Account Takeover Fraud , Fraud Management & Cybercrime
Arrest of Ukrainian in Cybercrime Case Shows Patience PaysSuspect in JabberZeus Banking Malware Gang Nabbed in Geneva
The arrest of a Ukrainian national long wanted on cybercrime charges in the U.S. shows that with much patience, law enforcement can nab suspects.
See Also: Faster Lives Need Faster Payments: Where Do Midmarket and Small Banks Stand?
The Ukrainian national, Vyacheslav Igorevich Penchukov, was allegedly deeply entwined in one of the most successful cybercriminal gangs on record. Dubbed JabberZeus, the operation stole upward of $70 million, according to U.S. prosecutors.
Penchukov was arrested in the last three weeks or so in Geneva, according to computer security writer Brian Krebs, who wrote an in-depth piece on his website.
Penchukov, known by the nickname "Tank," was charged in secret in 2012 for his alleged role using the Zeus malware and botnet to collect login credentials for bank accounts, draining those accounts of money and then sending the money outside the U.S. using a network of money mules.
Although Penchukov has long been wanted by U.S. authorities, officials have been reluctant to triumph his apprehension for unclear reasons. FBI officials contacted on Tuesday had no comment, and Swiss officials couldn’t immediately be reached.
It is believed Penchukov visited Uzhgorod, a city in western Ukraine on the border with Slovakia, before Russia invaded Ukraine. It is rumored that Penchukov acquired high-quality fake identification and traveled to Geneva to meet his wife.
Nonetheless, the arrest of Penchukov underscores a strategy Western law enforcement has been forced to adopt: waiting for alleged cybercriminals to travel to jurisdictions where they can be apprehended and, eventually, extradited.
Jason Passwaters is a former contractor for the FBI who spent years tracking Penchukov. Passwaters said Penchukov is one of the “old wolves” of cybercrime who ushered in a new era where cybercriminals professionalized their operations.
"His arrest is noteworthy as it will have immediate tactical impact given a sophisticated cybercriminal has been removed from play," says Passwaters, who co-founded Intel 471, a cybercrime intelligence firm. "It's a strong and clear message to other cybercriminals that you can't hide forever -- unless you are willing to remain in a sheltered country forever. "
The strategy is one that countries would prefer not to have to adopt. Last Friday, Australian authorities claimed those responsible for a devastating extortion and data breach against Medibank, a large health insurer, were in Russia (see: Australia Blames Russian Hackers for Medibank Hack).
Australian Federal Police Commissioner Reece Kershaw said, "We'll be holding talks with Russian law enforcement about these individuals." Kershaw did not reveal the attackers' names. Russia has long been accused of giving safe harbor to ransomware actors.
Although Kershaw stopped short of directly making that accusation, Australian Prime Minster Anthony Albanese said earlier that day that "the nation where these attacks are coming from should also be held accountable."
Penchukov: Nearly Caught Before
Penchukov has been closely watched by cybercrime analysts since at least 2009, says Alex Holden, founder and chief information security officer of Hold Security, a Milwaukee-based cybercrime intelligence company.
Holden says his firm lost track of Penchukov around Oct. 23 and then heard a few days later that he'd been arrested somewhere in Europe.
"There is a lot of merit to the FBI putting him on the most wanted list, and it is great to see that he is in custody," Holden says. "With inside knowledge of his partners in crime, I sincerely hope that his arrest will bring down other threat actors and shed their veil of anonymity."
Penchukov was indicted in August 2012 in federal court in Nebraska along with four other Ukrainians and one Russian man. The men were indicted on conspiracy to participate in racketeering activity, three counts of bank fraud, aggravated identity theft and other fraud-related counts.
It's alleged the men were part of the JabberZeus gang, which used the Zeus malware and its variants - sometimes also known as Zeus, Zbot or Gameover Zeus - to fraudulent ends.
Once it infected a computer, the Zeus malware collected bank account numbers, passwords, PIN numbers, RSA SecureID tokens and other information that allowed fraudsters to log into bank accounts. The money was then transferred to "mule" accounts, or interim ones held by people recruited for that risky job, before it was transferred outside the U.S.
Just a month after the indictment against Penchukov was unsealed, the Justice Department announced an indictment against Evgeniy Mikhailovich Bogachev of Russia.
Bogachev, who remains on the FBI's most wanted list for cybercrime, is accused of developing the Gameover Zeus code. Penchukov is believed to have had a close relationship with Bogachev, using Bogachev's malware and botnet.
By the early 2010s, the Gameover Zeus botnet began distributing CryptoLocker, a ransomware program. It encrypted files on a person’s computer and asked for upward of $700 for a decryption key. CryptoLocker launched a new era for ransomware, a ploy that dates back to the 1980s, and it remains a massive problem for enterprises today.
The allegations against all of the men were boosted by their poor operational security. The FBI and other private investigators had access to the logs of a Jabber server used by the group. Jabber is a chat protocol. The indictment cites messages allegedly sent between Penchukov and others, often trading login credentials for bank accounts they planned to plunder.
Penchukov was nearly apprehended in a complex law enforcement operation called Operation Trident Breach in 2010. The operation involved the SBU, Ukraine's chief security and intelligence service; the FBI and even the FSB, one of Russia's security agencies.
One of the FBI agents who participated in raids in Ukraine was Jim Craig, who was acting cyber assistant legal attache for the agency in Kiev. Craig tells Information Security Media Group he entered Penchukov’s apartment after it was raided in October 2010.
"Allegedly, he [Penchukov] slipped away during surveillance," says Craig, who is now senior director for the Intelligence Fusion Team at Intel 471. "However, I remember going into his apartment that evening/early morning and thinking he hadn't been there in a while."
After the raids, the FBI issued a news release saying the Zeus-related attacks had caused at least $70 million in losses in the U.S. Many of those victims were small to medium-sized companies, municipalities and churches.
Although the raids did net many offenders in the Gameover Zeus operation, Penchukov managed to get away, perhaps due to a tipoff from Ukrainian law enforcement. Craig says Penchukov was well-connected with high-ranking officials.
Penchukov's arrest now "is a great win for all of the law enforcement entities involved, especially the FBI," Craig says. "This is a great case that's by no means closed. However, a big piece of the puzzle was just put into place."
The 2010 raids in Ukraine are recounted in a riveting story that features recollections of Craig and a FBI contractor in the MIT Technology Review in July 2021.