Guests:

  • Mark Ray, former FBI Special Agent
  • Kamal Ghali, former Assistant US Attorney and current partner at Bondurant, Mixon & Elmore
  • Willis McDonald, former FBI Forensics Expert and current Technical Principal at Nisos®

The Attribution, Arrest, and Sentencing of Spyeye Malware Developers Alexander Panin and Hamza Bendellaj


In this episode of Know Your Adversary™, we discuss one of the most famous cyber criminal cases of the 21st century, the attribution and takedown of Spyeye malware developer Alexander Panin and his primary facilitator Hamza Bendallaj.

Spyeye was commodity malware that was sold on dark web marketplaces beginning in 2009. The malware was a program that ran on numerous browsers and operating systems allowing hackers to steal money from online bank accounts and initiate transactions, even while valid users were logged into the bank account. Over seven years, the losses to consumers and enterprises exceeded $500 million worldwide. The investigation and takedown of Panin and Bendallaj culminated in 2016 when they were sentenced to a combined 24 years and 6 months in prison.

Here are some of the key takeaways from the episode:

The real and fake lives of personas used by cyber criminals online often intersect. Just like an enterprise, cyber criminals consider their return on investment when engaging in malicious activity. Just like Alexander Panin and Hamza Bendellaj did when they were establishing their complex web of bots and proxy servers, current criminals want to monetize crime as quickly as possible. They want to scale their activities so they can replicate activities between numerous victims and maximize their profits. When they do this, they often make operational, security mistakes. Identifying these mistakes are key to remediation. Check out this case study >>

Criminals and Nation States purchase malicious command and control servers near their victim’s locations to reduce malicious signature. Attackers will not typically link their activity directly to their destination command and control servers in Russia or Eastern Europe. Typically, they establish C2 nodes near server farms, virtual physical locations, or individual machines physically located near their victims. In this case, Bendallaj and Panin used servers in Atlanta. Gaining access to the local infrastructure can provide critical information about the commands and signatures the attackers used in their attacks.

Tune in to hear our experts share their perspectives on this landmark case.

Adversary Research
Discovering the methods, motives and identity of threat actors to disrupt attacks 
Reputation Defense
Technical guidance for countering disinformation and slanderous attacks 
Trust & Safety
Intelligence to secure business operations and defend against fraud, abuse and e-crime 
TPRM Exposure
Adversary-centric intelligence to address supplier, M&A and investment risks 
Outside Intel
Research for defending outside the firewall that leverages tier 3 intelligence programs 
Executive Shield
Assessment of threats to key personnel with attribution and PII takedown  
Adversary Insights℠ Retainer
Annual retainers for client-driven inquiries and rapid-response research 
Intelligence Team as a Service
Collaborative engagement providing robust intelligence and tier 3 cyber analysts  
Event-Driven Intel Investigations
Multidimensional security fact-finding that delivers insights into adversary behavior 
On Demand Threat Research
Proactive and preventative investigations that reveal threat actor context and risk correlations 
Investment Zero Touch Diligence℠
Project-based discovery to assess risk for investments, IPO, Mergers and Acquisitions 
TPRM Zero Touch Diligence℠
Subscription assessment of external network hygiene, key personnel, and non-traditional business risks