A 24-year-old Algerian man arrested in Thailand earlier this year on suspicion of co-developing and selling the infamous SpyEye banking trojan was extradited this week to the United States, where he faces criminal charges for allegedly hijacking bank accounts at more than 200 financial institutions.
Hamza Bendelladj, who authorities say used the nickname “Bx1” online, is accused of operating a botnet powered by SpyEye, a complex banking trojan that he also allegedly sold and helped develop. Bendelladj was arraigned on May 2, 2013 in Atlanta, where he is accused of leasing a server from a local Internet company to help manage his SpyEye botnet.
A redacted copy of the indictment (PDF) against Bendelladj was unsealed this week; the document says Bendelladj developed and customized components of SpyEye that helped customers steal online banking credentials and funds from specific banks.
The government alleges that as Bx1, Bendelladj was an active member of darkode.com, an underground fraud forum that I’ve covered in numerous posts on this blog. Bx1’s core focus in the community was selling “web injects” — custom add-ons for SpyEye that can change the appearance and function of banking Web sites as displayed in a victim’s Web browser. More specifically, Bx1 sold a type of web inject called an automated transfer system or ATS; this type of malware component was used extensively with SpyEye — and with its close cousin the ZeuS Trojan — to silently and invisibly automate the execution of bank transfers just seconds after the owners of infected PCs logged into their bank accounts.
“Zeus/SpyEYE/Ice9 ATS for Sale,” Bx1 announced in a post on a darkode.com thread dated Jan. 16, 2012:
“Hey all. I’m selling private ATS’s. Working and Tested.
We got IT / DE / AT / UK / US / CO / NL / FR / AU
Contact me for bank.
can develop bank ATS from your choice.”
The government alleges that Bx1/Bendelladj made millions by selling SpyEye and SpyEye components, and by harvesting financial data from victims in his own SpyEye botnet. But Bx1 customers and associates on darkode.com expressed strong doubts about this claim, noting that someone who was making that kind of money would not blab or be as open about his activities as Bx1 apparently was.
In my previous post on Bx1, I noted that he reached out to me on several occasions to brag about his botnet and to share information about his illicit activities. In one case, he even related a story about breaking into the networks of a rival ATS/web inject developer named Symlink. Bx1 said he told Symlink to expect a visit from the local cops if he didn’t pay Bx1 to keep his mouth shut. It’s not clear whether that story is true or if Symlink ever paid the money; in any case, Symlink was arrested on cybercrime charges in Oct. 2012 by authorities in Moldova.
The redacted portions of the government indictment of Bendelladj are all references to Bx1’s partner — the author of the SpyEye Trojan and a malware developer known in the underground alternatively as “Gribodemon” and “Harderman.” In a conference call with reporters today, U.S. Attorney Sally Quillian Yates said the real name of the principal author of SpyEye was redacted from the indictment because he had not yet been arrested.
Interestingly, several lengthy discussion threads on darkode.com show that Bx1 himself tried to warn fellow forum members that he had been approached by individuals either working for the FBI or acting as intermediaries for U.S. federal law enforcement.
In another thread posted Jan. 21, 2011 and titled “Feds, Feds, Feds,” Bx1 pastes an excerpt from an online chat with an interloper who describes himself as an information broker who is seeking clues about the identities of Gribodemon and a hacker who went by the screen name “jam3s,” and who is suspected of leaking the source code to the ZeuS Trojan. In that thread, Bx1 urges fellow forum members to “double encrypt” their computer hard drives and to “make a contact with a good lawyer.” Most of the forum members simply dismiss Bx1 as paranoid.
On Nov. 29, Bx1 posted an urgent thread on darkode.com titled, “FBI are after some members.”
“I spoke today with a friend working on FBI. he said there is an operation to find some hackers, we spoke deeply and he mention darkode. so guys, please be careful.” [see screen shot below]
If convicted, Bendelladj faces a maximum sentence of up to 30 years in prison on charges of conspiracy to commit wire and bank fraud, as well as sentences of five to 20 years for related charges. He also faces fines of up to $14 million.
“He also faces finds of up to $14 million.” in the last paragraph — I believe you mean ‘fines’.
Oh you and your nitpicking.
No, I just would like to find 14 million dollars. Best punishment ever? 🙂
Oh, you crazy kid you!
Contributing as always I see.
Brian, if those screenshots from darkode were taken from your own screen then you should probably have blanked out the logged-in user information at top right in each screenshot. Same goes if they were sent to you by someone else – I don’t think you’re the person identified in the third screen, at least.
Thanks for the opsec tip, Hayton. I’m well aware of the presence of the nicks in the screen shots. If you look really closely at one of them, you’ll see it was taken when logged in as the admin of darkode (sp3cial1st).
That’s the one I thought might have been sent to you by someone else. ‘sp3cial1st’ has made an appearance in the Comments section before now. I won’t ask how you came to have that screenshot, but he might have something to say about it 🙂
Oh Brian, you make me blush! You still haven’t seen my webcam yet.
Or could sp3cial1st be helping Brian and pretending to be the hero of all these hacker/spammers/crackers etc lol, did you turn him Brian? lol
hello brian … is that true that israel asked help from bx1 to counter the “opisrael”attack in exchange of his liberty ?
No, I haven’t, but that seems like a laughable claim. Israel has some fairly strong hackers working for the country and their security firms there.
30 years in prison is less than the maximum Aaron Swartz was facing (35 years) for downloading publicly-funded research publications at MIT.
And this guy, allegedly, actually stole stuff and victimized real people.
You can block SpyEye C&C servers using abuse.ch blocklists:
I believe the punk is also facing life in prison due to the number of charges, let’s hope so, it’s about time “The time fits the crime!”
Hope he gets life in prison? Yes, he stole a lot of money, but you know a fair amount of the time even murders get far less than life in prison, right?
He’s a young man, and what he did was deplorable, but his entire life is way past `fair`. Just too easy for people to think throwing away the key is the right thing. That should be only for the worst of the worst.
Way past fair, how so? It’s time the laws match the crimes, yes I know some murders get less and I disagree with that also! But on this subject, they are waging financial war on the world and it is hurting all of us and they laugh about it every day, some guys I track don’t care about getting caught with the threat of only a few years. Make them totally fear getting caught!
By comparison, the majority of armed bank robbers get less time. In this case nobody is physically threatened, held up at gunpoint, or otherwise taken hostage, so it seems illogical to have his sentence exceed theirs. Yes, it was a gross inconvenience, and a crime, but suggesting sentencing guidelines higher than eg highly violent serial rapists get is a rather naive assessment of what is ‘fair’, even from a victim standpoint. What would be more traumatic, after all?
voksalna quote “What would be more traumatic, after all?” Having to repeat myself to you dolts, yes sentencing guidelines are screwed up across the board ON ALL CRIMES, I say put him in a dark hole and be done with it! Will it happen, probably not, he’ll probably be working for the feds.
I agree – there appears to be little relationship between incarceration rates and time and crimes being committed.
While I think there of course needs to be consequences I’m not sure that prison helps either society at large or the offender in many cases.
Invite a friend(one invite left),(from 3 screenshot) LOL!
Well quite frankly I am glad we don’t live in a society where policy is determined by you. Perhaps you would be better off in Southeastern Asian countries or the middle east, where their rule of law is raw, harsh and absolute.
Anyway, good reporting Brian, as always.
Agreed. Mm in some parts thieves lose hands. In general “a civilized society” considers this cruel punishment just as deep dark holes are. But digitalspecops probably sees no shades of grey in the world at all… I can not understand how he could say sentencing guidelines are messed up ‘across the board’ and at the same time say he should get a deep dark hole, unless he is suggesting all criminals should get this.
My guess is that bx1 will not get as much good FBI treatment as some other recent arrestees have gotten, by the way. Cooperation, maybe, but he was arrested very publicly, which would automatically lower his value in future operations; his value to them is in his past, unlike many ‘busts’ where ‘assets’ are kept in place in order to have many more busts in future. I will not discuss this much here, but I am sure Brian knows of at least several cases where forums have been created or turned in order to obtain an ongoing series of arrests and assets.
Brian, by the way, do you know what the status of bx1’s technical equipment is? Did the FBI get this before Thailand could have ruined chain of evidence, and do you know if he encrypted? The documents I have seen are very vague, although they seem to suggest that this ‘darkode’ place was used to set up the purchase of the SpyEye codes he bought? Or were they able to get more evidence from his machinery? Thank you.
It’s been a long time. I found a very interesting post by our friend Xylitol. Maybe this is how he got caught?
Er..no. Bx1 was arrested in Thailand in January.
It is still a very interesting post. I was hoping you’d do a follow up on it, as I love to see these guys especially in their cocky glory get taken down. Luckily for me I’m just an over-interested spectator, who knows from years of doing infosec how bad these cretins can be. Xylitol was brave posting that leak.
While he was arrested in January, I have heard there were leaked out copies of these forums BDs for some time before his arrest.