“In the criminal justice system, the people are represented by two separate yet equally important groups: the police who investigate crime and the district attorneys who prosecute the offenders. These are their stories.” – Introduction, Law & Order
This week in the United States, the Federal Bureau of Investigation (FBI) in Atlanta, Georgia announced that Aleksandr Andreevich Panin, a Russian national also known as “Gribodemon” and “Harderman” had pled guilty before a federal court to charges related to creating and distributing the SpyEye family of malware.
While news of convictions for cybercriminal activities aren’t frequent enough for us in this industry, they do occur regularly enough that people can sometimes tune out the news and fail to appreciate their importance. And there’s a real risk of failing to appreciate how important the SpyEye conviction is. This conviction represents a significant victory against cybercriminals on multiple levels. First, it takes off the streets and holds accountable not just a foot solider in this criminal enterprise, but essentially its creator and CEO. Second, it strikes a blow against a malware family that had been highly successful since its introduction in 2009 (so much so that it essentially merged with and absorbed its chief rival ZeuS in October/November 2010). Finally, it showcases how when the public/private partnership comes together most successfully, justice can be swift and decisive.
Today’s malware and crime toolkits today bear as much similarity to the old image of one or two people toiling in their basement as the Microsoft of Windows 8 does to the Microsoft of Windows 3.1. The same growth and maturity that has come to legitimate software development over the years can be found in malware and crime toolkit development as well. Today’s malware threats aren’t just a boot sector virus that can ruin your day: they’re sophisticated, multilayered solutions that require sophisticated planning and development. And they’re increasingly responsive to customer needs. Add-ons, feature requests and even support are regular offerings these days. In this context, SpyEye was one of the most professional and sophisticated offerings on the black market. Since its introduction in 2009, SpyEye was one of the most professional and successful malware families. It offered regular version updates and even betas. With that in mind we can get a better feel for the role the FBI says Panin played in this operation: “Panin was the primary developer and distributor of the SpyEye virus.” In other words, Panin wasn’t a lone malcontent in his basement writing viruses, he was the founder and CEO of SpyEye, Inc.
And SpyEye, Inc. was a very successful endeavor for Panin and the clients who bought his offerings. Some numbers from the FBI’s statement give context. According to them, Panin sold versions of SpyEye for between US$1,000 and US$8,500. He is believed to have sold SpyEye to at least 150 “clients,” which would net him anywhere between US$150,000 and US$1,275,000. And many of these clients did very well for themselves. For instance “Solider,” one of Panin’s clients, is reported to have made more than $3.2 million in a six-month period using SpyEye (Trend Micro also assisted in that case: you can learn more about that operation here and how “Solider’s” operation worked here.). While it’s hard to ever know how successful Panin and his clients were, more than 1/4 million computers were estimated to be infected by SpyEye and more than 10,000 bank accounts compromised in 2013 alone. A further sign of the success of SpyEye (and helped boost its success even further) came in October 2010 when the maker of rival ZeuS, arguably as successful as SpyEye, decided to retire and go underground and handed his wares over to Panin. SpyEye, Inc. merged with and absorbed ZeuS, Inc. It would be similar to Steve Jobs deciding to retire and giving Apple over to Bill Gates and Microsoft.
With that context, you can see how Panin is no small fish; he’s one of the biggest fish out there. Arresting him on July 1, 2013 alone is a huge win: it took him off the streets and has effectively decapitated SpyEye, Inc. But we’re not just talking about an arrest here; we’re talking about a conviction.
Fans of the TV Show Law & Order are familiar with how the show’s premise is on the importance of cooperation between the police, who secure arrests (the “order” part) and the district attorneys, who secure convictions (the “law” part). The arrest is only the end of the first chapter: the conviction ends the story. In that vein the FBI’s announcement this week that Panin has pled guilty means the Law & Order story of Panin and SpyEye, Inc. has come to its conclusion. And it’s important to look at the fact that this is a plea and not a trial and comes a mere six months after the arrest to appreciate how this story demonstrates the success that’s possible with successful broad public/private partnerships.
One thing you learn from watching Law & Order is that the chances of conviction are directly related to the strength of the footwork and investigation leading up to the arrest. In the case of SpyEye, the FBI and Trend Micro as well as others have been working together and separately on the case since SpyEye first emerged in 2009. The SpyEye case is an example of a complex case that spans multiple countries, jurisdictions and involves many public and private players. Bringing them all together like this is an incredible feat. And in the SpyEye case in particular, being able to bring everything together to secure an arrest on US soil and not need to deal with extradition was even more advantageous.
It’s worth noting that Panin chose to plead guilty rather than take the case to trial. We can’t know for sure the reasons he chose this. But it is a reasonable supposition that he and his attorneys saw the strength of the US Government’s case and felt it too strong to reasonably fight. The strength of their case is strongly grounded in the strength of the investigation and the evidence gathered by the FBI and their partners like Trend Micro.
To further appreciate how swift justice has been in SpyEye, it helps to compare another major arrest (which Trend Micro was also involved with): Esthost or DNSChanger. In that case, seven people were arrested and charged on November 9, 2011. As of this writing four of the seven have been extradited to the US to face trial. A little over six months from arrest to conviction for SpyEye, 50 months since arrest and still counting for Esthost.
Taken all together, SpyEye stands as a high water mark for what’s possible in combating cybercrime and holding those responsible accountable. Here’s hoping that this is a sign of things to come in cases like this.