SpyEye: Aleksandr Andreevich Panin Pleads Guilty to Developing and Distributing Notorious Malware

In summer last year, Moscow voiced outrage over the arrest of a Russian national in the Dominican Republic and his swift transfer to a US jail without Russia’s consent or knowledge and deemed Aleksander Panin’s extradition “unacceptable." Panins friend Anton Pilyugin, who was traveling with him at the time of his arrest stated: “We don’t even know what he has been accused of.  We have no clue about what to expect,”. Now, Pilyugin has closure: Aleksandr Panin, also known as “Gribodemon” and “Harderman”, pleaded Guilty to developing and distributing the infamous SpyEye Malware.

Mean, mean Boy: Aleksandr Panin

Therewith Panin acknowledged before United States District Judge Amy Totenberg, on January 28th, 2014, to conspiracy to commit wire and bank fraud for his role as the primary developer and distributor of the malicious software known as “SpyEye,” which, according to industry estimates, has infected more than 1.4 million computers in the United States and abroad.

Sally Quillian Yates

United States Attorney Sally Quillian Yates said: “As several recent and widely reported data breaches have shown, cyber attacks pose a critical threat to our nation’s economic security,” and “Today’s plea is a great leap forward in our campaign against those attacks. Panin was the architect of a pernicious malware known as SpyEye that infected computers worldwide. He commercialized the wholesale theft of financial and personal information. And now he is being held to account for his actions. Cyber criminals be forewarned - you cannot hide in the shadows of the Internet. We will find you and bring you to justice.” (I tend to say: You can run, but you cannot hide)

Mythili Raman

“Given the recent revelations of massive thefts of financial information from large retail stores across the country, Americans do not need to be reminded how devastating it is when cyber criminals surreptitiously install malicious code on computer networks and then siphon away private information from unsuspecting consumers,” said Acting Assistant Attorney General Mythili Raman.“Today, thanks to the tireless work of prosecutors and law enforcement agents, Aleksandr Panin has admitted to his orchestration of this criminal scheme to use SpyEye to invade the privacy of Americans by infecting their computers through a dangerous botnet. As this prosecution shows, cyber criminals - even when they sit on the other side of the world and attempt to hide behind online aliases - are never outside the reach of U.S. law enforcement.”

According to United States Attorney Yates, SpyEye is a sophisticated malicious computer code that is designed to automate the theft of confidential personal and financial information, such as online banking credentials, credit card information, usernames, passwords, PINs, and other personally identifying information. The SpyEye Malware facilitates this theft of information by secretly infecting the victims’ computer, enabling cyber criminals to remotely control the infected computer through command and control (C2C) servers. Once a computer is infected and under control, cyber criminals can remotely access the infected computers, without authorization, and steal victims’ personal and financial information through a variety of techniques, including malicious injections, keystroke logging, and credit card grabbing. The victims’ stolen personal and financial data is then stealthily transmitted to the C2C server, where it is used to steal money from the victims’ financial accounts.

Not Panins eye...

Panin was the primary developer and distributor of SpyEye. Operating out of Russia, from 2009 to 2011, Panin cooperated with other Cybercriminals, including co-defendant Hamza Bendelladj, an Algerian national also known as “Bx1,” to develop, market, and sell various versions of the SpyEye Trojan. Panin allowed cyber criminals to customize their purchases to include tailor-made methods of obtaining victims’ personal and financial information, as well as marketed versions that targeted information about specific financial institutions including banks and credit card companies. Panin advertised the SpyEye virus on online, invite-only criminal forums. He sold those versions for prices ranging from 1.000 to 8.500 USD. Panin is believed to have sold the Malware packet to at least 150 “clients” who, in turn, used them to set up their own C2C servers. One of Panin’s clients, “Soldier” is reported to have made over 3.2 million Dollars in a six-month period.

As on the pictures you can see, Hamza Bendelladj seems to enjoy the attention he received after his arrest in Thailand

SpyEye was the most dominant Malware toolkit used from approximately 2009 to 2011. Based on information received from the financial services industry, more than 10.000 bank accounts have been compromised by SpyEye infections in 2013 alone. Some cyber criminals continue to use SpyEye today, although its effectiveness has been limited since Anti-Virus Vendors makers have added SpyEye to their AV-programs.

In February 2011, compatible to a federal search warrant, the FBI searched and seized a SpyEye C2C server allegedly operated by Bendelladj in the Northern District of Georgia, that controlled more than 200 computers infected with SpyEye and contained information from numerous financial institutions.

In June and July 2011, the FBI covert sources communicated directly with Panin, who was using his online nicknames Gribodemon and Harderman, about the SpyEye virus. FBI sources then purchased a version of SpyEye from Panin that contained features designed to steal confidential financial information, initiate fraudulent online banking transactions, install keystroke loggers, and initiate distributed denial of service (DDoS) attacks from computers infected with the SpyEye malware.

On December 20, 2011, a Northern District of Georgia grand jury returned a 23-count indictment against Panin, who had yet to be fully identified, and Bendelladj.

The indictment charged one count of conspiracy to commit wire and bank fraud, 10 counts of wire fraud, one count of conspiracy to commit computer fraud, and 11 counts of computer fraud. A overruled indictment was subsequently returned, after identifying Panin by his true name.

Bendelladj was apprehended at Suvarnabhumi Airport in Bangkok, Thailand, on January 5th, 2013, while he was in transit from Malaysia to Algeria. "The smiling Hacker" was extradited from Thailand to the United States on May 2nd, 2013. His charges are currently pendin. 

The investigation also has led to the arrests by international authorities of four of Panin’s SpyEye clients and associates in the United Kingdom and Bulgaria.

Sentencing for Panin is scheduled for April 29th, 2014.