Apr 16

SpyEye Makers Get 24 Years in Prison

Two hackers convicted of making and selling the infamous SpyEye botnet creation kit were sentenced in Georgia today to a combined 24 years in prison for helping to infect hundreds of thousands of computers with malware and stealing millions from unsuspecting victims.

The Justice Department alleges that 24-year-old Aleksander Panin was responsible for SpyEye. Image courtesy: RT.

Aleksander Panin developed and sold SpyEye. Image courtesy: RT.

Atlanta Judge Amy Totenberg handed down a sentence of nine years, six months for Aleksandr Andreevich Panin, a 27-year-old Russian national also known by the hacker aliases “Gribodemon” and “Harderman.”

Convicted of conspiracy to commit wire and bank fraud, Panin was the core developer and distributor of SpyEye, a botnet toolkit that made it easy for relatively unsophisticated cyber thieves to steal millions of dollars from victims.

Sentenced to 15 years in jail was Panin’s business partner —  27-year-old Hamza “Bx1” Bendelladj, an Algerian national who pleaded guilty in June 2015 to helping Panin develop and market the SpyEye kit. Bendelladj also admitting to running his own SpyEye botnet of hacked Windows computers, a crime machine that he used to harvest and steal 200,000 credit card numbers. By the government’s math (an assumed $500 loss per card) Bx1 was potentially responsible for $100 million in losses.

“It is difficult to over state the significance of this case, not only in terms of bringing two prolific computer hackers to justice, but also in disrupting and preventing immeasurable financial losses to individuals and the financial industry around the world,” said John Horn, U.S. Attorney for the Northern District of Georgia.


Bendelladj was arrested in Bangkok in January 2013 while in transit from Malaysia to Egypt. He quickly became known as the “happy hacker” after his arrest, in which he could be seen smiling broadly while in handcuffs and being paraded before the local news media.

Photo: Hamza "BX1" Bendelladj, Bangkok Post

Photo: Hamza “Bx1” Bendelladj, Bangkok Post

In its case against the pair of hackers, the government presented chat logs between Bendelladj and Panin and other hackers. The government says the chat logs reveal that although Bendelladj worked with Panin to fuel the rise of SpyEye by vouching for him on cybercrime forums such as “Darkode,” the two had an antagonistic relationship.

Their business partnership imploded after Bx1 announced that he was publicly releasing the source code for SpyEye.

“Indeed, after Bendelladj ‘cracked’ SpyEye and made it available to others without having to purchase it from Panin, the two had a falling out,” reads the government’s sentencing memo (PDF) to the judge in the case.

The government says that while Bendelladj maintained he was little more than a malware analyzer working for a security company, his own chat logs put the lie to that claim, noting in November 2012 Bx1 bluntly said: “if they pay me the whole money of the world . . . I wont work for security.”

Bx1 had a penchant for marketing to other thieves. He shrewdly cast SpyEye as a lower-cost, more powerful alternative to the Zeus botnet creation kit, plastering cybercrime forums with animated ads pimping SpyEye as the “Zeuskiller” (in part because SpyEye was designed to remove Zeus from host computers before infecting them).

Part of a video ad for SpyEye.

Part of a video ad for SpyEye.

In Oct. 2010, KrebsOnSecurity was the first to report on rumors in the underground that the authors of Zeus and SpyEye were ending their rivalry and merging the two crimeware products into one software stack and support structure for existing clients.

“Panin developed SpyEye as a successor to the notorious Zeus malware that had, since 2009, wreaked havoc on financial institutions around the world,” the Justice Department said in its statement today. “In November 2010, Panin allegedly received the source code and rights to sell Zeus from Evginy Bogachev, a/k/a Slavik, and incorporated many components of Zeus into SpyEye.  Bogachev remains at large and is currently the FBI’s most wanted cybercriminal.”

Bogachev, the alleged Zeus Trojan author, in undated photos.

Bogachev, the alleged Zeus Trojan author, in undated photos.

It’s not clear whether Bendelladj had any intention of honoring the sanctity of the merger agreement with the author of the Zeus Trojan. Not long after the supposed merger, copies of the Zeus source code were available for sale online, and the code went fully public and free not long after that. My money is on Bendelladj for that leak as well.

Apparently Bx1 was not a big fan of KrebsOnSecurity, either. According to the government’s sentencing memo:

“At various points, [Bendelladj] has expressed contempt for Brian Krebs, the author of the “Krebs on Security,” and claims that he has credit cards (‘ccs’) of Mr. Krebs’s family and that Bendelladj will be ‘after him until he die.’ He even suggests inflicting a Distributed Denial of Service attack against Mr. Krebs.”

Maybe that antagonism had something to do with this story, in which I repost chat logs from a conversation I had with Bx1 back in January 2012. In it, Bx1 brags about hacking one of his competitors and to getting the guy arrested.


  1. oh how these clowns they come and go.
    so, so many clowns, and so, so little time.
    but in the end, as we begin their show.
    from arrest, trial, and bars are all they find.

    i wonder if they ever thought that they’d get away with it?

    and if life as it is now is what they imagined it would be, when they were a child?

    life is what you make it.


    • Just Passing Through

      I’m a (private) fraud investigator and in my time watching this stuff unfold it never ceased to amaze me how BX1 basically turned on every side and every one. Looking at the sentencing memo it seems fairly obvious that he’d also kept logs of every conversation and transaction he did. From that perspective I find it almost humorous that he didn’t get a negotiated plea deal and wound up with 15 years. I bet nobody was more surprised by that than himself. Flamboyant backstabbers? Surprised he lasted as long as he had, from what I’ve seen.

  2. Great to see the stakes and risks for being a cyber criminal going up. Thanks to Brian for his efforts to expose these guys!

  3. Hope they have some tea for Gribo in prison. It’s going to be boring :)

  4. Agree with Keith’s comment. Mr. Krebs, thanks as always for your work on these issues and for keeping us more informed. And to the others who help you in the fight against such criminal activity.

  5. This guy should have been thrown in jail for the way he dressed…

  6. Charming how RT describes the extradition of these criminals as being part of a “vicious trend.”

  7. That picture though. He looks like the love child between Blofeld and Rick James.

  8. Devils advocate

    For all i know Writing a malware is not a crime in US nor its a crime in many other county’s .

    • Right, but if your business is helping other cybercrooks set up their malware and botnets, then that shows intent, which is all the prosecutors need.

      • How is what they did any different than what gun manufacturers do every day? Or Hacking Team for that matter?

        • It’s different because there’s a law in the US shielding gun manufacturers from liability.

          Those who provide financial support to politicians get their backs scratched as well — as Eastern European malware creators are well aware, given what we know of their contributions to politicians’ money-laundering operations like volleyball teams.

        • @Jonas:

          Because there’s this thing in the US called the Second Amendment. Furthermore, gun manufacturers don’t sell to dealers or wholesalers with the INTENT that the gun be used in the commission of a crime. Rather, firearms dealers are prosecuted if they KNOWINGLY sell a gun to a person who passes the required background check to be then transferred to a convicted felon (called a “strawman” purchase). Similarly, private sellers are held liable if they KNOWINGLY sell or transfer a firearm to another person specifically for the INTENT for it to be used in the commission of a crime by that person.

          • So the difference between a successful and wealthy businessman and a person spending his youth in jail, is what his intentions were at the time of the transaction? I find that rather ridiculous since one’s intentions are only known by yourself.

      • What about financial institutions then ? They sure do helping criminal .,i see allots of intent right there !!!

  9. As my Grandpappy once said, “There’s no honor among thieves.” He said a lot of stuff, most of which is true.

  10. The criminal penalties and fines, etc., need to be higher.
    Much higher. Make ’em pay a very high price.
    I’m fed up with this crap. No mercy.

  11. Brian,

    Which prisons (or types of prisons) are guys like Paunch and BX1 typically going to?

  12. Good read. Prison time couldn’t happen to a nicer couple of scrawny thieves. Now they truly aren’t working for anyone, at any price.

    • What makes you think they can’t get internet access in prison? For that matter why would they wind up anywhere except a plush federal prison for business executives since these are nonviolent crimes? Since both of these guys racked up so much $$$ that was never seized… what would stop them from operating during their “hotel” a/k/a not really “prison” stay.

  13. 1 thing i dont undestood ,if the cybercriminals claim to be part of secret societies,part of gloabal elite, and so on, thats how they use names like trotsky, inc and so on so how the heck they can go to jail then? what is the cath here??

    • random russian guy

      >if the cybercriminals claim to be part of secret societies,part of gloabal elite, and so on
      this blog audience is getting more and more delusional it seems

      • Say it on our face. Do you really have an idea on working of FR? These guys may claim to work for global hidden hand, but then do they really know what are they talking about? Also, it means to worship Satan.

        • random russian guy

          What the fuck man? What the fuck are you talking about? Where are you getting this things from?

          This blog is not called “krebsonsecretsocieties.com”, “krebsondelusions.com” or “icantfindajobbecausehiddenhandwontletmeto.com”.

          Can you please provide some examples of cybercriminals claiming to be part of “global elite”/worshiping satan(rofl)?

          • The commenter ‘lum’ said – “if the cybercriminals claim to be part of secret societies,part of gloabal elite, and so on”
            And I replied “These guys may claim to work for global hidden hand, but then do they really know what are they talking about?” However, I myself haven’t read anything about it (that they claim to work secret socities), I just simply replied if they really said or this guy read somewhere, if so, they brag about the things that doesn’t meet to their sense (things of the core). Why would they say openly who they work for?!
            Also, about the evidence you could search it for yourself.

            • I am not saying proof about cyber criminals work for S socities. But may about the other things related to it.

      • There’s a secret organisation running the world…Only the top 1% of the top 1% know…

        I personally believe that the sentencing is crazy, even though they helped steal millions… people get a fraction of that time for real/violent crimes. I’m not saying that cyber crime shouldn’t have penalties… but you can look at BX1 and see a low life, Syrian terror hacker or you can see a talented hacker that’s on the wrong side. Went the wrong way. It will be interesting to see what he has to say, guess we’ll have to wait a while.
        Obviously this was a big case and examples had to be set.
        I found all this very interesting, thank you for the read Brian.

  14. Brian, thanks for reporting this – it made my day! Big KUDOs to the prosecutors and the judge in this case. And in reply to the other responders, I am absolutely confident that while these two thieves are in prison, their girlfriends / partners / competitors will steal all their money.

  15. Forget About Me

    12 years is crazy, unnecessary, over the top and will do nothing to rehabilitate these guy into the “model” citizens you all want them to be.

    • Or give them enough time to study, study, study and become legendary malware coders while they wait to be released.

      • If the same languages, technologies, base crimeware and techniques still exist in 10.5 years when they’re released (and if you think they care by then), then we’re seriously way more screwed up than you can even imagine.

        Get real. These people will wind up sent back to their home countries and the rest of the world will have changed phenomenally by the time that happens. All of their contacts will be either in prison, retired, informing, or dead and they will have NO clue what’s going on in the world, having been thoroughly institutionalized and allowed, at best, access to the metered email-only systems where they pay by the minute just to type short plaintext emails to pre-approved names/addresses.

        It’s time people realize that if you go to prison for 10-12 years in the US, you’re NOT going to come out having ANY tech savvy whatsoever. If you’re lucky, you might be able to keep up to date with Wired and its ilk (and the occasional person coming in after them who have a clue) on the *basics* of what’s going on in the world. But that’s about it.

        Also, as far as I know, camps are only available to people who are sentenced up to 10 years, and that, only if they want you to be there that long. More likely than not, that’s not the case here.

        And even if it were, 12 years (or 10.5-11 given the slight adjustment and halfway house that a federal prisoner might hope to get) is no walk in the park, no matter where you are — especially if you’re not even a citizen and have no family in the States to visit.

        I’m not saying you should feel sympathy, per se. I’m saying, you need to learn how to view this stuff empathetically: these people are NOT getting off lightly by ANY stretch of the imagination, and if they do go on to reoffend, it certainly won’t be by writing SpyEye or Zeus injects (or whatever).

  16. Au contraire, mes amis…

    When was the last time an Algerian had international impact on the advanced world’s daily activities?

    (Bendelladj may be due for an Algerian postage stamp, so perhaps he always smiled for the photographers to present a good model. Hollywood used to make genre movies around unarmed, roguish cat burglars; why not him?)

    And just look at some of the (relatively) secure jobs he’s created in the advanced world…

    Without him and those of his ilk, would the US have the very lucrative cyber-security industry we currently have (some of whom daily peruse this blog)?
    Would Apple even have an encryption division as a profit center?
    Would we even care that 3 billion Third World computers are running on stolen OS software?
    Without him and his fellows, would we have a Brian Krebs to report this stuff?

    All this, and very unlike US-born thieves, no evidence he ever used a gun or ever killed anyone, for his stash.

    What would be interesting is to learn if he also had the brains to follow the example of much wealthier miscreants to spread his stash among a few of the world’s better tax-shelters/hidden asset sites, including DE, NV and WY.

    For now it’s a CV-enhancing, US-subsidized, DNA-recorded sabbatical (three daily hots, a cot, full medical and dental care) until at just age 42, ready to resume the criminal challenge. N’est-ce pas?

  17. The Zeus Trojan hacker looks exactly what I would picture a cyber criminal to look like … hope they get him behind bars as soon as well!

  18. You’re a snitch Krebs.

  19. why they use secret symols? sacred numbers ? car licence plates? and specific words, and nick names online, why would they do so? then? guess its dirty game that they been promised by satan himself that they will not get cath and will remain free…without sentence, but 1 thing for sure there is no DEALS with devil devil can give you only for short time pleasures,after he will take everything from you when he use you. thats how its explained!

  20. same thing with all the big drug lords,they been met with devil lucifer himfself and promised gamaourus nice life,but you cant trust devil and every material valuations,are created from humen souls,thats why devil want your soul as we know some extrastiosls being are here on planet earth we think they are humens? but they are not they are demons,criminals are victims there is no reason to ruin lifes like this. all this criminals being promised they will never go prison.or if they go only short time but its all lia its devil game

  21. ross been promised aswell,by the devil lias, but never trust devil. or fight back like escobar did 😀

  22. Looks like the secret society advocates and the Illuminati Conspiracy Theorists came to visit and comment in some of the posts above.

    All-in all the original news story by Brian was interesting. It indicates even in areas considered somewhat safe for nefarious hackers/coders one still has to ‘Pay the Piper’ or one can get arrested.

  23. Brian, do you ever get concerned when you see your name in reports like the one that the government brought against Bendelladj?

  24. Absurd. This Jew, Totenberg… how many child rapists has she sentenced to less than half that time? These guys, especially the Algerian should have their hands cut off like they do under Sharia law. That would be fitting and more humane. Instead this is a death sentence.

    If you understand banking and how money is created then you know that no money was lost as it never existed in the first place.

  25. “If you understand banking and how money is created then you know that no money was lost as it never existed in the first place.” Sign Totally Agreed !

  26. I live in a small rural community in Northern CA. A neighbor has hacked into our desktop, laptop (2) and our cell phones. He has even managed to somehow control our home phone thru suddenlink. He has activated the mics and records everything. I am beyond going crazy. No law enforcement agency will hekp me. I have lots of his scripts and log files. I just need help putting him behind bars so he can not do this again to anyone else, Can you help,