SpyEye creator pleads guilty

Aleksandr Andreevich Panin, a Russian national also known as “Gribodemon” and “Harderman,” has pleaded guilty to conspiracy to commit wire and bank fraud for his role as the primary developer and distributor of the SpyEye banking Trojan.

Operating from Russia from 2009 to 2011, Panin conspired with others, including codefendant Hamza Bendelladj, an Algerian national also known as “Bx1,” to develop, market and sell various versions of the SpyEye virus and component parts on the Internet.

Panin allowed cyber criminals to customize their purchases to include tailor-made methods of obtaining victims’ personal and financial information, as well as marketed versions that specifically targeted designated financial institutions. He advertised the SpyEye virus on online, invitation-only criminal forums, and sold versions of the SpyEye virus for prices ranging from $1,000 to $8,500.

He is believed to have sold the SpyEye virus to at least 150 “clients,” who, in turn, used them to set up their own command and control (C&C) servers. One of his clients, “Soldier,” is reported to have made more than $3.2 million in a six-month period using the SpyEye virus.

In February 2011 the FBI searched and seized a SpyEye (C&C) server allegedly operated by Bendelladj in the Northern District of Georgia. That server controlled over 200 computers infected with the SpyEye virus and contained information from numerous financial institutions.

In June and July 2011, FBI covert sources communicated directly with Panin, who was using his online nicknames “Gribodemon” and “Harderman,” about the SpyEye virus. FBI sources then purchased a version of SpyEye from Panin that contained features designed to steal confidential financial information, initiate fraudulent online banking transactions, install keystroke loggers, and initiate distributed denial of service attacks from computers infected with the malware.

Bendelladj was apprehended at Suvarnabhumi Airport in Bangkok, Thailand, on Jan. 5, 2013 and was extradited from Thailand to the United States on May 2, 2013. His charges are currently pending in the Northern District of Georgia.

Panin was arrested by U.S. authorities on July 1, 2013, when he flew through Hartsfield-Jackson Atlanta International Airport.

The investigation also has led to the arrest of four of Panin’s SpyEye clients and associates in the United Kingdom and Bulgaria.

On Jan. 28, 2014, Panin pleaded guilty to conspiring to commit wire and bank fraud. Sentencing for Panin is scheduled for April 29, 2014.

According to industry estimates, the SpyEye virus has infected more than 1.4 million computers in the United States and abroad, and it was the preeminent malware toolkit used from approximately 2009 to 2011. Based on information received from the financial services industry, over 10,000 bank accounts have been compromised by SpyEye infections since 2013 alone. Some cyber criminals continue to use SpyEye today, although its effectiveness has been limited since software makers have added SpyEye to malicious software removal programs.