Russian man pleads guilty in SpyEye malware case

Panin was the primary developer of the banking fraud malware, the DOJ says

Russian Aleksandr Andreevich Panin has pleaded guilty to conspiracy to commit wire and bank fraud for his role as primary developer and distributor of the SpyEye bank fraud Trojan, the U.S. Department of Justice said Tuesday.

Panin, known as Gribodemon and Harderman, was primary developer of SpyEye, a sophisticated, malicious computer Trojan designed to automate the theft of confidential personal and financial information, including online banking credentials, credit card information, user names and passwords, the DOJ said in a press release. The virus has infected an estimated 1.4 million computers worldwide since 2009.

The SpyEye code secretly infects victims' computers, enabling cybercriminals to remotely control the infected computers through command and control, or C2, servers. After a computer is infected and under their control, cybercriminals can remotely access the infected computers, without authorization, and steal victims' personal and financial information through a variety of techniques, including keystroke loggers, and credit card grabbers, the DOJ said. The victims' stolen personal and financial data is then transmitted to the C2 servers, where it is used to steal money from the victims' financial accounts.

Panin was the primary developer and distributor of the SpyEye malware package, the DOJ said. Operating from Russia from 2009 to 2011, he conspired with others, including codefendant Hamza Bendelladj, an Algerian national also known as Bx1, to develop, market and sell various versions of the SpyEye virus and component parts on the Internet, the agency alleged.

Panin allowed cybercriminals to customize their purchases to include tailor-made methods of obtaining victims' personal and financial information, and he marketed versions that specifically targeted designated financial institutions, the DOJ said. Panin advertised the SpyEye virus on online, invitation-only criminal forums. He sold versions of SpyEye for US$1,000 to $8,500.

Investigators believe he sold SpyEye to at least 150 clients, who, in turn, used them to set up their own C2 servers. One of Panin's clients, nicknamed Soldier, is believed to have made more than $3.2 million in a six-month period using SpyEye.

"Given the recent revelations of massive thefts of financial information from large retail stores across the country, Americans do not need to be reminded how devastating it is when cybercriminals surreptitiously install malicious codes on computer networks and then siphon away private information from unsuspecting consumers," Acting Assistant U.S. Attorney General Mythili Raman said in a statement.  "As this prosecution shows, cyber criminals -- even when they sit on the other side of the world and attempt to hide behind online aliases -- are never outside the reach of U.S. law enforcement."

SpyEye was the preeminent malware toolkit used from approximately 2009 to 2011, but it continues to infect computers today, the DOJ said.

In February 2011, using a federal search warrant, the U.S. Federal Bureau of Investigation searched and seized a SpyEye C2 server allegedly operated by Bendelladj in the U.S. state of Georgia, the DOJ said. The server controlled over 200 computers infected with the SpyEye virus and contained information from numerous financial institutions.

In June and July 2011, FBI covert sources communicated directly with Panin about SpyEye, the DOJ said. FBI sources then purchased a version of SpyEye from Panin that contained features designed to steal confidential financial information, initiate fraudulent online banking transactions, install keystroke loggers and initiate distributed denial of service attacks from computers infected with the malware.

On Dec. 20, 2011, a grand jury in U.S. District Court for the Northern District of Georgia returned a 23-count indictment against Panin, who had yet to be fully identified, and Bendelladj. The indictment charged one count of conspiracy to commit wire and bank fraud, 10 counts of wire fraud, one count of conspiracy to commit computer fraud, and 11 counts of computer fraud. A superseding indictment was subsequently returned identifying Panin by his name.

Bendelladj was apprehended at Suvarnabhumi Airport in Bangkok, Thailand, on Jan. 5, 2013, while he was in transit from Malaysia to Algeria. Bendelladj was extradited from Thailand to the U.S. last May. His charges are currently pending in the Northern District of Georgia.

Panin was arrested by U.S. authorities on July 1, 2013, when he arrived on a flight at Hartsfield-Jackson Atlanta International Airport. Reports at the time said he was taken into custody in the Dominican Republic and flown to Atlanta from there. Russian authorities were reported to have been outraged by the maneuver. The investigation also has led to the arrest of four of Panin's SpyEye clients and associates in the U.K. and Bulgaria.

On Jan. 28, Panin pleaded guilty to conspiring to commit wire and bank fraud. Sentencing is scheduled for April 29.

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's email address is

Join the CSO newsletter!

Error: Please check your email address.

Tags U.S. Federal Bureau of InvestigationAleksandr Andreevich PaninU.S. Department of JusticeMythili RamansecuritylegalmalwarecybercrimeHamza Bendelladj

More about C2Department of JusticeDOJFBIFederal Bureau of InvestigationIDG

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Grant Gross

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place