Putting SpyEye Developers Behind Bars

By Lance James, Flashpoint

Thanks in part to research and testimony by Flashpoint, two hackers responsible for developing malware that infected over 50 million computers have been sentenced to prison. Aleksandr Andreevich Panin (aka Gribodemon) of Russia and Hamza Bendelladj (aka Bx1) of Algeria were sentenced to a combined 24 years and six months for their roles in developing and distributing SpyEye.

You might remember SpyEye as the banking Trojan of 2010-2012 that caused close to $1 billion in financial damage. The malware was built to automate the theft of confidential personal and financial information such as online banking credentials and credit card numbers. Beyond modules that specifically targeted Bank of America customers, SpyEye could also steal login credentials for arbitrary websites.

Like other credential-theft malware, SpyEye had a web-based command-and-control backend split into two tiers: a management panel for the stolen data and a remote-administration panel for controlling the infected machines. The malware hooked itself into the victim's browser and captured credentials by intercepting the login data users submitted to banks and email providers.

Panin, the malware's primary developer and distributor, built SpyEye to compete with, and eventually replace, the notorious Zeus malware. SpyEye borrowed several techniques from Zeus, including HTML injection into web pages, browser hijacking, data-interception code and a do-it-yourself builder kit. Unlike Zeus, however, SpyEye also used a range of techniques to hide its presence on the infected system.

SpyEye was a direct competitor to Zeus in the underground market until November 2010, when Panin allegedly received the Zeus source code and the rights to sell it from Evgeniy Bogachev (aka Slavik). Bogachev remains at large and is currently the FBI's most wanted cybercriminal.

Operating from Russia between 2009 and 2011, Panin conspired with others, including Bendelladj, to develop, market and sell various versions of SpyEye and its component parts on the Internet. Panin let buyers customize their purchases with tailor-made methods for obtaining victims' personal and financial information, and marketed versions that targeted specific financial institutions, including banks and credit card companies.
With Bendelladj's help, Panin advertised and promoted SpyEye online in exclusive, Russian-based, invitation-only criminal forums such as Darkode.com. Bendelladj's arrest in January 2013 ultimately led to the dismantling of Darkode.com in July 2015 through a coordinated law enforcement effort involving 20 countries.

Bendelladj himself sent over one million spam emails carrying strains of SpyEye and related malware to computers in the United States, yielding hundreds of thousands of infected machines. He used his unauthorized access to those computers to steal personal identifying information, credit card numbers and bank account numbers, causing millions of dollars in losses.

Bendelladj also developed and sold malicious botnet plugins designed to surreptitiously automate the theft of funds from victims' bank accounts and to spread malware, including SpyEye and Zeus. He also ran a website, VCC.sc, that automated the sale of stolen credit card data to cybercriminals around the world.

The arrests of Panin and Bendelladj took several of the world's top malware developers out of circulation. Foreign authorities also arrested four of Panin's SpyEye clients and associates in the United Kingdom and Bulgaria.

Panin's arrest also halted his plans to release a new strain of SpyEye, which would have been one of the most prolific and hardest-to-detect botnets distributed to date, and would have caused immeasurable losses to the international banking industry and to individuals around the world.