Two hackers convicted of making and selling the infamous SpyEye botnet creation kit were sentenced in Georgia today to a combined 24 years in prison for helping to infect hundreds of thousands of computers with malware and stealing millions from unsuspecting victims.
Atlanta Judge Amy Totenberg handed down a sentence of nine years, six months for Aleksandr Andreevich Panin, a 27-year-old Russian national also known by the hacker aliases “Gribodemon” and “Harderman.”
Convicted of conspiracy to commit wire and bank fraud, Panin was the core developer and distributor of SpyEye, a botnet toolkit that made it easy for relatively unsophisticated cyber thieves to steal millions of dollars from victims.
Sentenced to 15 years in jail was Panin’s business partner — 27-year-old Hamza “Bx1” Bendelladj, an Algerian national who pleaded guilty in June 2015 to helping Panin develop and market the SpyEye kit. Bendelladj also admitted to running his own SpyEye botnet of hacked Windows computers, a crime machine that he used to harvest and steal 200,000 credit card numbers. By the government’s math (an assumed $500 loss per card) Bx1 was potentially responsible for $100 million in losses.
“It is difficult to overstate the significance of this case, not only in terms of bringing two prolific computer hackers to justice, but also in disrupting and preventing immeasurable financial losses to individuals and the financial industry around the world,” said John Horn, U.S. Attorney for the Northern District of Georgia.
THE HAPPY HACKER
Bendelladj was arrested in Bangkok in January 2013 while in transit from Malaysia to Egypt. He quickly became known as the “happy hacker” after his arrest, in which he could be seen smiling broadly while in handcuffs and being paraded before the local news media.
In its case against the pair of hackers, the government presented chat logs between Bendelladj and Panin and other hackers. The government says the chat logs reveal that although Bendelladj worked with Panin to fuel the rise of SpyEye by vouching for him on cybercrime forums such as “Darkode,” the two had an antagonistic relationship.
Their business partnership imploded after Bx1 announced that he was publicly releasing the source code for SpyEye.
“Indeed, after Bendelladj ‘cracked’ SpyEye and made it available to others without having to purchase it from Panin, the two had a falling out,” reads the government’s sentencing memo (PDF) to the judge in the case.
The government says that while Bendelladj maintained he was little more than a malware analyzer working for a security company, his own chat logs put the lie to that claim, noting in November 2012 Bx1 bluntly said: “if they pay me the whole money of the world . . . I wont work for security.”
Bx1 had a penchant for marketing to other thieves. He shrewdly cast SpyEye as a lower-cost, more powerful alternative to the Zeus botnet creation kit, plastering cybercrime forums with animated ads pimping SpyEye as the “Zeuskiller” (in part because SpyEye was designed to remove Zeus from host computers before infecting them).
In Oct. 2010, KrebsOnSecurity was the first to report on rumors in the underground that the authors of Zeus and SpyEye were ending their rivalry and merging the two crimeware products into one software stack and support structure for existing clients.
“Panin developed SpyEye as a successor to the notorious Zeus malware that had, since 2009, wreaked havoc on financial institutions around the world,” the Justice Department said in its statement today. “In November 2010, Panin allegedly received the source code and rights to sell Zeus from Evginy Bogachev, a/k/a Slavik, and incorporated many components of Zeus into SpyEye. Bogachev remains at large and is currently the FBI’s most wanted cybercriminal.”
It’s not clear whether Bendelladj had any intention of honoring the sanctity of the merger agreement with the author of the Zeus Trojan. Not long after the supposed merger, copies of the Zeus source code were available for sale online, and the code went fully public and free not long after that. My money is on Bendelladj for that leak as well.
Apparently Bx1 was not a big fan of KrebsOnSecurity, either. According to the government’s sentencing memo:
“At various points, [Bendelladj] has expressed contempt for Brian Krebs, the author of the “Krebs on Security,” and claims that he has credit cards (‘ccs’) of Mr. Krebs’s family and that Bendelladj will be ‘after him until he die.’ He even suggests inflicting a Distributed Denial of Service attack against Mr. Krebs.”
Maybe that antagonism had something to do with this story, in which I repost chat logs from a conversation I had with Bx1 back in January 2012. In it, Bx1 brags about hacking one of his competitors and getting the guy arrested.