28
Jan 14

Feds to Charge Alleged SpyEye Trojan Author

Federal authorities in Atlanta today are expected to announce the arrest and charging of a 24-year-old Russian man who allegedly created and maintained the SpyEye Trojan, a sophisticated botnet creation kit that has been implicated in a number of costly online banking thefts against businesses and consumers.

The Justice Department alleges that 24-year-old Aleksander Panin was responsible for SpyEye. Image courtesy: RT.

According to sources, the U.S. Justice Department is charging Aleksander Panin of Tver, Russia with being part of a gang that robbed banks via the Internet. He was reportedly arrested in the Dominican Republic in June 2013.

Update, 4:34 p.m. ET: Panin just pleaded guilty to conspiracy to commit wire and bank fraud for his role as the primary developer and distributor of SpyEye, according to a press release from U.S. Attorney Sally Quillian Yates.

The government alleges that Panin sold SpyEye to at least 150 “clients,” one of whom is reported to have made more than $3.2 million in a six-month period using the virus. The Justice Department further states that the investigation has also led to the arrests by international authorities of four of Panin’s SpyEye clients and associates in the United Kingdom and Bulgaria.

Panin’s attorney Arkady Bukh said his client is facing up to 30 years in prison. “We are happy with the plea,” Bukh said. “It will greatly limit the client’s exposure in this case at the time of sentencing.”

Original story:

It’s not clear why Panin was in the Dominican Republic, which has strong relations with the United States. According to Wikipedia, the Dominican Republic has worked closely with U.S. law enforcement officials on issues such as the extradition of fugitives. According to Russian news station RT, Panin was high on Interpol’s “red list,” wanted for embezzlement through Internet banking scams totaling USD $5 million.

Panin’s arrest and subsequent extradition to Atlanta, Georgia caused a minor diplomatic dust-up in July 2013, when news of his arrest first came to light in Moscow. “Of course, we are seriously concerned about the fact that it again concerns the arrest of a Russian citizen with a US warrant in a third country,” said Russian Foreign Ministry Information and Press Department Deputy Director Maria Zakharova, in a television interview aired by RT. “We think the fact that such practices are becoming a vicious tendency is absolutely unacceptable and inadmissible.”

A SpyEye version from 2011.

The arrest caps a dramatic rise and fall of a crimeware package that evolved as a major headache for security professionals, and for Microsoft in particular. In March 2012, Microsoft executed a carefully-planned takedown of dozens of botnets powered by SpyEye and ZeuS — a competing botnet creation kit that was later briefly subsumed by SpyEye.

As part of that effort, Microsoft published email addresses and other information on the alleged SpyEye author, who went by the nicknames “Gribodemon” and “Harderman.” At the time, the software giant identified the alleged author only as an unknown “John Doe.”

Microsoft’s takedown effort was criticized by many in the security community, but SpyEye largely fell out of popular use after that action, according to data maintained by SpyEyeTracker, a Web site set up by a Swiss security expert to track the number and location of control networks for active SpyEye botnets.

A copy of the indictment against Panin is here (PDF).

88 comments

  1. The typically breathless RT has a related article titled “Moscow rips into ‘vicious practice’ of extraditing Russian nationals to US” (I won’t include the URL because Brian has set the anti-spam phaser to stun). In the article is this gem: “The Foreign Minister pointed to Russians ‘who found themselves in the United States’ because they were found guilty of serious violations of international law by US special services.”

    In the U.S. military, special services is the organization responsible for playing movies and providing other entertainment for the troops. Special forces is the organization which rides in black helicopters and shoots terrorists.

    If Russians do not want to be arrested and extradited to the U.S., there is a very simple solution: stop committing crimes against U.S. interests. Stealing money from American citizens will not be tolerated. Steal from China, Belarus, North Korea, Cambodia, Laos, and Russia, though Paunch tried that last one and got caught.

    • Oops, I read too quickly and did not see that Brian included the link in his article (look for the red RT). I just immediately went to RT and searched for “Aleksander Panin.” By the way, the comments on that article are hysterical, with most talking about the actions of the U.S. being indicative of a “new world order.”

    • “If Russians do not want to be arrested and extradited to the U.S., there is a very simple solution: stop committing crimes against U.S. interests. Stealing money from American citizens will not be tolerated. Steal from China, Belarus, North Korea, Cambodia, Laos, and Russia, though Paunch tried that last one and got caught.”

      The problem is that the United States does NOT get to unilaterally decide what counts as a “crime” and what does not; still less does it get to kidnap people in third party countries and then spirit them back to the punitive, unfair U.S. judicial system (not to mention Guantanamo!) for a show trial. (Just ask Messrs. Snowden and Assange, all about THAT little issue.)

      Nobody, least of all myself, is sympathetic to cyber-criminals like this guy. The problem is that the United States has ZERO credibility in its demands to “render the ‘perp’ to U.S. ‘justice’”, and the U.S. cannot arrogate to itself an ability to execute these kinds of extraditions in a manner that would NEVER be accepted if attempted by any other country — how about, for example, when Russia tries to “extradite” an American gay rights protester from (say) Germany, for “passing out homosexual ‘propaganda’”?

      In IT Security, we are supposed to look not at how a system will work, if used in its intended manner; instead, we’re supposed to warn people about how it might be abused, if used in some way that the designers hadn’t anticipated. U.S.-”exceptional” extraditions, fit this bill perfectly. Be careful, America; you might not like “extraditions” of this kind, when they get turned against YOU.

      • I’m pretty sure theft, and aiding those who commit theft, is considered a crime in just about any country. Even Russia.

        • THANK YOU! Though ironically Russia is quite the hypocrite when it comes to such laws. They work extensively with the RBN…

    • In the UK, “special services” (e.g., Special Air Service or SAS) is the designation given to what in the US are named “special forces” (the Russian ‘spetsnaz’ name may also translate that same way), and whoever wrote the RT English-language article probably gained their English proficiency from a non-US source.

    • Are you actually encouraging people to commit crime against China, Belarus, North Korea, Cambodia, Laos and Russia? Why would you do that?
      First of all, Americans are dumb as F …k thanks to the fast food.
      Second of all, they know nothing about IT security.
      And last but not least, most of the Americans have money in the bank accounts; you can’t say the same about people in China, Belarus, North Korea, Cambodia, Laos and Russia.

      • I think you missed his point. The point is–’Don’t steal from Americans, and expect to get away just because you aren’t an American, and don’t live here.’

        Yes, it is likely you will not be caught if you are not identified and/or you live in a non-extradition country (such as Russia). If, however, you are identified, and choose to travel to a country which cooperates with the United States (and, oh, by the way–you choose to assist in the theft of significant amounts of money or property from U.S. citizens or companies), then you will most likely be caught and prosecuted.

        I agree on the fast food, though–definitely not healthy.

  2. If Zeus and SpyEye are essentially dead, what are the bad guys using these days to steal banking credentials?

    Or have they largely moved on to stealing credit card info from infected POS terminals?

    • Still SpyEye, still Zeus, also Citadel/Reveton, Pony/Murofet, and even still, BlackHole exploit kit despite Paunch’s arrest.

      • As far as my research goes you are wrong :) there is no black hole since “paunch” got arrested, there are several others, one of which is so called white hole :) probably took their name for popularity :D

        And as zeus and all the ones that were made by it are still used, they aren’t very harmful, as they aren’t updated anymore, so most don’t work on new browsers that had an update…

  3. Zeus is still around and heavily working the email attachment scene.

  4. Good article, again.

    I do not watch any programs (except some sports) on TV, but check daily to see what Brian wrote.
    Much more interesting than any hokey crime show on TV.

  5. ““Of course, we are seriously concerned about the fact that it again concerns the arrest of a Russian citizen with a US warrant in a third country,” said Russian Foreign Ministry Information and Press Department. ”
    The U. S. response: “Eat my shorts”, John Bender, Bart Simpson

    • I do often find it repugnant that the Russian government is very often tolerant of such criminals. And they’ll always take an open opportunity to blame everything on the U.S., call us the bad guys, when one of their guys gets arrested. That’s Putin for you.

      Meanwhile, whether you agree with the global nature of American jurisdiction or not, it still doesn’t make distributing malware in such a way, let alone selling it to any rich buyer, a just action.

      Stick with reversing it, not spreading it.

  6. It’s cool, but turnabout is fair play. I don’t want to hear any whining when Russia grabs a U.S. citizen and takes him/her back to Russia for trial on whatever charges they find important.

    • What part of “created and maintained the SpyEye Trojan, a sophisticated botnet creation kit that has been implicated in a number of costly online banking thefts against businesses and consumers” didn’t you understand?

      • What part of “allegedly” don’t *you* understand?

        He should have been arrested and tried in Russia, where the alleged crimes took place. He won’t get a fair trial in the US, not by international standards, and US prison conditions are criminal (no pun intended).

        What if US citizens were being extradited to Iran to face heresy charges because of something they said on the internet? “If Americans do not want to be arrested and extradited to Iran, there is a very simple solution: stop committing crimes against Iranian interests.” After all, many people think heresy is much more serious than theft.

        • What part of trial don’t you understand? He’s going to have evidence presented against him, he can dispute that evidence and gain an acquittal if he’s innocent.

          However, Russia has a long track record of refusing to indict criminals who don’t target Russian citizens. So long as they solely target foreign nationals, and pay healthy bribes to the right people, Russia turns a blind eye to their activity and has done so for years.

          Until they start being a good international citizen, and enforcing the terms of the international treaties and conventions they’ve signed, this kind of activity will continue.

          • An acquittal if he’s innocent? In theory, sure. In practice, I wouldn’t count on it, particularly for a foreigner. (On the other hand, this particular foreigner may well be wealthy enough to afford a sound defense.) Even if he’s guilty, though, he shouldn’t be going to a US jail.

            You have a good point about Russian law enforcement. On the other hand, Iran could say the same thing about America, which after all very rarely prosecutes people for blasphemy. For that matter, Russia would probably like to prosecute Americans whose internet writings break Russian law about “promoting” homosexuality.

            The bottom line is that I doubt that these prosecutions are worth the bad precedent they set. Diplomatic pressure on Russia might be a better choice.

            • Alright, settle down you guys ;) He just pleaded guilty. No trial.

              Story above is updated with links to press release from DOJ and to complaint against Panin.

              • So … where will he be going to jail?

              • Pleading guilty doesn’t even necessarily mean guilty anymore, if you’re being threatened with 20-100 years+ of prison time in a country whose language you don’t know and thus can’t properly defend yourself at a “trial” that never happens (or takes years, while he’d be serving time anyway) — and you’re presented with a biased jury where, judging from this blog, every last American believes “CIS” + “cybercrime” = “guilty”. Even though Arkady is Russian-speaking and has represented a few extradited alleged cybercriminals, how does this in any way enable an alleged cybercriminal to directly answer to alleged crimes or in any way present themselves accurately; translation, especially between non-romance languages, is notoriously difficult to get precisely correct in tone. And what would they do in a trial? Have a translator relay questions between the lawyers and the alleged cybercriminal? How has this ever worked in ANYBODY’s favour regarding obtaining even a minimum amount of fairness? So let’s say he decides to have a trial with a judge instead of a jury trial — then he is stuck no doubt with a judge who already has a preconceived idea of ‘Russian cybercriminal’ and no doubt would receive incredible but subtle pressure to make an ‘example’ of the person in question.

                So what if he pled guilty? If I recall the statistics in the US show something like 98% or even 99% of people pleading guilty. Do you honestly believe ALL of those people are actually guilty, when fighting a charge effectively breaks even fairly well off people. From what I have heard, the “public defenders” (plural because over the course of years of waiting for trial you probably wouldn’t get a single one, nor would they be likely to be familiar with your case) are specifically oriented towards plea bargaining. How many people can afford to even go to trial? Eventually most people who cannot access money because they are from a foreign place do get stuck with a “public defender”. Fighting takes a particular sort of stubbornness when any legal organisation has already proclaimed you ‘guilty enough to extradite’.

                I’ve no idea why people think it’s okay to extradite an alleged *coder* to a third country. A CODER. I think this is an extremely important distinction to make, here, and for some reason it is being ignored, for the most part: Yet another time, CHARGE THE PEOPLE WHO COMMIT THE CRIME WITH THE CRIME. Or start charging not only every gun user who shoots someone and commits murder, but also charge the people who have made the guns in the factories — and for that matter the people who lead the company. And the marketers. Because if people didn’t know guns existed, then they couldn’t murder people.

                Programming code is NOT criminal, no matter WHAT sort of code it is. And as for pleading to ‘conspiracy’ you would probably be hard-pressed to find a single person in most countries now who could not be prosecuted for ‘conspiracy’ for SOMETHING in their lifetime, if “evidence” were presented in precisely the correct way.

                He wrote code. The US didn’t like that he wrote the code. But he is not and can not be held responsible for what people do with that code any more than Microsoft is held responsible for all of those horrible VB and .NET malwares that get sold on every kid forum imaginable.

                Charge HD Moore for writing metasploit, or the team who codes sqlmap; those two things are responsible for more ‘breaches’ than anything else.

                In fact, all American coders of so-called ‘penetration testing tools’ should be able to be extradited to any country that has a branch of ‘anonymous’ defacing their government websites.

                People think so small; they never see bigger pictures.

                • “So what if he pled guilty? If I recall the statistics in the US show something like 98% or even 99% of people pleading guilty. Do you honestly believe ALL of those people are actually guilty, when fighting a charge effectively breaks even fairly well off people.”

                  That’s a circular and unsupported argument. You merely assert and don’t establish that the “99%” of the people pleading guilty are actually innocent, and you make an unsupported claim as to why they’d make such a plea; that does nothing to establish that this “99%” contains a significant amount of truly innocent people. That renders that part of your argument moot, with the rest being nothing more than an appeal to emotion, thus fallacious.

                  A lot of the US citizenry would agree that this sort of snatch-and-grab arrest is unconscionable. But you won’t make conversions with hyperbolic appeals designed to denigrate the American system. US citizens recognize flaws and complain about them, but if the comparison involves a Russian national, then any attacks on the US system will do nothing more than draw cynical derision from people who believe – rightly or wrongly – that the worst you could say is that America is finally stooping to Russian standards. Yes, that would be an unfair argument since you’d mostly have to harken back to the early 20th Century Moscow Trials to actually present hard evidence, but again, that’s the belief system in place. It’ll harden arguments to the contrary unless better constructed. It’s better to point out that America is violating its own ideals by committing the same sorts of acts the country has criticized in the past and would be better served by working *with* other nations in prosecuting these crimes instead of going at it in the way they had.

                  • “It’s better to point out that America is violating its own ideals by committing the same sorts of acts the country has criticized in the past and would be better served by working *with* other nations in prosecuting these crimes instead of going at it in the way they had.”

                    Sure, this, but you’ve deliberately read the rest of what I wrote with your own biases. Do you need me to give specific links to the studies in question? I can if need be. Why would you read that I’d ever say ’99% are innocent’, anyway? Here’s another statistic I can provide proof of: 1 in 4 American males, at some point in their life, will have a criminal record and spend time either in supervision or in prison.

                    “that the worst you could say is that America is finally stooping to Russian standard” shows your bias, right there.

                  • And congratulations on nitpicking a figure instead of the problem behind the figure. How is saying “people who are charged with crimes in the US face several years of tension, financial hardship, waiting, insecurity, inability to find work, and poor “defense counsel””, in a nut-shell, at all inaccurate?

                    You’re the one making emotional statements. Not me. And not once did I see a single actual refutation.

                    • Do you realize I’m trying to help you not come off as shrill? Do you recognize I’m trying to advise you on how to make a better impacting argument?

                      There is no refutation because there is nothing to refute. You made an assertion. And you do need to read my statement without anger; you missed the fact that my statement about the US system was a characterization of what you’d be up against and that it would be an unfair one to paint.

                      This is what I mean about your argument: You’re coming off as angry rather than rational. You could do better by being more factual and less heated.

                    • Addendum/correction:
                      “My statement about the US **stooping to Russian standards**” would be unfair. My point being that that attitude does not fairly consider the Russian legal system and makes presumptions about the US one that can be critiqued.

                      —–

                      Also: “How is saying “people who are charged with crimes in the US face several years of tension, financial hardship, waiting, insecurity, inability to find work, and poor “defense counsel””, in a nut-shell, at all inaccurate?”

                      It is not inaccurate. It is irrelevant to the case at hand. You have not established that the general trend means Panin pleaded guilty when he’s really innocent. That’s what I’m getting at. And that’s not a trivial distinction either. It’s exactly what’ll get harped on if you try that argument elsewhere.

                  • OK but my statement *is* relevant here, because if he were in the country he allegedly should have been charged in, he would be at home where he would have family, resources, support, his home language, a lawyer who could represent him properly, and proper cultural understanding (or at least a better chance at this), as well as representation he could most likely more easily afford.

                    My argument is that he is more than just disadvantaged, he is many times over disadvantaged over even the average American waiting to go to ‘trial’ or for a plea arrangement to be agreed on.

                    If there is any argument to be made as far as dual criminality, then it should be Dominican Republic’s decision to charge or not charge him, but IN Dominican Republic, based on crimes that were committed in Dominican Republic or at a minimum committed against citizens of Dominican Republic or with citizens of Dominican Republic.

                    Just like Liberty Reserve, if it should have been charged, should have been charged under Costa Rica law. These crimes were not committed IN the USA. They were committed FROM Russia. It is Russia’s case to prosecute or not prosecute.

                    By the logic of these extraditions from third-nations, it should be not only legal but REQUIRED to see every person that worked on STUXNET extradited to a specific Muslim-oriented country, for surely that was a crime — if this occurred in a US facility you know it would be perceived as terrorism. There is a parity and selectivity issue here that is bothering me more than the simple ‘he is being charged in America’ issue — it is that, quite simply, there is no parity and to expect or demand as much would be received, most likely, with the attitude of an abusive parent beating their child to death. But the rest of the world is not America’s child — or anybody else’s.

                • “I’ve no idea why people think it’s okay to extradite an alleged *coder* to a third country. A CODER.”

                  Are you dim? Or is this just a silly distraction on your part? He was not charged for the crime of coding. He was charged with being part of a criminal gang engaged in theft:

                  “Update, 4:34 p.m. ET: Panin just pleaded to conspiracy to commit wire and bank fraud ”

                  If he used his “coding skills” to knowingly aid in theft and fraud then he is a criminal.

                  • I think you lack an understanding of the legal definition of ‘conspiracy to commit’. He is being charged precisely for coding this software. That is considered him ‘conspiring to commit’. In the past few years a number of programmers have been charged precisely in this manner absent any specific contact with the actual crimes being committed or even knowledge of those crimes.

                    You do not need to know a crime is being committed to be charged with conspiracy to commit a crime. This is why a person can be (and usually will be) charged not only with conspiring to commit a crime but also charged with actually committing that crime if they are specifically responsible for certain activities involved in that crime.

                    It does not change my stance that none of this should be happening in the US; as with Paunch, he is Russia’s citizen and thus it is Russia that should be charging or not charging him with a crime committed when he was on Russian soil. If he were living in the US at the time, I would still not necessarily agree that the programming, if he did not know how the programming was used, was a crime, but I would agree that it would be subject, completely, to US laws and attempted prosecution could, should, and would be their right.

                    • *yawns* Cool story bro. You should totally get more upset about some criminal pleading guilty. That, or send Dolf Lundgren over to bust him out or some sh1t.

                • This is hilarious. How many morons are up in arms about a criminal making a dumb decision to visit a country that plays nice with the US and got caught/extradited. More importantly, if it were your company/employer, would you feel the same after being essentially bankrupted? A crime is a crime. Please feel free to correct me if I’m wrong, but is theft NOT a crime in Russia, or is it just limited to being gay or having informed and independent thoughts in general that’s illegal over there?

            • In practice, you should stop reading RT for news. Foreign nationals get acquitted regularly in US courts. Just because foreign nationals never get acquitted in Russian courts doesn’t mean everywhere else operates the same way.

              Furthermore, if you read the latest update, you’ll see that he entered a guilty plea. That means he entered it. The US government didn’t enter it for him. That’s not how the justice system works in the US.

              Why do you have such a hang-up for blasphemy? Is it because the Russia government and the Russian orthodox church enjoy such a cozy relationship? The kangaroo court convictions of Pussy Riot are a stain on Russia’s soul.

              • I don’t even know what RT stands for. Russian Times? (I’m not Russian, if that’s what you’re assuming.)

                I’m also an atheist, so I very much oppose blasphemy convictions, including the Pussy Riot convictions. That’s the point! Russia or Iran prosecuting foreigners for “crimes” committed elsewhere would be a terrible thing to happen, but how can we tell them they shouldn’t if the US does the same thing?

        • “allegedly”

          Talk to any prosecutor, defense attorney, or judge involved in criminal law. The vast majority of defendants’ cases, in excess of 90%, are plea-bargained before reaching court to save room for the really nasty ones. Innocent people do not plea-bargain, by and large.

          And the FBI does not bother arresting someone unless it is fairly certain the person can be convicted. This is why many white-collar crimes in the banking sector result in large fines but no prison time.

          “arrested and tried in Russia, where the alleged crimes took place”

          He robbed American, European, and other Western businesses. He did not rob Russian businesses.

          Your assertion — that he actually committed his crime in Russia because he did it from his PC there — was discounted long ago. For example, if three people agree to rob a bank, with one staying in the car and two entering the building, and one person is shot during the robbery, the getaway driver won’t be able to say he was blameless for the shooting. In most states he will be charged with pretty much the same crime as the two robbers.

          “US prison conditions are criminal”

          Russian prisons are far worse than anything seen in the USA. Do your homework.

          “US citizens were being extradited to Iran to face heresy charges because of something they said on the internet”

          Only Islamic countries agree with that Islamist crap. The civilized world will not participate in such extraditions.

          • “Innocent people do not plea-bargain, by and large.”

            I find that very hard to believe. (For a start, how would you gather those statistics?)

            “Your assertion — that he actually committed his crime in Russia because he did it from his PC there — was discounted long ago.”

            Yes, I’m aware of that. It was a bad decision then, and it’s a bad decision now.

            “For example, if three people agree to rob a bank, with one staying in the car and two entering the building, ”

            Uh … are the car and the building in different jurisdictions? If not, I don’t see the relevance.

            “Russian prisons are far worse than anything seen in the USA.”

            I’m hardly surprised, but it isn’t as though the US only ever tries to extradite Russians. Just ask Gary McKinnon. [You knew I was going there, didn't you? I'm also trying to fit Aaron Swartz into my argument, but so far I haven't quite figured out how. :-) ]

            “The civilized world will not participate in such extraditions.”

            True by definition: any nation that does so would not, in my opinion, be civilized. But I think you’d be surprised how sympathetic some western European nations are to the concept of blasphemy; Ireland comes most readily to mind. Besides, how many travelers of any nationality restrict themselves only to the civilized world?

            (For example, how many spectators are expected at the upcoming Olympics in Russia? How many of them could be arrested under the same theory, for something they did on their PCs at home?)

            • Beautiful, and I found your way to work Aaron Swartz in: prosecutorial pressure to plead. No doubt this guy would receive 10-20 years in prison, a good portion of it (a few years, probably) in a largely segregated place where there is no sunlight or even going outside (like, my understanding, most of the ‘administrative’ federal bureau of prison facilities in the US) and far fewer ‘amenities’ than most ‘horrible Russian prisons’ — and often people are kept in facilities like this when they are foreign, beyond ‘guilty’. Which is not to say Russian prison conditions are terrific, but prior to being convicted, you will not be treated THIS inhumanely by almost any “other civilised country”; what good is ‘innocent until proven guilty’ if your life has been ruined trying to prove innocence?

              And after years in any prison, how could anybody present themselves as believably ‘innocent’? People come out of prison harder or broken — and often broke. By the time they go to trial after the lengthy crap they are put through to get there (I would point to Boa’s case — he is only just now getting sentenced after being moved around among various detention facilities in the USA for TEN YEARS), they are either ready to plead, or they appear to any ‘civilised jury’ in the US as a hardened criminal. Given long enough everybody will plead just to know it will END.

          • @saucymugwump: how do you define ‘civilized’? Because someone does not believe in something that you believe in, or thinks otherwise, makes him uncivilized?

        • If American prisons are so bad, certainly a gulag in Siberia will be that much better, right?

          And since they are currently harboring a person very much wanted by the US, I wouldn’t really be that surprised about the US snatching up Russian e-thugs where they can, either. Certainly our Russian friend should have considered his elevated risk of exposure before traveling to a country that works closely with the US on matters of extradition.

          Personally, if I had to do time, I’d rather do it somewhere a bit more comfortable than either above countries.

        • That’s a clear example of the logical fallacy of “False Equivalence.” In order for your comparison to not be fundamentally flawed, you would have to argue that religious heresy & the practice of homosexuality are equivalent offenses to building a tool that is used (and specifically designed) to cause millions of dollars of financial damage.

          I don’t particularly like the US practice of doing end-runs around extradition either, but your efforts to argue against that practice just insult religious heretics & homosexuals – by lumping them in with thieves and other criminals whose actions cause actual, tangible harm.

          What’s the tangible damage caused to Iran by someone elsewhere in the world making a heretical statement against Islam? Or the tangible damage to Russia caused by the existence of homosexuals elsewhere in the world? And no, I don’t consider “tangible harm” to mean the same thing as “religious fanatics getting their feelings hurt” or “homophobes getting irrationally upset over what other people do with their genitals,” respectively.

          • Nick,

            There’s no false equivalence here, because there’s no equivalence at all. The problem is that you’re assuming that irrational people are going to behave rationally, and that’s … well … irrational. :-)

            You and I both know neither homosexuality nor blasphemy cause anybody any harm. That’s all very well and good, but how is our knowledge going to stop the Iranian or Russian governments?

            When the rule of law breaks down, the guilty may be the first to suffer, but it never ends there.

    • And if an American citizen was harming innocent Russian citizens and stealing their money and banking credentials, I would be cheering on Russia to take the guy down.

      -an American

      • Have you ever actually compared the number of blackhat hackers in hacking forums who are Americans to the number who are Russians? The ratio will disappoint you. I don’t believe that a coder should be held responsible for what he codes. The one who committed the crime with the tool should be held responsible. The issue is, people don’t have the guts to trace the real criminal, so they go after the easy targets.

        • You may be voluntarily living under a rock. No, you will not find many Russian-speaking cybercriminals on English-speaking forums, but have you even LOOKED at places like HackForums lately? There is a robust and often horribly outspoken English and Western European language-speaking (but who often use English) ‘scene’. Don’t kid yourself into thinking that all of this is “A Russian Thing” just because it is more convenient and fits your world-view better.

          Remember Sabu? Busted for carding first. Remember these ‘theGod’ people? Busted for being ‘major figures’ on a sting CC board. And don’t get me started on the quantity of people from carder.su who were busted from… America. Or this plastics shop. Or so on. I can provide another several dozen instances. Even Brian himself mentioned ShadowCrew.

          Don’t confuse voluntary segregation with ‘the problem’, which has less to do with geographical location than you might like. There may be more truly skilled people in Russia but a LOT of the ‘cash-out’ people are American (or similar) and looking for quick money. This speaks to corrupt morals at a far more baseline level.

          Other than this nit-pick, I actually agree with everything else you said. I just think it’s important to not emphasise one set of people over another, even if it is fashionable to do so. It borders on xenophobic, and also says that the problem exists solely on places like forums.

  7. This story actually makes me a tad bit sad. The Feds actually caught up with a major miscreant before a full KrebsOnSecurity “Breadcrumbs” exposé was published. You’re slipping, Brian. :)

  8. Remember – Russia basically told the US to ‘sod off’ when the US asked for the extradition of Snowden, so I suspect that the US Gov’t will do what they want to whom they want when they want until Snowden is returned to the US.

    • For those of us on the other side of the pond, the expression “sod off” is defined in the Urban Dictionary. The fourth definition is quite entertaining.

      • I would have enjoyed the 4th definition in the Urban Dictionary but don’t know what “gobbed me in me eye” means.

        • Have you never hacked up and then projected a gob of spit before? In that case, you must not have played much in the way of outdoor warm-weather sports (or traveled in many countries overseas, though not Singapore).

    • Yeah … bizarre, isn’t it? Russia being in the right and the US in the wrong? (Never thought I’d live to see the day, etc., etc.)

      • There can be no progress towards fairness in any geopolitical context without a proper adversarial relationship between at a minimum two (but preferably more) countries. Power, gone unchecked, will continue to suck in all the power that exists until an adversary cannot exist. Without a pushback by somebody willing to stand up (regardless of the reasons, for the most part) and capable of doing so with enough force to back its assertions up, there is no possible future but dystopia, in every sense of this word.

  9. TheOreganoRouter.onion

    Another good article

  10. “Cyber Criminal Pleads Guilty to Developing and Distributing Notorious SpyEye Malware”

    What a pity.

  11. How the he did they manage to catch him?
    if he can be caught, can’t other botnet creators ?

  12. and why does it say a/k/a bx1 in his indictment?
    think bx1 was caught long before this?

  13. The original indictment of Bendelladj (= bx1) did not name Panin. You can read about the original case against Bendelladj at the same US Attorney of Northern Georgia website:

    http://www.justice.gov/usao/gan/press/2013/05-03-13.html

    Bendelladj (and Panin) are being tried in Georgia, USA, because one of the Command and Control servers was located there.

    To quote the original indictment:
    “… Bendelladj allegedly operated C&C servers, including a server located in the Northern District of Georgia, which controlled computers infected with the SpyEye virus.”

  14. He won’t get much time, around 5-7 years I would say. Definitely under guidelines.

    • Because he “pled guilty”. If he’d gone to trial and been “declared guilty” he’d easily get 2-3 times as much. And given the nature of these charges, chances are there would have been more superseding indictments coming if he did not plead. Which is one reason people plead in the United States: only those ignorant of the US legal system do not know there is an implicit “reward” for pleading.

      • Federal cases are hard to beat, so basically all you have to do is to get a good deal and plead guilty. It is also true that the government and your attorney will pressure you to plead guilty regardless of the evidence; none of them want to go to trial: for the government it means extra spending: money, time, resources; for your attorney (public defender or appointed by the court) it’s a waste of time because they can’t make more than 10K from one defendant, so they would rather get extra clients than waste time on you. There is A LOT to talk about when it comes to the federal system of the USA. Unfortunately I have a ton of experience in that.

        • I’d like to hear your perspective of these things, but would not ask you to do so publicly. Would you like to email?

      • Google: “Ham Sandwich Nation” and read the paper “Ham Sandwich Nation: Due Process When Everything Is a Crime” by Prof. Glenn Harlan Reynolds (AKA: InstaPundit) published on the Columbia Law Review website. I would be willing to bet that Panin is cooperating with the Feds and singing like a canary, which should make some of his associates in Mother Russia very unhappy. If my supposition is correct, look for a minimal sentence at the federal penal system equivalent of Club Med. When he gets out, he will become a highly compensated consultant to the banking industry and law enforcement.

        I would like to take one exception to Voksalna’s comments. In addition to the “ignorant” there is a small group of innocent people who still believe in the American Justice System. I have to confess that at one time I was one of them, but not any longer. In today’s America, innocence is a crime.

        • “I would like to take one exception to Voksalna’s comments. In addition to the “ignorant” there is a small group of innocent people who still believe in the American Justice System. I have to confess that at one time I was one of them, but not any longer. In today’s America, innocence is a crime.”

          I know there are, and I truly extend my support to these people. That said, at some point most people, even the most stubborn, have a breaking point — they may not change their beliefs but they realise that trying to fight a corrupt system is pointless when everybody else only cheers on the aggressors (or at least tries not to anger them for fear of being the object of aggression).

          The US has a very nasty history, that continues to this day (as do the UK and a number of other countries), of investigating and infiltrating any group (of friends or allies or otherwise) that disagrees with its policies. I do not know how you can win against this, when somebody will always eventually break, and you cannot possibly know for sure somebody will not screw you over.

          There was a recent documentary on Brandon Darby that I found particularly interesting (as well as a counter one focusing more on the kids who were pulled along into things). There are innumerable records of the FBI investigating anybody that they conceive might “cause problems” including your own Martin Luther King (who now has a ‘day’ — this may say a little about the levels of hypocrisy I worry about; celebrate the person willing to fight problems, but only do so after they are dead; the same is true for many of your sexual, racial and gender-related ‘freedoms’; it seems like revisionism to me (we could not win so we will support it now so we look less bad), and it seems almost impossible now to fight anything at all — especially given current “attention spans” — and I don’t just mean in the US. The internet has fed lies to many people in many countries and most now trust these news sources more than ever. Again, not only can people not properly fight without fearing harassment, but they also can not even know if what they are fighting for is even what they think they are fighting for. It is too easy to smack disagreement down and turn it into a joke.

        • Sorry. My English here, especially in that final paragraph, could have been more understandable. Usually I re-read things to try to make sure they make sense before I click ‘Submit Comment’.

        • Looking at the original indictment and the plea deal, and considering that he will be sentenced soon, I can tell that it is highly unlikely that he cooperated.

  15. To all you U.S. flag-wavers out there :

    Look, nobody is seriously suggesting that this “Panin” guy is some kind of little lost lamb who’s being persecuted for no good reason; and I’m certainly not trying to argue that (for example) the Russian penal / judicial system is “better than” the American one, etc., etc., etc..

    It is just that you Americans seem to think that you have privileges — in this case, “extraditing” citizens of a second-party country, from a third-party country, based on claims of “criminal conduct” against your own country — that you wouldn’t accept FOR SO MUCH AS ONE SECOND, if undertaken by other countries against YOUR citizens (how about if the government of Ukraine, for example, wants Americans who visit, say, France, arrested and “extradited” to face “Ukrainian justice”, for the “crime” of “inciting ‘terrorism’ against Ukraine’s democratically elected government”?)

    What if Russia identifies members of the NSA which it feels have been committing “espionage” against Russian IT systems (thank you Mr. Snowden), and then demands that a NSA worker on a vacation in Italy, be “extradited” to face trial for “computer crimes” in Moscow?

    I hate to bring you up to date with current events, but the nonsense propaganda of “U.S. exceptionalism” that is taken for granted within your country, counts for absolutely NOTHING, elsewhere. And it is “U.S. exceptionalism” on which virtually all these arrogant, over-reaching legal actions are actually based. Get off your high horse, start treating other countries like equals, and then perhaps the rest of the world will take your demands for prosecution of cyber-criminals like Panin, more seriously. But as long as you try to seriously claim that people like Snowden and Assange are in the same category as Panin and those of his ilk, and as long as you claim that “U.S. ‘justice’” over-rides every other consideration of international law and respect for national sovereignty, people (and governments) outside the United States are going to despise and resist you.

    Stop the arrogance, stop the abuse of due process, stop demanding, start listening, start co-operating, and then progress will be made. Keep doing what you’re doing now and you will simply isolate yourselves.

    • Let’s keep it to case by case, instead of hypotheticals, shall we? Yes, I get it–you don’t like America. Tough rocks. Lots of people don’t, and we Americans somehow manage to wake up, and move on with our lives (some of us are even—BIG shock—HAPPY).

      In this case, the guy plead guilty. He created malicious software that was used to steal from U.S. citizens and companies. Had the tables been turned, and you had been stolen from, and the thief was American, I’m sure you would’ve applauded your country getting the thief from a cooperative third country, and putting him (or her) on trial.

      As for U.S. ‘exceptionalism’—-you’re debating this on an English-based blog, written by an American author, on a medium (the Internet) that was largely developed by the United States. I’d say that’s pretty….what’s the word…oh yeah, EXCEPTIONAL.

      • – hey ‘John Smith’ are you being anonymous? Do you really believe this or are you attempting to troll? Of course you’re “HAPPY”. The people who benefit from abuse of power in any situation usually tend to feel empowered second-hand. Pride. That does not mean you deserve to tell everybody else what to do).

        Since when does any other country get to extradite an American, in practice? Even Americans who commit drugs crimes in places in Asia often have strong support to get out (though many/most do not) — but could you honestly ever tell me of a case where somebody American smuggled drugs successfully from Asia to the US and the US said “oh yes we will send them back to Asia now to be prosecuted”. And those are people doing crimes ON the foreign soil.

        It is far easier to be the person to control the narrative. That doesn’t mean you are right. It also does not mean it’s okay to embellish and indulge and further spread biases about all of this because it’s in English. You don’t even own English! Great Britain does. If somebody did this in a foreign language you would likely go in a rage.

        I highly suggest you read about the concept of ‘double standards’.

        Incidentally most of the people I have known who have disagreed with exceptionalism (and I have had the pleasure of speaking with quite a few Americans) have been some of the most patriotic people I know — and see what is occurring now as an affront to what their country “America” was supposed to stand for.

        • Don’t get your panties in a twist, voksalna (if that is your real name….and I’m sure everyone on the Internet uses their real name…..).

          My point is the guy is a criminal. The U.S. didn’t just randomly scoop up some innocent citizen from another country, and dump him in a U.S. jail. They grabbed a criminal who committed crimes against Americans. And frankly, yes–if seeking justice on behalf of its citizens is considered ‘pride’ and ‘abuse of power’, then I’m all for it.

          • Ken White addressed that attitude a while back. I can’t hope to express myself nearly as well, so I’ll just point you at the article:

            http://www.theagitator.com/2012/07/02/deserves-got-nothing-to-do-with-it/

          • It appears that my lengthy (but civil) reply to you has been moderated or not yet approved. I do not like double-posting, so in case this was just not approved yet I will wait another day to repost. If it was moderated, then I would like to know why. Thank you.

          • Oh sorry, that lengthy reply was to a different post.

            I defer to Mr. Johnson’s link here, because his link does the topic justice (‘justice’ such a funny word for something which certainly skirts the bounds of it).

            ” The state will always have an excuse for why the recipients of its force deserved it.

            Part of protecting rights is committing to protect them without caring too much whether the rights are held by people who are awful or wonderful.”

            Guess what? If he has been extradited to the USA then he is entitled to the same rights — which of course nobody is getting much of anywhere now. And that is despite the fact that really he should not have been extradited to the USA in the way that he was.

            I am not saying you have to change your country; you won’t and probably couldn’t even if you wanted to. What I am saying is you (as citizens of the USA) by sitting back and demanding extraterritoriality are acting hypocritical. Feel free to be this way, and woe is it for anybody to try to stop this, apparently, but don’t try to say you’re not. If you really demand this sort of thing then stand up and be willing to set a single standard that fits for every country and every person — do not believe you deserve exceptionalism.

    • YES. Yes yes yes yes yes and yes!

      Unfortunately you cannot speak to people who are not able to be reasonable because they themselves are brainwashed by what they have been taught (like the John Smith character).

    • +1

      I personally liked it better when we just tricked them into coming to the USA with promises of a job and arrested them at the airport.

  16. Brian, or anybody, can you please explain this for me, how BX1/Bendelladj could have been extradited two months before he was arrested in the US state he was prosecuted in? If he was not arrested before then, what was he? From FBI website:

    “Bendelladj was apprehended at Suvarnabhumi Airport in Bangkok, Thailand, on January 5, 2013, while he was in transit from Malaysia to Algeria. Bendelladj was extradited from Thailand to the United States on May 2, 2013. His charges are currently pending in the Northern District of Georgia.

    Panin was arrested by U.S. authorities on July 1, 2013, when he flew through Hartsfield-Jackson Atlanta International Airport.”

  17. The programmers responsible for Stuxnet would probably not be surprised at all if they were arrested if they visited a country allied with Iran. Espionage is a crime against whatever country you’re spying on. And fortunately for them, there’s plenty of spying on both sides, so they can usually come home in prisoner exchanges.

    Voksalna is right that pleading guilty doesn’t mean someone is really guilty. If you find that surprising, you need to do some reading about how the war on drugs has turned into a mass incarceration juggernaut. I might suggest Michelle Alexander’s book, The New Jim Crow.

    On the other hand, someone who has millions of dollars in accounts the feds can’t seize can afford lawyers to fight charges. He’s not one of the 99%. They likely have been collecting data on his activities while he was out of their reach for so long that it would have been impossible to fight the charges.

  18. “It’s not clear why Panin was in the Dominican Republic, which has strong relations with the United States. According to Wikipedia, the Dominican Republic has worked closely with U.S. law enforcement officials on issues such as the extradition of fugitives. ”

    hehehe there are literal SLAVE PLANTATIONS there for sugar cane which goes to fat American mouths and bellies. The big owners all live in Florida. Glad to see everyones priorities are in order. Anyway f this kid.

    • Agree on plantations and Florida, but I thought most Americans ate corn-derived and beet-derived sugars now because cheap. Sugar cane cost a penny more and of course agricultural megacorporations benefit more from corn-based syrups because of strange laws giving farmers more money to make this (‘stimulus’) which makes disincentive to grow healthier foods for profit margin. It makes me sad to know that most Americans do not have many choices. Everyone gets fat except people who get fat on money and cheap labour instead.

      • Actually, we have so many choices that even Americans returning from staying in other countries sometimes experience culture shock, standing paralyzed in an aisle in the food market unable to decide which brand of product to buy for every item on their shopping lists. Cane sugar still sells very well despite the higher price, because many people prefer the flavor. Corn is just a popular food in the US with or without subsidies, whether processed into sweeteners or snack foods, fried or toasted until it explodes as popcorn, or boiled and eaten right off the cob.

  19. [...In March 2013, Microsoft executed a carefully-planned takedown of dozens of botnets powered by SpyEye and ZeuS...] – Krebs…, you meant March 2012; correct it…

  20. 23 of the 24 charges have been dropped in exchange for Panin pleading guilty and a no-jury trial.

    http://itar-tass.com/mezhdunarodnaya-panorama/924471

  21. It’s not clear why Panin was in the Dominican Republic…….

    Dominican Republic all-inclusive resorts are quite a popular vacation spot with Russians.