US charges nine with distributing Zeus malware

Two defendants face arraignment in federal court Friday

The U.S. Department of Justice has brought charges against nine alleged members of a criminal organization that distributed the Zeus Trojan used to steal millions of dollars from bank accounts nationwide.

The DOJ's charges, unsealed Friday in U.S. District Court for the District of Nebraska, include conspiracy to participate in racketeering activity, conspiracy to commit computer fraud and identity theft, aggravated identity theft, and multiple counts of bank fraud.

Two defendants, Yuriy Konovalenko, 31, and Yevhen Kulibaba, 36, are scheduled to be arraigned Friday at the federal courthouse in Lincoln, Nebraska, the DOJ said in a press release. The two were recently extradited from the U.K. after a federal grand jury charged them in August 2012.

The Zeus Trojan infected thousands of business computers and captured passwords, account numbers and other information necessary to log into online banking accounts, the DOJ said.

"The Zeus malware is one of the most damaging pieces of financial malware that has ever been used," Acting Assistant Attorney General David O'Neil said in a statement. "As the charges unsealed today demonstrate, we are committed to making the Internet more secure and protecting the personal information and bank accounts of American consumers."

The defendants are charged with using Zues, or ZBot, to capture bank account numbers, passwords, personal identification numbers, RSA SecureID token codes and similar information necessary to log into online banking accounts. The defendants told banks that they were employees of the victims and authorized to make transfers of funds from the victims' bank accounts, according to the indictment.

Among the victims of the Zeus scheme were Bank of America, First National Bank of Omaha, Nebraska, the Franciscan Sisters of Chicago and Key Bank, according to the indictment.

The defendants allegedly used U.S. residents as money mules who received funds transferred from the victims' bank accounts into their own accounts, the DOJ said. The money mules then withdrew some of those funds and wired the money overseas to conspirator, the agency alleged.

Kulibaba allegedly operated the conspirators' money laundering network in the U.K. by helping money mules launder the money withdrawn from U.S. victim accounts, the DOJ said. Konovalenko allegedly provided money mules' and victims' banking credentials to Kulibaba and facilitated the collection of victims' data from other conspirators, the agency said.

Four identified defendants remain at large. They are:

-- Vyacheslav Igorevich Penchukov, 32, of Ukraine, who allegedly coordinated the exchange of stolen banking credentials and money mules;

-- Ivan Viktorvich Klepikov, 30, of Ukraine, the alleged systems administrator who handled the technical aspects of the criminal scheme;

-- Alexey Dmitrievich Bron, 26, of Ukraine, the alleged financial manager of the criminal operations who managed the transfer of money through an online money system known as Webmoney;

-- Alexey Tikonov, of Russia, an alleged coder or developer who assisted the criminal enterprise by developing new codes to compromise banking systems.

The indictment also charges three other unnamed people.

The Metropolitan Police Service in the U.K., the National Police of the Netherlands' National High Tech Crime Unit and the Security Service of Ukraine assisted with the DOJ's investigation.

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's email address is

Join the CSO newsletter!

Error: Please check your email address.

Tags David O'NeilYuriy KonovalenkoAlexey Dmitrievich BronIdentity fraud / theftFranciscan Sisters of ChicagomalwareU.S. District Court for the District of NebraskaAlexey TikonovVyacheslav Igorevich PenchukovBank of AmericasecurityYevhen KulibabaIvan Viktorvich KlepikovlegalKey BankspywareFirst National Bank of OmahacybercrimeU.S. Department of Justice

More about Department of JusticeDOJFirst NationalIDGRSA

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Grant Gross

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts