Original URL: http://www.theregister.co.uk/2013/05/09/spyeye_suspect_extradited/

Alleged SpyEye big fish hauled in for US trial

Suspected banking botmaster extradited from Thailand

By John Leyden

Posted in Security, 9th May 2013 15:29 GMT

Alleged SpyEye kingpin Hamza Bendelladj now faces a 23-count computer hacking and fraud indictment following his extradition from Thailand to the US last week.

Bendelladj, a 24-year-old Algerian national, is suspected by the FBI of making millions from selling the SpyEye banking Trojan toolkit to cybercrooks through various underground online marketplaces and carding forums.

SpyEye is a customisable Trojan with varying components that is widely used to steal bank account login information from compromised PCs. The malware ranks alongside ZeuS as the two worst pathogens of their kind. The developers of SpyEye and Zeus started out as rivals, but since April 2011 evidence in the malicious code itself as well as posts on underground cybercrime forums suggest the two groups are collaborating.

Often cybercrime arrests net phishing mules, low-level crooks who are paid to run bank accounts designed to receive looted funds from compromised accounts. The Feds allege that Bendelladj operated much higher up the food chain.

Bendelladj (alleged to operate under the handle Bx1) faces 11 counts of computer fraud, 10 counts of wire fraud and two conspiracy charges. US investigators alleged that between 2009 to 2011, Bendelladj and unnamed cohorts "developed, marketed and sold various versions of the SpyEye virus and component parts on the internet and allowed cybercriminals to customise their purchases to include tailor-made methods of obtaining victims’ personal and financial information."

Bendelladj is also alleged to have operated Command and Control (C&C) servers linked to the banking botnet. One of the files on a SpyEye C&C server hosted in Georgia contained information from approximately 253 unique financial institutions, the FBI said.

If convicted on all counts, Bendelladj faces a theoretical maximum of up to 30 years in prison for conspiracy to commit wire and bank fraud along with fines of up to $14m.

It's not clear how much any leader of SpyEye would have made from its nefarious activities or how far the FBI have got in tracking down ill-gotten loot connected to sales of the Trojan and botnet herding.

Court papers contain allegations that Bendelladj's main role in the scam was two-fold: advertising sales of SpyEye licences on underground forums and running botnets of compromised hosts.

Bendelladj was apprehended at Suvarnabhumi Airport in Bangkok, Thailand, while he was in transit from Malaysia to Egypt back in January. In a DoJ statement on Bendelladj's extradition, FBI officials and prosecutors were both keen to ram home the message that they were keen to haul alleged cybercrooks in for trial wherever they operated from or travelled to across the world.

The indictment charges Bendelladj and his co-conspirators with operating servers designed to control the personal computers of unsuspecting individuals and aggressively marketing their virus to other international cybercriminals intent on stealing sensitive information," said acting assistant attorney General Raman. "The extradition of Bendelladj to face charges in the United States demonstrates our steadfast determination to bring cybercriminals to justice, no matter where they operate.

FBI Special Agent in Charge Mark Giuliano added: “The FBI has expanded its international partnerships to allow for such extraditions of criminals who know no borders.”

Additional security-related comment on the extradition can be found in a post by Lisa Vaas on Sophos' Naked Security blog here. ®