- [Narrator] Imagine your passion for transhumanism is the operational security mistake that gets you 10 years in prison. That's the story for the mastermind of SpyEye malware, Aleksandr Panin, who was arrested in 2016 along with his primary facilitator, Hamza Bendelladj. Both were arrested for the development, facilitation, and deployment of SpyEye, which was a malware family that started to be seen emanating out of Russia in 2009. The malware was a program that ran on numerous browsers and operating systems, allowing hackers to steal money from online bank accounts and initiate transactions even while valid users were logged in to the bank account. The losses numbered into the hundreds of millions and occurred over many years. The takedown of the SpyEye malware developers and facilitators was a landmark investigation that set the precedent for future international cyber criminal cases. This is the story of the attribution and sentencing of the developers of SpyEye malware. This is the first episode of Know Your Adversary.
- [Mark] The folks we're gonna talk about specifically today, Aleksandr Panin and Hamza Bendelladj, were what we would call kind of the, you know, the head of the snake, if you will.
- [Narrator] This is Mark Ray, the special agent in charge for this investigation, based out of the Atlanta field office. He worked tirelessly on this case for over six years. Mark's primary task was to attribute and eventually take down the threat actors behind SpyEye, who we now know as Aleksandr Panin and Hamza Bendelladj.
- [Mark] Aleksandr Panin was the primary developer and businessman, if you will, behind SpyEye, and Hamza Bendelladj was also, you know, a pretty significant member of that development team, but also a user himself. And when I say user, you know, unlike Aleksandr Panin, he was actually operating a very active SpyEye botnet campaign. You know, the mid 2000s, right?
Everything was coming off the heels of the carding world, and carding was still a huge thing back then, malware stealing credit card information being sold online. It was botnets. So SpyEye quickly rose to the top in the 2010 timeframe as a big competitor to Zeus.
- [Narrator] For background, Zeus is a Trojan horse malware package that runs on versions of Microsoft Windows. While it can be used to carry out many malicious criminal tasks, it is often used to steal banking information by man-in-the-browser keystroke logging and form grabbing. It's also used to install CryptoLocker ransomware. Zeus is spread mainly through drive-by downloads and phishing schemes. Zeus is often known as the competitor to SpyEye and was first identified in July of 2007.
- [Mark] So like any investigation, we said, look, we could go and chase all these little incidents of fraud or malware or losses, you know, one by one, the whack-a-mole approach, but it just didn't feel like we were gonna get anywhere in the investigation. So we chose to try to cut the head off the snake behind these botnets, specifically SpyEye in this case. It was being advertised, like a lot of malware those days, on a lot of the dark web forums that we know and love. And that's when an individual by the name of Gribodemon rose to the top. So like any good malware developer at the time, he had pretty good marketing on those websites, even got pretty fancy in terms of describing his competitive advantage over Zeus. So a very good businessman, as well as a technical developer. Hamza Bendelladj, on the other hand, was pretty noisy in the world of malware at the time, not just specific to SpyEye. He was a very well-known entity on Darkode. And again, just, you know, in that timeframe, Darkode was one of the premier criminal forums out there for everything. So he was there. He was already a well-known entity in this world. And around the same time that Gribodemon appeared on the forums,
so too BX1, promoting SpyEye, talking about SpyEye and offering his services and his connections with Gribodemon.
- [Narrator] So from the beginning of Mark's investigation, they were able to find that BX1 and Gribodemon were both working together to distribute SpyEye malware. But they did not have the identities of these individuals, as they were both intentionally masking their whereabouts and trying to evade investigators.
- [Mark] As you can imagine, you know, these individuals, they're trying to mask their identity. You know, they do a pretty good job. Their OPSEC at the time was decent for the time, if you will. But the key is that their past could not escape them. So in Panin's case, he was, as we said, he was known as Gribodemon. Not only that, he used a ton of throwaway Gmail accounts and other various email accounts for registering domains. Everything, all the stuff you would do if you think of running a, you know, a botnet, right, or botnet service.
- [Narrator] So often the first mistake of a lot of hackers, because they reuse a lot of these emails for numerous types of fraudulent domains to use in their callback infrastructure, or better known as command and control.
- [Mark] You know, as you'd expect, a lot of legal process served on those accounts to try to get the registration information, getting the details behind it, trying to read all of those email accounts. So, you know, with Panin, he was very good. All of them were backstopped really well. Now, the IP addresses came back to garbage proxies. There was nothing we were gonna get from there. There was no real name information at all, but at some point, at some point, you know, they do slip up.
- [Narrator] Attribution is often a tricky game that leads down numerous rabbit holes that come up empty. However, commodity malware developers also have return on investment concerns and often make mistakes along the way in order to be efficient.
Being unable to keep the streams separate is exactly what would point investigators towards who is responsible and would eventually lead to their downfall. But while they were waiting for them to slip up, they were also working their way up the ladder.
- [Mark] I used the narcotics analogy many, many times in this case because it really was like the Pablo Escobars. You start with a guy in the street and roll them up. We're talking about just Panin and Bendelladj today, but there was a whole other team behind it, people that were designing the logos for them, people that were designing web injects. Again, it was very commoditized out there. The very first, you know, individual we pinched for this was here in the US. I'll leave his name out of it because, you know, he ultimately was underage, didn't get arrested. So we started out with this kid in Wisconsin, search warrant, 6:00 AM, you know, on a cold December morning at his house. He was in the food chain, if you will, and definitely involved in communicating with Panin and others in the SpyEye community. Started with him. And it led to others, obviously debriefing, interviewing those people. You just start there and you make your way up. Led to a couple of other developers, all leading, you know, ultimately to the head of the snake. So we had little breadcrumbs that led us to a possible name of Aleksandr Panin as Gribodemon, but we just didn't have that solid link that, at least from a US legal perspective or even an international perspective for extradition, was a really, really solid connection.
- [Narrator] Now that they had identified a potential suspect, they needed to gather information to confirm their suspicions. They dug into his personal life: where he was born, where he went to university, the places he's lived, but nothing seemed to jump out. Then something caught their attention.
- [Mark] One of the things that he really was into was something called transhumanism.
This is kind of the belief of being able to control the body or the mind through technology. So in one of the accounts that I mentioned, the throwaway Gmail accounts, we had found a reference to the transhumanism society of Russia or something like that. He had obviously registered on that site and maybe didn't want to give his real personal information. So it gave away one of his throwaway accounts that he happened to use in his criminal activity. And so he had just slipped up one little bit there.
- [Narrator] I can't tell you the thrill of the hunt when a cybersecurity analyst pores over logs and data and email addresses and selectors for months, all for a slip-up in one of his throwaway Gmail address registrations.
- [Mark] You can't make this stuff up. You know, the point is that you don't get that lucky.
- [Narrator] So they still didn't have enough evidence to make an arrest, but now they have the intelligence of likely who is behind SpyEye. It's time to get to work.
- [Mark] So it was, it was an uphill battle. So to get over that hump, if you will, to find that evidence that we really, really needed to make it unequivocal, we needed something more. We had the link to transhumanism, but then what we had was a series of, I guess I'll call them clickware or other, you know, kind of grayish areas in terms of criminal versus just click fraud stuff that Aleksandr was into many years ago, prior to his SpyEye life. It's just software that he had developed for various reasons. And he had put them out there. And again, one of the domains he had registered came up in these Gmail accounts, and it was also linked to his real name. So once we had those two things, that was the solid connection we needed. Hamza made it a little easier for us. And as I mentioned to you, you know, he's known as the happy hacker, but he was very, very boisterous. And you will see, if you will, from a cyber criminal perspective, right?
Not real good with his OPSEC, but not because he was sloppy or, or unsmart, but because he was pretty bold. So we quickly had that name Hamza Bendelladj and quickly had the nickname BX1, which he was known for in the SpyEye community. So it was just really kind of putting the pieces together, you know, looking for other things. A lot of it came through those search warrants that I mentioned for email accounts. Like a lot of these criminals, they have throwaway accounts; his were pretty well known, and even some in his real name. So it was really just kind of like putting it in order in a logical way that we could explain it to a court or to a jury to say, look, this nickname BX1, because of all of these factors, he is Hamza Bendelladj and he is responsible for these things related to SpyEye.
- [Narrator] So due to limited resources for such a massive investigation, the FBI turned to the private sector for help.
- [Mark] This is where the power of the private sector really came in to help, right? Cyber is the one violation that is really kind of, you know, something that both the private and public sector are out there trying to fight right now, right? Counter-terrorism, counter-intelligence, you know, drugs, there's not a big private sector, like a group of threat researchers, like there are in cybersecurity, out there doing a lot of the same stuff that law enforcement is doing. The private sector was just absolutely pivotal in this case for providing intelligence.
- [Narrator] It makes sense to use the private sector's help for research and malware reverse engineering, as they will have more collection than the federal government oftentimes. But many people think you need a subpoena for seized command and control servers. And all of that is sometimes the case. There are many times that is not the case, especially for private servers outside the United States.
What's to stop anybody from working with a partner to go gather a collection of private servers outside of the United States simply by calling and asking the private server that you're doing a cybersecurity investigation? We've seen that all the time. And as a side note, if any company truly wants context for attribution around the who, why and how behind an actor, whether it's cyber crime information or disinformation, having a partner who can gain legal access to command and control servers is often a treasure trove of great intelligence. And that was clearly the case here that ultimately led to the subpoena. Now back to how they were able to arrest Panin and Bendelladj.
- [Mark] We couldn't use some of that information. That again, it was open source. So we had to kind of recreate it ourselves, but we did, trying to get our hands on some of those command and control servers, serving the search warrant. And within Bendelladj's case, I think we got a little fortunate that he had a lot of infrastructure all over the world. Some of it here in the US and specifically some of it in the Atlanta, Georgia area, which was the, you know, the area of our responsibility and where we had established venue for this case. So by seizing several of his command and control servers, one of them was based here in Georgia and, you know, had all the evidence to show that there was a botnet running on that server that we had seized and that it was tied to BX1. And that BX1 was tied to Hamza Bendelladj. So that was the start of it. And then once we had everything we needed in terms of charging him with wire fraud, with conspiracy to commit wire fraud, with computer intrusion, then it was the waiting game, you know, waiting him out, trying to get our hands on him as he moved around the world.
- [Narrator] At this point in the investigation, they know who they need to arrest. However, they didn't live in the continental United States, and international law must be followed.
- [Mark] Back then,
they were moving around a lot. All of our information that we had indicated that Panin was in Russia and did not travel a lot, but we were ready to wait it out. You know, we had everything we needed. We had the charging documents, we had the indictments, we had the arrest warrants, and the crazy, crazy part about all this is you don't know where they're gonna travel. And when they travel, if you are lucky enough to find out that they do travel, where the heck are they going? And hey, does the US government have good relations with that country? Will their law enforcement help us? Will their judicial system help us out? Panin, we got lucky and obtained information that he was traveling to the Dominican Republic. This guy had not left Russia almost his whole life. And basically we were ready. So great, Dominican Republic, holy crap. What do we do? Who do we know? What are our relationships? Do we even have an extradition treaty with them? So all these things come into play, and not to sound too James Bond-ish, but, you know, something that I really can't get into in terms of how we were able to get him from the Dominican Republic, but let's just say that his flight happened to connect through Atlanta, Georgia on his way back to Russia. And he is here to face his charges and serving his jail sentence. Bendelladj, he moved around a lot and also had some pretty lavish places that he lived in around the world. But at one point, traveling from Malaysia back to Algeria, he was on, I believe, an EgyptAir flight which actually made a stop, not a connection, but made a stop in Bangkok, Thailand. So we arrested him on January 5th of 2013, when that flight landed in Bangkok. And about six months later he was extradited here to the US.
- [Narrator] Remember that server that Mark Ray discussed that was used as a command and control server for Panin and Bendelladj's activity in Georgia?
Not only did that provide the technical means to attribute and provide the context behind their attacks, but it was also used to establish venue for prosecuting the case. This is incredibly important right now because sophisticated actors are not going to come out of a command and control server in Eastern Europe. Enterprise security defenses are going to flag and alert on that kind of activity. As we saw with the SolarWinds intrusions, much of the initial C2s were geographically located near the offices of the victims. This will certainly establish venue for future prosecutions against not only cyber crime, but also nation state espionage and computer network exploitation. So to recap, Panin was caught and arrested in the Dominican Republic and his flight was diverted to the United States, while Hamza Bendelladj was arrested and jailed upon landing in Bangkok for months before he was extradited to the United States.
- [Willis] After he was arrested was kind of where I came in, sort of on the tail end.
- [Narrator] This is Willis MacDonald.
- [Willis] At least with Panin, one of the things that really kind of drove it home with him was that he had communications from the beginning, along with all of the source code revisions from the beginning, really, of SpyEye.
- [Narrator] Willis was a former forensics expert with the FBI and a current teammate at Nisos. He was tasked with analyzing Panin's devices after they were confiscated in Atlanta, after his arrest.
- [Willis] We were actually able to, from his devices, pull out that he had credentials to all of his aliases online, as well as chat records from his computer of him actually using those aliases in order to market, in order to communicate with, in one case, BX1 and develop those features, and use all of those aliases online, just to show that he was in fact the developer and he was actively involved. And intent was really important.
So through some of his chat records, through some of his private communications, we were able to show that he knew exactly what this was being used for and how it was going to be used, and that others were using this, you know, for personal gain through criminal acts, with some of those comms where he was actually marketing the tool as malware. That was one of the things that kind of drove it home, was that he did actually know what this was being used for and what his intent was behind developing some of the features for the tool.
- [Narrator] Panin's chats showed communications between him and Bendelladj and revealed their relationships to each other, and the role that was played by Bendelladj.
- [Willis] From the evidence that we were able to gather through Panin, it actually shows the comms between the two, and that really drove home that case as well, being able to show that he was involved, he knew what was going on. He was more of a, I would say, I guess the marketer or the mastermind behind growing this, really. Panin was more of the developer and knew what was being done. But I would say BX1 was really the driving force behind getting the software out there and using it.
- [Mark] Like a lot of criminals in the US, they just get caught up in the US justice system. They saw the evidence that was in front of them and it was overwhelming. And so a plea deal was made, you know, he did plead guilty. He had a lawyer just like Panin, and they both had lawyers here, but they understood the evidence was overwhelming. They chose not to go to trial, but their lawyers had worked out a plea agreement with the prosecutors. And really the only thing that it came down to in terms of court hearings was the sentencing.
- [Narrator] Let's talk sentencing and losses on this case. This is Kamal Ghali.
- [Kamal] I basically joined the team after the takedown of both Panin and Bendelladj.
- [Narrator] Kamal was one of the assistant United States attorneys toward the end of the case when it came time to sentence Bendelladj. He's now in private practice, working trade secret theft with Bondurant Mixson & Elmore. He was instrumental in working with the FBI and the courts to determine the appropriate sentencing for Bendelladj.
- [Kamal] So by that time, Mr. Panin had already pled guilty, but Hamza Bendelladj was set on going to trial. Basically one day, Steve Greenberg, who was the cyber supervisor at the time, walked in and said, congratulations, you've got to get ready for one of the first cyber trials in the country. A lot of my work ended up being the preparation for trial, in the lead-up to what we thought was going to be a pretty lengthy jury trial that would have required showing everything that Hamza Bendelladj had done, but it ended up evolving into a very complicated four-day sentencing hearing.
- [Mark] There was a long discussion over the losses, right? How much of the world's victims that were out there from SpyEye are these two individuals responsible for causing damage to? You know, we haven't even quantified that, right? Those were some of the challenges, quantifying the losses, right? Is it all about the dollars that were actually stolen out of the bank account? Is it the dollars at risk? Is it the, you know, the amount of damage that they caused to someone's identity getting stolen? It was, we were in uncharted territory, if you will, in terms of how sentencing for crimes like this should occur.
- [Kamal] We had to take everything that the investigative team had uncovered, and basically package it into something that a jury can understand.
- [Narrator] The results: Panin's actions were easier to quantify. He's the author of SpyEye, and there was hard evidence of that, which means the sentencing was easy to define.
There were an estimated 50 million computers all over the world infected with this malware, and the charges brought against him reflected that, as he was sentenced to nine years. For Bendelladj, things were a little trickier. His lawyer argued that since there was no financial harm done, a lesser sentence should be given. But harm was done, and the part that was tricky was defining what the harm was, proving how much loss had occurred, and figuring out how much of the loss Bendelladj is actually responsible for.
- [Willis] There were essentially three ways that we were able to demonstrate loss. One was just trying to demonstrate, hey, this was the amount of financial loss in terms of actual money that was stolen. The best avenue we had to show that, in terms of Bendelladj in particular, was the data on his computer. The second is essentially cost of repair. We introduced evidence from the Financial Services Information Sharing and Analysis Center. So just estimated, like, look, every time you've got to strip malware out of a computer, that's at least $75 to $300. So you could do kind of a rough analysis and, you know, multiply the number of infections times number of repairs, but again, it was challenging to try and identify how many infections Bendelladj was specifically responsible for. There was some evidence from threat researchers that identified 59 strains of malware that had the words BX1 embedded in the binary, which was Hamza Bendelladj's nickname. And at least those particular strains, it looked like the configuration files had it worked so that it was designed to target 253 different financial institutions. So there's ways to at least show what he was trying to do when you're seeing instances of SpyEye in the wild. But again, in terms of pinning him to a specific number of infections, that might've required a lot of guesswork.
So the quickest and easiest path that we had to showing the amount of harm that he caused involved stolen access devices, which is essentially the sentencing guidelines' fancy word for credit card numbers. And on the computers that Bendelladj had with him, a review of what was on there showed that there were 200,000 credit card numbers. And that was sort of at the first go that it was 200,000, and it almost was like every time the investigative team, in the run-up to sentencing, did a second pass at the computer, another hundred thousand credit card numbers would fall out. So in the run-up to sentencing, even when you controlled for duplicates and other factors to try and make sure, hey, is this 200,000 unique people, there ended up being several hundred thousand. So a lot of trying to approximate the loss got at least cleaner from being able to rely on stolen access devices, or stolen credit card data, that was on Bendelladj's computer in particular. The judge actually did something just sort of conservative and kind of back-of-the-envelope math to deal with some of that and said, look, even if you conservatively say SpyEye cost about $700 million in harm around the world, and you divide it by 150, if Bendelladj is one of 150 SpyEye users, you get 5 million in loss there. So her approach at the end ended up being, look, we can easily get to over 65 million. In the end the judge sentenced Bendelladj to 180 months in prison and said, I think that you're responsible for over $65 million in losses. And she said that that was being conservative. And that was based on just a fraction of SpyEye financial losses. It was based on the amount of credit card theft that was on his computer. She said, looking at everything, I don't really see mitigating factors here. This was frenetic behavior. It was constant. There were victims around the world.
- [Narrator] Kamal mentioned earlier about this being one of the first international cyber crime investigations
at such a massive scale, which forged new investigative and legal methods.
- [Kamal] So in terms of a precedent, in terms of it affecting and dictating what another court would do, you know, I think it just helps sort of create a background on what are the types of sentences that individuals can expect. And so to have this kind of sentence, I think, contributed to deterrence overall, in terms of making it clear this kind of conduct translates into this amount of prison time.
- [Willis] It's kind of a landmark ruling from the judge, where Bendelladj received 14 years and Panin had received a little under 10 years. So combined, the 24 years together. And a message was sent by the US government, in my opinion, with those sentences, not just, hey, the book says here that for your crimes and the amount of loss you caused, it's, you know, it's 14 years and 10 years for each of you, but it's like the damage you caused globally, setting a precedent of like, hey, if you're responsible for these crimes to US citizens and others abroad, there's a price to be paid. And the US government will come after you. Yeah. Tirelessly and, and bring you to justice.
- [Narrator] We do what we do to protect the world from the threats of cyber criminals. It's important to identify those people who are responsible for cyber attacks and end the threat. While Bendelladj had caused more damage, it wouldn't have been possible without the tools developed by Gribodemon. Revealing him as Aleksandr Panin was crucial to taking down SpyEye, getting justice for his actions and preventing any harm that he could have been responsible for in the future.
- [Willis] He was a smart guy and he was top of his game for a little bit there. I think it's a good thing that they picked him up when they did, because he was on the path of being top level and could have caused a lot more damage if he had continued down that path, just because he was that intelligent to continue to develop better and better tools.
- [Narrator] Thank you for listening to Know Your Adversary. Every other week we will bring you a new cyber crime attribution investigation that is representative of the work of Nisos operators past, present, and future. If you have any good stories to pitch, please reach out, as no two investigations are the same, and it is simultaneously fascinating how digital clues come together to bring context to crimes that victimize enterprises. For more information please visit www.nisos.com. Thank you for listening.