigators unmask him.

Researchers at Trend Micro who tracked Panin and other associates online were able to glean some valuable information from Panin's online postings, as well as SpyEye files that provided valuable intelligence about his identity. "Once we decrypted the files, we had access to a bunch of other files ... including a configuration file" with SpyEye customer names that Panin apparently had created, Loucif Kharouni, senior threat researcher with Trend Micro, told Dark Reading. "That was a mistake."

Panin, a Russian national, had become a bit too confident and became "sloppy" in his operations, Kharouni says.

The Trend Micro team, who assisted the FBI in the investigation, correlated key information and clues from the SpyEye configuration files with other intelligence they had on hand. They joined underground forums where Panin and his cohorts frequented, and were able to obtain their email addresses and ICQ and Jabber chat numbers that the suspects disclosed to prospective customers.

"But that was 2010 and 2011. From that point, things changed. Now you rarely see cybercriminals disclosing this type of information," says Kharouni, who posted details of Trend Micro's findings in a blog post today.

The binaries and configuration files used with the Trojan led Kharouni and his team to a key clue: The decrypted configuration files had the handle "Bx1," Panin's partner in the enterprise: Hamza Bendelladj, an Algerian national who was arrested in January 2013 in an airport in Bangkok while in transit from Malaysia to Algeria. He was extradited to the U.S. in May, and faces pending charges in the Northern District of Georgia for his alleged role in SpyEye.

Panin was definitely not as savvy as ZeuS creator Slavik, who remains at large. "Slavik wouldn't disclose that type of information in an underground forum. And he hasn't been caught yet," Kharouni says. "[Panin's] mistake was that he was [new] and wanted to make an impression, and he wasn't careful at first."

Meanwhile, Panin and Bendelladj eventually became more guarded and cautious with their online communications. "But it was too late," Kharouni says. "They didn't expect to get caught traveling."

Aside from his carelessness online, Panin -- like Bx1 -- made the mistake of traveling outside of Russia or another nation without a U.S. extradition agreement.

"Panin suffered the same fate as Bx1. He traveled and got picked up crossing borders ... Although an Algerian native, Bx1 was living in Malaysia and was arrested in Thailand while traveling to Egypt. For Panin, a vacation in the Dominican Republic was what brought him down. These 'border crossing' arrests have led the Russian government to issue a rather strange travel advisory: 'If you are wanted for crimes in the United States, don't visit Extradition Friendly Countries!'" notes Malcovery researcher Gary Warner in a post today.

The SpyEye Trojan has infected more than 1.4 million computers around the world, and according to financial services industry data, more than 10,000 bank accounts were hacked via SpyEye infections in 2013. The malware -- which steals online banking credentials, credit card data, user names, passwords, PINs, and other sensitive personal information, and then sends that information to command-and-control servers -- remains in use today.

Panin and other associates in Russia developed, marketed, and sold versions of the SpyEye malware kit online between 2009 and 2011, selling the malware for anywhere from $1,000 to $8,500 to at least 150 different customers who, in turn, deployed the Trojan in cyberattacks. According to the U.S. Attorney, one of Panin's clients, known as "Soldier," reportedly netted more than $3.2 million via SpyEye in six months.

International authorities also have arrested four of Panin's SpyEye clients and associates in the U.K. and Bulgaria as a result of the investigation into his activities.

"Authoring malware today is so lucrative and easy to do that catching these criminals is just putting a finger in the dyke, and I anticipate more malware authors will always be popping up to cash in on this cybercrime gold rush," says Branden Spikes, CEO, CTO, and founder of Spikes Security. "It's reassuring to see law enforcement successfully deterring the cybercriminal, but to effectively stifle the hacker we need a paradigm shift from detection to isolation. Certainly, the prosecution of malware authors is an important effort and one that will reduce the power of botnets, DDoS attacks, and spam for a while."

The FBI in February 2011 seized a SpyEye command-and-control server run by Bendelladj in Georgia. That server had control over more than 200 bots infected with SpyEye and included stolen information from various financial institutions. In June and July of that year, FBI undercover agents were able to make contact with Panin online and purchase a version of the Trojan that steals financial information. The Trojan also includes keylogging and distributed denial-of-service features.

Panin's case likely signals the end of the SpyEye era. "Only beginners use SpyEye now. Everyone knows it's not really safe to use anymore, so most have moved on to others like Citadel," Trend Micro's Kharouni says.

[A newly discovered online banking fraud tool cheats two-factor authentication, automates the attack, and hides out so that victims can't see losses or traces of the theft until long after the money is gone. See Zeus/SpyEye 'Automatic Transfer' Module Masks Online Banking Theft .]

There are still plenty of unknowns about the SpyEye case, however. "What we do NOT have are more examples of the criminals who actually ran the botnets and whether they are in custody," Malcovery's Warner notes. Where are the clients who purchased SpyEye from Bx1, what are their botnets, and how much did they make, he asks.

Aside from U.S. authorities, the U.K.'s National Crime Agency, the Royal Thai Police-Immigration Bureau, the National Police of the Netherlands-National High Tech Crime Unit (NHTCU), Dominican Republic's Departamento Nacional de Investigaciones (DNI), the Cybercrime Department at the State Agency for National Security-Bulgaria, and the Australian Federal Police (AFP) all had a hand in the investigation, as well as Trend Micro, Microsoft's Digital Crimes Unit, Mandiant, Dell SecureWorks, Trusteer, and the Norwegian Security Research Team.

"As several recent and widely reported data breaches have shown, cyber attacks pose a critical threat to our nation's economic security," said U.S. Attorney Sally Quillian Yates. "Today's plea is a great leap forward in our campaign against those attacks. Panin was the architect of a pernicious malware known as SpyEye that infected computers worldwide. He commercialized the wholesale theft of financial and personal information. And now he is being held to account for his actions. Cyber criminals be forewarned -- you cannot hide in the shadows of the Internet. We will find you and bring you to justice."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights