By Emma Winer – Edited by Sheri Pan
On April 11, 2014, the Department of Justice (“DOJ”) released a previously sealed indictment against nine alleged conspirators in an international malware scheme that stole millions of dollars from online bank accounts. First Superseding Indictment at 6, United States v. Penchukov, No. 11-03074 (D. Neb. Aug. 22, 2012). The indictment alleged that the conspirators infected thousands of business computers with the “Zeus” malware, which captured passwords, bank account numbers, and other information required to log into online banking systems. Two of the defendants, Yuriy Konovalenko and Yevhen Kulibaba, were arraigned in Nebraska federal court on Friday, after being extradited from the United Kingdom.
According to the DOJ announcement, the grand jury charged the defendants with conspiracy to participate in racketeering activity, conspiracy to commit computer fraud and identity theft, aggravated identity theft, and multiple counts of bank fraud. In addition to the two defendants in custody, the indictment named four defendants who are still at large and three defendants that have only been identified by their usernames. Id. at 1. All nine individuals were identified by the online nicknames that they used while participating in the alleged cybercrime scheme. Id. at 1–2.
The malware, which is referred to as both “Zeus” and “Zbot,” operated in infected computers to obtain personal information, such as bank account numbers and passwords. Id. at 6. The defendants allegedly used this information to gain unlawful access to the online bank accounts of victims and improperly transfer funds through the Automated Clearing House network, or similar wire systems, to so-called “money mules,” third parties who aided the defendants. Id. at 7. Upon receiving the stolen funds, the mules withdrew some of the money and transferred the rest to conspirators overseas. Id. The FBI arrested 90 of these purported “mules” in October of 2010.
According to the now unsealed complaint, the defendants each played distinct roles in the conspiracy. Complaint at 5–7, United States v. Penchukov, No. 11-03074 (D. Neb. July 13, 2012). Konovalenko allegedly sent the necessary banking credentials of the money mules and victims to Kulibaba, who operated the money laundering network in the United Kingdom. Id. at 4. The alleged coders, systems administrator and financial manager remain at large. Id. at 4–5.
The indictment was filed in Nebraska, where overt acts took place against banks such as the First National Bank of Omaha. First Superseding Indictment at 9. However, Konovalenko and Kulibaba, who are both of Ukrainian origin, ran their cyber-operations from the United Kingdom. Complaint at 3–5. British authorities assisted in the investigation and extradition, with the aid of Ukrainian and Dutch law enforcement agencies, Reuters reports.
In a speech on the arraignment of Kulibaba and Konovalenko, the Acting Assistant Attorney General David O’Neil commented that the Zeus malware was “one of the most damaging pieces of financial malware that has ever been used.” Ars Technica has previously described Zeus as providing “do-it-yourself cybercriminals with the platform to configure, package, and manage botnets, then to dynamically reconfigure them once they’ve been deployed.” The news site also reports that the security company RSA estimated in 2010 that up to 88% of Fortune 500 companies may have been infected with versions of the Zeus botnets.
As PC Magazine notes, the unsealing of the indictment in U.S. v. Penchukov followed soon after the exposure of the “Heartbleed” bug, a vulnerability in the encryption systems of many Internet websites. The Wall Street Journal adds that the flaw in the popular OpenSSL encryption tools has threatened the security of vulnerable personal information transmitted through websites and has cast national attention on issues of cybersecurity.