A man arrested in Thailand this week on charges of stealing millions from online bank accounts fits the profile of a miscreant nicknamed “bx1,” a hacker fingered by Microsoft as a major operator of botnets powered by the ZeuS banking trojan.
As reported by The Bangkok Post, 24-year-old Hamza Bendelladj, an Algerian national, was detained this weekend at Bangkok’s Suvarnnabhumi airport, as he was in transit from Malaysia to Egypt. This young man captured news media attention when he was brought out in front of Thai television cameras handcuffed but smiling broadly, despite being blamed by the FBI for hacking into customer accounts at 217 financial institutions worldwide.
Thai investigators told reporters that Bendelladj had amassed “huge amounts” in illicit earnings, and that “with just one transaction he could earn 10 to 20 million dollars. He’s been travelling the world flying first class and living a life of luxury.”
I didn’t fully appreciate why I found this case so interesting until I started searching the Internet and my own servers for his email address. Turns out that in 2011, I was contacted via instant message by a hacker who said he was operating botnets using the Zeus and SpyEye Trojans. This individual reached out to me repeatedly over the next year, for no apparent reason except to brag about his exploits. He contacted me via Microsoft’s MSN instant message platform, using the email address email@example.com. That account used the alias “Daniel.” I later found out that Daniel also used the nickname bx1.
According to several forums on which bx1 hung out until very recently, the man arrested in Thailand and bx1 were one and the same. A review of the email addresses and other contact information bx1 shared on these forums suggests that bx1 was the 19th and 20th John Doe named in Microsoft’s 2012 legal suit seeking to discover the identities of 39 alleged ZeuS botmasters. From the complaint Microsoft submitted to the U.S. District Court for the Eastern District of Virginia, and posted at Zeuslegalnotice.com:
“Plaintiffs are informed and believe and thereupon allege that John Doe 19/20 goes by the aliases “Daniel,” “bx1,” “Daniel Hamza” and “Danielbx1” and may be contacted at messaging email and messaging addresses “565359703,” firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, daniel.h.b@universityof sutton.com, email@example.com, firstname.lastname@example.org, email@example.com, and firstname.lastname@example.org. Upon information and belief, John Doe 19/20 has purchased and used the Zeus/SpyEye code.”
The Daniel I chatted with was proud of his work, and seemed to enjoy describing successful attacks. In one such conversation, dated January 2012, bx1 bragged about breaking into the systems of a hacker who used the nickname “Symlink” and was renowned in the underground for writing complex, custom Web injects for ZeuS and SpyEye users. Specifically, Symlink’s code was designed to automate money transfers out of victim banks to accounts that ZeuS and SpyEye botmasters controlled. Here’s an excerpt from that chat:
(12:31:22 AM) Daniel: if you wanna write up a story
(12:31:34 AM) Daniel: a very perfect
(12:31:34 AM) Daniel: even Interpol will get to you
(12:31:35 AM) Brian Krebs: ?
(12:31:42 AM) Daniel: i hacked the guy who fucked most banks
(12:31:48 AM) Daniel: symlink the guy who made ATS
(12:31:49 AM) Daniel:
(12:32:02 AM) Daniel: ATS = Auto Transfer System
(12:32:15 AM) Daniel: and get his Backups + Pictures and all his details
(12:32:37 AM) Daniel: Recent Job etc etc
(12:33:06 AM) Brian Krebs: what’s his name?
(12:33:17 AM) Daniel: full name ?
(12:34:03 AM) Brian Krebs: yeah
(12:34:10 AM) Daniel: hmmmm
(12:34:50 AM) Daniel: besliu vasile
(12:35:01 AM) Brian Krebs: what kind of name is that?
(12:35:11 AM) Brian Krebs: romanian?
(12:35:13 AM) Daniel: Moldovian name
(12:35:53 AM) Daniel: he is ugly motherufcka.
(12:36:18 AM) Daniel: after i hacked him he said that i destroyed his life (
(12:36:27 AM) Brian Krebs: aww
(12:36:55 AM) Daniel: yea because i spoke to him
(12:37:10 AM) Daniel: i said how much u pay for ur info to stay private
(12:37:19 AM) Daniel: then he said he destroyed his [hard drive]
(12:37:28 AM) Daniel: i said i dont care i got Backup
(12:37:32 AM) Daniel: it tooks me months to download all
(12:37:48 AM) Daniel: his Previous job..ats..proof video
(12:37:55 AM) Daniel: his picture with Zeus botnet showing up money
(12:38:12 AM) Daniel: his car Plate number
(12:38:17 AM) Daniel: Girls Friends
(12:38:23 AM) Daniel: his workshop. he is mechanic
(12:40:49 AM) Brian Krebs: huh. how come it took you months to [download]?
(12:41:43 AM) Daniel: i waiting for him
(12:41:46 AM) Daniel: if he don’t [pay] then i share just his personel info
(12:41:57 AM) Daniel: and videos that proof :) abt his jobs etc etc
It’s not clear whether bx1 had anything to do with it, but according to a lengthy thread on Mazafaka, one of the Underweb’s most exclusive cybercrime forums, Symlink was arrested late last year in Moldova. In a post on Oct. 11, 2012, forum regulars said Symlink had been arrested the day before, and that he got caught because he flaunted his ill-gotten wealth with fancy cars (a fully loaded Land Cruiser 200, valued at more than $100,000) and ostentatious lifestyle choices that were apparently considered far beyond the means of a local auto mechanic. As they do anytime a forum member gets arrested, the forum administrators banned Symlink’s account to distance themselves from the former member.
“Economic police came to symlink yesterday. All computers were seized, one was encrypted and two not, all jabbers at the moment of seizure were online. Ban him temporarily, but better permanently. He was received adultly [meaning, arrested seriously]. Idiot overplayed.”
It’s safe to say that bx1 had his share of enemies, and its possible that Symlink and/or his buddies got the last laugh. According to information obtained by KrebsOnSecurity, attackers recently targeted bx1 in a successful hack to break into his computer, making off with many files, email messages, screenshots and images from his machine.
Among them were scanned copies of two identity cards, both bearing the name and likeness of Hamza “Daniel” Bendelladj; one from a “University of Sutton,” and another that appears to be some kind of international ID card. It’s not clear whether these documents are legitimate or manufactured, but probably the latter: the domain attached to bx1′s MSN email address — universityofsutton.com — is registered with the following contact data:
domain: universityofsutton.com owner: Daniel Delcore organization: VIRUS & Malware Scanner email: email@example.com address: 522 8th street city: Columbus state: IN postal-code: 47201 country: US phone: +1.7573011758 admin-c: CCOM-1611324 firstname.lastname@example.org tech-c: CCOM-1611324 email@example.com billing-c: CCOM-1611324 firstname.lastname@example.org
Tags: ats, automated transfer system, Bangkok Post, bx1, email@example.com, Daniel Hamza, firstname.lastname@example.org, Danielbx1, Hamza Bendelladj, email@example.com, John Doe 19-20, Mazafaka, microsoft, firstname.lastname@example.org, spyeye, symlink, web injects, zeus, zeuslegalnotice.com