- Mark Ray, former FBI Special Agent
- Kamal Ghali, former Assistant US Attorney and current partner at Bondurant, Mixon & Elmore
- Willis McDonald, former FBI Forensics Expert and current Technical Principal at Nisos®
The Attribution, Arrest, and Sentencing of Spyeye Malware Developers Alexander Panin and Hamza Bendelladj
In this episode of Know Your Adversary™, we discuss one of the most famous cyber criminal cases of the 21st century: the attribution and takedown of Spyeye malware developer Alexander Panin and his primary facilitator, Hamza Bendelladj.
Spyeye was commodity malware sold on dark web marketplaces beginning in 2009. It ran on numerous browsers and operating systems and allowed attackers to steal money from online bank accounts and initiate fraudulent transactions, even while the legitimate account holders were logged in. Over seven years, losses to consumers and enterprises exceeded $500 million worldwide. The investigation and takedown of Panin and Bendelladj culminated in 2016, when they were sentenced to a combined 24 years and 6 months in prison.
Here are some of the key takeaways from the episode:
The real and fake lives of the personas cyber criminals use online often intersect. Just like an enterprise, cyber criminals weigh their return on investment when engaging in malicious activity. Just as Alexander Panin and Hamza Bendelladj did when building their complex web of bots and proxy servers, today's criminals want to monetize crime as quickly as possible. They scale their operations so they can replicate the same activity across numerous victims and maximize their profits. When they do this, they often make operational security mistakes, and identifying those mistakes is key to remediation.
Criminals and nation states purchase command and control servers near their victims' locations to reduce their detectable footprint. Attackers will not typically link their activity directly to their ultimate command and control servers in Russia or Eastern Europe. Instead, they establish intermediate C2 nodes in server farms, virtual hosting environments, or individual machines physically located near their victims. In this case, Bendelladj and Panin used servers in Atlanta. Gaining access to that local infrastructure can provide critical information about the commands and signatures the attackers used in their attacks.
Tune in to hear our experts share their perspectives on this landmark case.