February 27, 2018

It’s been a busy few weeks in cybercrime news, justifying updates to a couple of cases we’ve been following closely at KrebsOnSecurity. In Ukraine, the alleged ringleader of the Avalanche malware spam botnet was arrested after eluding authorities in the wake of a global cybercrime crackdown there in 2016. Separately, a case that was hailed as a test of whether programmers can be held accountable for how customers use their product turned out poorly for 27-year-old programmer Taylor Huddleston, who was sentenced to almost three years in prison for making and marketing a complex spyware program.

First, the Ukrainian case. On Nov. 30, 2016, authorities across Europe coordinated the arrest of five individuals thought to be tied to the Avalanche crime gang, in an operation that the FBI and its partners abroad described as an unprecedented global law enforcement response to cybercrime. Hundreds of malicious web servers and hundreds of thousands of domains were blocked in the coordinated action.

The global distribution of servers used in the Avalanche crime machine. Source: Shadowserver.org

The alleged leader of the Avalanche gang — 33-year-old Russian Gennady Kapkanov — did not go quietly at the time. Kapkanov allegedly shot at officers with a Kalashnikov assault rifle through the front door as they prepared to raid his home, and then attempted to escape from his fourth-floor apartment balcony. He was later released, after police allegedly failed to file proper arrest records for him.

But on Monday Agence France-Presse (AFP) reported that Ukrainian authorities had once again collared Kapkanov, who was allegedly living under a phony passport in Poltava, a city in central Ukraine. There is no word yet on whether Kapkanov has been charged, which was supposed to happen Monday.

Kapkanov’s drivers license. Source: npu.gov.ua.


Lawyers for Taylor Huddleston, a 27-year-old programmer from Hot Springs, Ark., originally asked a federal court to believe that the software he sold on the sprawling hacker marketplace Hackforums — a “remote administration tool” or “RAT” designed to let someone administer one or many computers from afar — was just a benign tool.

The bad things done with Mr. Huddleston’s tools, the defendant argued, were not Mr. Huddleston’s doing. Furthermore, no one had accused Mr. Huddleston of even using his own software.

The Daily Beast first wrote about Huddleston’s case in 2017, and at the time suggested his prosecution raised questions of whether a programmer could be held criminally responsible for the actions of his users. My response to that piece was “Dual-Use Software Criminal Case Not So Novel.”

Photo illustration by Lyne Lucien/The Daily Beast

The court was swayed by evidence that yes, Mr. Huddleston could be held criminally responsible for those actions. It sentenced him to 33 months in prison after the defendant acknowledged that he knew his RAT — a Remote Access Trojan dubbed “NanoCore RAT” — was being used to spy on webcams and steal passwords from systems running the software.

Of course Huddleston knew. He didn’t market his wares in some Craigslist software ad or via video promos on his local cable channel: He marketed the NanoCore RAT and another program, a software licensing tool called Net Seal, exclusively on Hackforums[dot]net.

This sprawling, English language forum has a deep bench of technical forum discussions about using RATs and other tools to surreptitiously record passwords and videos of “slaves,” the derisive term for systems secretly infected with these RATs.

Huddleston knew what many of his customers were doing because many NanoCore users also used Huddleston’s Net Seal program to keep their own RATs and other custom hacking tools from being disassembled or “cracked” and posted online for free. In short: He knew what programs his customers were using Net Seal on, and he knew what those customers had done or intended to do with tools like NanoCore.

The sentencing suggests that where you choose to sell something online says a lot about what you think of your own product and who’s likely buying it.

Daily Beast author Kevin Poulsen noted in a July 2017 story that Huddleston changed his tune and pleaded guilty. The story pointed to an accompanying plea in which Huddleston stipulated that he “knowingly and intentionally aided and abetted thousands of unlawful computer intrusions” in selling the program to hackers and that he “acted with the purpose of furthering these unauthorized computer intrusions and causing them to occur.”


Bleeping Computer’s Catalin Cimpanu observes that Huddleston’s case is similar to another being pursued by U.S. prosecutors against Marcus “MalwareTech” Hutchins, the security researcher who helped stop the spread of the global WannaCry ransomware outbreak in May 2017. Prosecutors allege Hutchins was the author and proprietor of “Kronos,” a strain of malware designed to steal online banking credentials.

Marcus Hutchins, just after he was revealed as the security expert who stopped the WannaCry worm. Image: twitter.com/malwaretechblog

On Sept. 5, 2017, KrebsOnSecurity published “Who is Marcus Hutchins?”, a breadcrumbs research piece on the public user profiles known to have been wielded by Hutchins. The data did not implicate him in the Kronos trojan, but it chronicles the evolution of a young man who appears to have sold and published online quite a few unique and powerful malware samples — including several RATs and custom exploit packs (as well as access to hacked PCs).

MalwareTech declined to be interviewed by this publication in light of his ongoing prosecution. But Hutchins has claimed he never had any customers because he didn’t write the Kronos trojan.

Hutchins has pleaded not guilty to all four counts against him, including conspiracy to distribute malicious software with the intent to cause damage to 10 or more affected computers without authorization, and conspiracy to distribute malware designed to intercept protected electronic communications.

Hutchins said through his @MalwareTechBlog account on Twitter Feb. 26 that he wanted to publicly dispute my Sept. 2017 story. But he didn’t specify why other than saying he was “not allowed to.”

MWT wrote: “mrw [my reaction when] I’m not allowed to debunk the Krebs article so still have to listen to morons telling me why I’m guilty based on information that isn’t even remotely correct.”

Hutchins’ tweet on Feb. 26, 2018.

According to a story at BankInfoSecurity, the evidence submitted by prosecutors for the government includes:

  • Statements made by Hutchins after he was arrested.
  • A CD containing two audio recordings from a county jail in Nevada where he was detained by the FBI.
  • 150 pages of Jabber chats between the defendant and an individual.
  • Business records from Apple, Google and Yahoo.
  • Statements (350 pages) by the defendant from another internet forum, which were seized by the government in another district.
  • Three to four samples of malware.
  • A search warrant executed on a third party, which may contain some privileged information.

The case against Hutchins continues apace in Wisconsin. A scheduling order for pretrial motions filed Feb. 22 suggests the court wishes to have a speedy trial that concludes before the end of April 2018.

8 thoughts on “Bot Roundup: Avalanche, Kronos, NanoCore”


    Ukraine is a very corrupt country anyway.
    But how come those guys did not fight?
    Why didn’t they hire the best lawyers?
    As we know, money can buy everything.

  2. second

    How come law enforcement knows names??
    Did those Ukraine hackers hack along with their… face and passports?? lol :D funny.. c’mon.. it’s the Internet.
    They can say their Internet connection was just hacked and used for bad purposes :) They can just say this, simple, they don’t need to admit they did a crime.

    1. Reader

      Typically, the police find that bad people use the same computer and Internet connection for their personal accounts and hacking accounts, some at the same time.
      Other bad people tell friends and colleagues about their crimes. The police listen.

  3. Yerucham Krustofsky

    Allow me to tell you, everything was dubbed later: dialogue, music and all ambient sounds. In addition, recording facilities in Ukraine were primitive (this was only two years after the catastrophe), resulting in the canned quality of most of the dialogue.

  4. Blue Critter

    Now that the Russians have been indicted, how is it that Facebook and Twitter are not guilty of facilitating criminal activities? According to this conviction, aren’t these companies responsible for how their service is used?

    1. Reader

      The Twitter, the Facebook, the MySpace, et cetera are publishers, not creators.

      They don’t hold the copyright to original works and are exempt from copyright claims, as long as they respond to takedown requests by creators and copyright holders.

      This is important because it gives them safe harbor — legal protection against prosecution and lawsuits — for most of what they publish. [1]

      They lose their safe harbor if it can be proven that they exercised editorial control, inserting opinion, changing content, or taking sides, like a newspaper. And that’s covered by free speech protection.

      Basically, the way to bring them down is to prove they KNOWINGLY accepted money from, or KNOWINGLY facilitated activities of, Treasury-designated terrorists, child abusers, treasonous traitors, major crime ringleaders, or enemy governments.

      Simply taking some money to publish some “Russian’s” [2] political advertising isn’t a crime. It’s an ordinary business expense, protected by safe harbor and free speech.

      [1] https://en.m.wikipedia.org/wiki/Online_Copyright_Infringement_Liability_Limitation_Act
      [2] Evidence of Russian government involvement is extremely weak. Evidence of involvement by someone (or some group) residing in Russia or speaking Russian is not much better, nor is it proof of a crime.

    2. abetancort

      Because they have enough money to challenge the prosecutor in any court. When you see a guilty plea in US courts (especially in the Federal ones), don’t assume either that the person is guilty or that the case would hold up if it were put to trial.

      Many times, it’s just that the defendant doesn’t have the resources to put up a decent defense (the fees for hiring a top law firm are extremely high, especially in the US) and has to stick with a public defender who isn’t specialized in cybercrime or the Internet, and on advice of counsel they see no other way than to take the deal the prosecutor has put on the table…

      Guilty-plea cases don’t make case law because the issues have not been subject to a trial, and of course they never get to the courts of appeal.

      The writer should be more careful to avoid his own confusion. A guilty plea doesn’t prove anything beyond that the defendant has thrown in the towel and agrees not to contest the charges put forward at that moment by the prosecutor.
