Top Zeus Botnet Suspect “Tank” Arrested in Geneva – Krebs on Security

November 16, 2022
in Cyber Security
Vyacheslav “Tank” Penchukov, the accused 40-year-old Ukrainian leader of a prolific cybercriminal group that stole tens of millions of dollars from small to mid-sized businesses in the United States and Europe, has been arrested in Switzerland, according to multiple sources.

Wanted Ukrainian cybercrime suspect Vyacheslav “Tank” Penchukov (right) was arrested in Geneva, Switzerland. Tank was the day-to-day manager of a cybercriminal group that stole tens of millions of dollars from small to mid-sized businesses.

Penchukov was named in a 2014 indictment by the U.S. Department of Justice as a top figure in the JabberZeus Crew, a small but potent cybercriminal collective from Ukraine and Russia that attacked victim companies with a powerful, custom-made version of the Zeus banking trojan.

The U.S. Federal Bureau of Investigation (FBI) declined to comment for this story. But according to multiple sources, Penchukov was arrested in Geneva, Switzerland roughly three weeks ago as he was traveling to meet up with his wife there.

Penchukov is from Donetsk, a traditionally Russia-leaning region in Eastern Ukraine that was recently annexed by Russia. In his hometown, Penchukov was a well-known deejay (“DJ Slava Rich”) who enjoyed being seen riding around in his high-end BMWs and Porsches. More recently, Penchukov has been investing quite a bit in local businesses.

The JabberZeus crew’s name is derived from the malware they used, which was configured to send them a Jabber instant message each time a new victim entered a one-time password code into a phishing page mimicking their bank. The JabberZeus gang targeted mostly small to mid-sized businesses, and they were an early pioneer of so-called “man-in-the-browser” attacks, malware that can silently siphon any data that victims submit via a web-based form.

Once inside a victim company’s bank accounts, the crooks would modify the firm’s payroll to add dozens of “money mules,” people recruited through work-at-home schemes to handle bank transfers. The mules in turn would forward any stolen payroll deposits — minus their commissions — via wire transfer overseas.
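The payroll-manipulation cashout described above leaves signals a finance team or bank can check before a batch is released. As an added example that is not from the original article, the check below runs over constructed payroll data and flags the two signs the article describes: many payees never paid in previous batches, and a batch total several times the organization's normal weekly payroll. The thresholds and the sample batches are assumptions.

```python
from statistics import median

# Constructed sample data (not from the article): four prior weekly batches
# and one new batch submitted for release. Each batch is {payee_id: amount}.
PRIOR_BATCHES = [
    {"emp01": 2100.0, "emp02": 1850.0, "emp03": 2400.0, "emp04": 1975.0},
    {"emp01": 2100.0, "emp02": 1850.0, "emp03": 2400.0, "emp04": 1975.0},
    {"emp01": 2100.0, "emp02": 1850.0, "emp03": 2450.0, "emp04": 1975.0},
    {"emp01": 2100.0, "emp02": 1850.0, "emp03": 2400.0, "emp05": 2050.0},
]

# Legitimate week: one new hire, total close to the usual payroll.
NORMAL_BATCH = {"emp01": 2100.0, "emp02": 1850.0, "emp03": 2400.0,
                "emp05": 2050.0, "emp06": 1900.0}

# Fraudulent week: the regular staff plus a dozen never-seen payees, each
# receiving a mule-sized payment, pushing the total to several times normal.
MULE_BATCH = dict(NORMAL_BATCH)
MULE_BATCH.update({f"mule{i:02d}": 4800.0 for i in range(12)})


def review_payroll_batch(batch, prior_batches, max_new_payees=3, total_multiplier=2.0):
    """Return a list of reasons to hold the batch for manual review (empty = release).

    Thresholds are illustrative assumptions; a real deployment would tune them
    to the organization's head count and hiring rate.
    """
    known = set().union(*prior_batches)            # every payee seen in prior batches
    new_payees = sorted(p for p in batch if p not in known)
    baseline = median(sum(b.values()) for b in prior_batches)
    total = sum(batch.values())
    reasons = []
    if len(new_payees) > max_new_payees:
        reasons.append(f"{len(new_payees)} payees never paid before: {new_payees[:5]}...")
    if total > total_multiplier * baseline:
        reasons.append(f"batch total {total:,.2f} is {total / baseline:.1f}x "
                       f"the median prior total {baseline:,.2f}")
    return reasons


if __name__ == "__main__":
    for name, batch in (("normal", NORMAL_BATCH), ("suspect", MULE_BATCH)):
        holds = review_payroll_batch(batch, PRIOR_BATCHES)
        print(name, "->", "RELEASE" if not holds else "HOLD: " + "; ".join(holds))
```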

Tank, a.k.a. “DJ Slava Rich,” seen here performing as a DJ in Ukraine in an undated photo from social media.

The JabberZeus malware was custom-made for the crime group by the alleged author of the Zeus trojan — Evgeniy Mikhailovich Bogachev, a top Russian cybercriminal with a $3 million bounty on his head from the FBI. Bogachev is accused of running the Gameover Zeus botnet, a huge crime machine of 500,000 to 1 million infected PCs that was used for large DDoS attacks and for spreading Cryptolocker — a peer-to-peer ransomware threat that was years ahead of its time.

Investigators knew Bogachev and JabberZeus were linked because for many years they were reading the private Jabber chats between and among members of the JabberZeus crew, and Bogachev’s monitored aliases were in semi-regular contact with the group about updates to the malware.

Gary Warner, director of research in computer forensics at the University of Alabama at Birmingham, noted in his blog from 2014 that Tank told co-conspirators in a JabberZeus chat on July 22, 2009 that his daughter, Miloslava, had been born and gave her birth weight.

“A search of Ukrainian birth records only showed one girl named Miloslava with that birth weight born on that day,” Warner wrote. This was enough to positively identify Tank as Penchukov, Warner said.

Ultimately, Penchukov’s political connections helped him evade prosecution by Ukrainian cybercrime investigators for many years. The late son of former Ukrainian President Victor Yanukovych (Victor Yanukovych Jr.) would serve as godfather to Tank’s daughter Miloslava. Through his connections to the Yanukovych family, Tank was able to establish contact with key insiders in top tiers of the Ukrainian government, including law enforcement.

Sources briefed on the investigation into Penchukov said that in 2010 — at a time when the Security Service of Ukraine (SBU) was preparing to serve search warrants on Tank and his crew — Tank received a tip that the SBU was coming to raid his home. That warning gave Tank ample time to destroy important evidence against the group, and to avoid being home when the raids occurred. Those sources also said Tank used his contacts to have the investigation into his crew moved to a different unit that was headed by his corrupt SBU contact.

Writing for Technology Review, Patrick Howell O’Neil recounted how SBU agents in 2010 were trailing Tank around the city, watching closely as he moved between nightclubs and his apartment.

“In early October, the Ukrainian surveillance team said they’d lost him,” he wrote. “The Americans were unhappy, and a bit surprised. But they were also resigned to what they saw as the realities of working in Ukraine. The country had a notorious corruption problem. The running joke was that it was easy to find the SBU’s anticorruption unit—just look for the parking lot full of BMWs.”

AUTHOR’S NOTE/BACKGROUND

I first encountered Tank and the JabberZeus crew roughly 14 years ago as a reporter for The Washington Post, after a trusted source confided that he’d secretly gained access to the group’s private Jabber conversations.

From reading those discussions daily, it became clear Tank was nominally in charge of the Ukrainian crew, and that he spent much of his time overseeing the activities of the money mule recruiters — which were an integral part of their victim cashout scheme.

It was soon discovered that the phony corporate websites the money mule recruiters used to manage new hires had a security weakness that allowed anyone who signed up on the portal to view messages for every other user. A scraping tool was built to harvest those money mule recruitment messages, and at the height of the JabberZeus gang’s activity in 2010 that scraper was monitoring messages on close to a dozen different money mule recruitment sites, each managing hundreds of “employees.”

Each mule was given busy work or menial tasks for a few days or perhaps weeks prior to being asked to handle money transfers. I believe this was an effort to weed out unreliable money mules. After all, those who showed up late for work tended to cost the crooks a lot of money, because the victim’s bank would usually try to reverse any transfers that hadn’t already been withdrawn by the mules.

When it came time to transfer stolen funds, the recruiters would send a message through the fake company website saying something like: “Good morning [mule name here]. Our client — XYZ Corp. — is sending you some money today. Please visit your bank now and withdraw this payment in cash, and then wire the funds in equal payments — minus your commission — to these three individuals in Eastern Europe.”

Only, in every case the company mentioned as the “client” was in fact a small business whose payroll accounts they’d already hacked into.

So, each day for several years my morning routine went as follows: Make a pot of coffee; shuffle over to the computer and view the messages Tank and his co-conspirators had sent to their money mules over the previous 12-24 hours; look up the victim company names in Google; pick up the phone to warn each that they were in the process of being robbed by the Russian Cyber Mob.

My spiel on all of these calls was roughly the same: “You probably don’t know who I am, but here’s all my contact info and what I do. Your payroll accounts have been hacked, and you’re about to lose a great deal of money. You should contact your bank immediately and have them put a hold on any pending transfers before it’s too late. Feel free to call me back afterwards if you want more information about how I know all this, but for now please just call or visit your bank.”

In many instances, my call would come in just minutes or hours before an unauthorized payroll batch was processed by the victim company’s bank, and some of those notifications prevented what otherwise would have been enormous losses — often several times the amount of the organization’s normal weekly payroll. At some point I stopped counting how many tens of thousands of dollars those calls saved victims, but over several years it was probably in the millions.

Just as often, the victim company would suspect that I was somehow involved in the theft, and soon after alerting them I would receive a call from an FBI agent or from a police officer in the victim’s hometown. Those were always interesting conversations.

Collectively, those notifications to victims led to dozens of stories over several years about small businesses battling their financial institutions to recover their losses. I never wrote about a single victim that wasn’t okay with my calling attention to their plight and to the sophistication of the threat facing other companies.

This incessant meddling on my part very much annoyed Tank, who on more than one occasion expressed mystification as to how I knew so much about their operations and victims. Here’s a snippet from one of their Jabber chats in 2009, after I’d written a story for The Washington Post about their efforts to steal $415,000 from the coffers of Bullitt County, Kentucky. In the chat below, “lucky12345” is the Zeus author Bogachev:

tank: Are you there?
tank: This is what they damn wrote about me.
tank: http://voices.washingtonpost.com/securityfix/2009/07/an_odyssey_of_fraud_part_ii.html#extra
tank: I’ll take a quick look at history
tank: Originator: BULLITT COUNTY FISCAL Company: Bullitt County Fiscal Court
tank: Well, you got [it] from that cash-in.
lucky12345: From 200K?
tank: Well, they aren’t the highest amounts and the cash out from that account was shitty.
tank: Levak was written there.
tank: Because now the entire USA knows about Zeus.
tank: 😀
lucky12345: It’s fucked.

On Dec. 13, 2009, one of Tank’s top money mule recruiters — a crook who used the pseudonym “Jim Rogers” — told his boss something I hadn’t shared beyond a few trusted confidants at that point: That The Washington Post had eliminated my job in the process of merging the newspaper’s Web site (where I worked at the time) with the dead tree edition.

jim_rogers: There’s a rumor that our favorite (Brian) didn’t get his contract extension at Washington Post. We’re giddily awaiting confirmation 🙂 Good news expected exactly by the New Year! Besides us nobody reads his column 🙂

tank: Mr. Fucking Brian Fucking Kerbs!

Another member of the JabberZeus crew — Ukrainian-born Maksim “Aqua” Yakubets — is also currently wanted by the FBI, which is offering a $5 million reward for information leading to his arrest and conviction.

Alleged “Evil Corp” bigwig Maksim “Aqua” Yakubets. Image: FBI
