Coder Behind Notorious Bank-Hacking Tool Pleads Guilty

Aleksandr Andreevich Panin. Image: Interpol

A Russian hacker who developed the widely used SpyEye banking trojan pleaded guilty today to creating the malicious toolkit, one of the most popular hacking tools of the past two years.

Aleksandr Andreevich Panin, known online as “Gribodemon” and “Harderman,” pleaded guilty in Atlanta to conspiracy to commit wire and bank fraud, charges stemming from his role as the primary developer and distributor of a sophisticated toolkit that allowed thieves to steal millions of dollars from victims.

Interpol agents arrested the 24-year-old in the Dominican Republic in June, then handed him over to U.S. authorities. Documents related to the case remained sealed until today's plea hearing in the Northern District of Georgia.

SpyEye was among the most popular malware toolkits from 2009 until 2011 and is believed to have infected more than 1.4 million computers in the United States and elsewhere. The software allowed hackers to steal banking credentials, credit card data and other information, which thieves used to siphon money from the victims' banking accounts and make fraudulent charges to their credit cards.

Panin created and polished the program and customized it for more than 150 customers, charging $1,000 to $8,000 a copy. The program could be configured to grab financial information from customers of specific banks, using web injects to alter or replace the bank's web page in the victim's browser and trick victims into entering their account credentials. Some versions also shipped with a keystroke logger or data stealer to grab additional data.

Although antivirus and other security tools have been able to detect SpyEye for a couple of years, it remains an effective tool and authorities believe it compromised at least 10,000 bank accounts in 2013 alone.

Authorities did not say how much Panin earned from the sale of SpyEye or from using the toolkit himself, but a Russian cybergang led by someone known as "Soldier" used SpyEye to steal more than $3.2 million during a six-month period in 2011.

Hamza Bendelladj, a 24-year-old Algerian accomplice of Panin's, was taken into U.S. custody last year for allegedly operating a botnet of machines infected with SpyEye. U.S. authorities had been tracking him for three years before arresting him in January 2013 at the Bangkok airport, en route to Algeria from Malaysia. Thai authorities dubbed him the “happy hacker” because he smiled during a press conference discussing his arrest. Bendelladj, authorities say, helped refine SpyEye and worked with Panin to market it to bank thieves. The malware communicated with command-and-control servers, one of which was controlled by Bendelladj and located in the state of Georgia.

It's not clear when the investigation began, but in February 2011 the FBI obtained a search warrant to seize and examine the server in Georgia; it controlled more than 200 computers infected with SpyEye. About four months later, FBI "covert sources" contacted Panin to purchase a copy of the malware.

Panin's transfer to the U.S. has stirred controversy in Russia. He had been listed on Interpol's "red list" for internet banking scams involving the theft of $5 million. But the Russian Foreign Ministry says Russian officials were not contacted before Panin was whisked off to the U.S. His mother told Russia Today that her son was visiting a friend in the Dominican Republic and claimed that he was arrested while headed home, detained for just 24 hours and then quickly sent to the U.S.

“They first told him that he was detained just to get his papers checked," she told Russia Today. "Local authorities promised to send him back to Russia on the next flight. But the plane took him to the US, a country he’s never even been to.”

The U.S. does not have an extradition agreement with Russia, so hackers and others wanted on cybercrime charges are generally nabbed by authorities in countries that do have extradition agreements with the United States, or arrested as they pass through such a country.