Page 44 - Cyber Warnings
SpyEye Sentencing


Malware Author and Co-conspirator Receive Hefty Sentences in SpyEye
Cybercrime Case


On Wednesday, April 20, 2016, a federal judge handed down stiff sentences for Aleksandr
Panin ("Gribodemon" or "Harderman"), author of the infamous SpyEye banking trojan, and his
co-conspirator, Hamza Bendelladj ("bx1"). Because both co-defendants pled guilty, there was
no actual trial. What followed instead was described by seasoned attorneys on both sides as
the "weirdest" sentencing hearing they had ever witnessed.


The SpyEye Conspiracy

Panin developed SpyEye and began offering the kit for sale on underground cybercrime forums
in 2010, marketing it with the tagline "ZeuS Killer". Bendelladj was not only one of Panin's two
main customers but also his partner: he developed plugins for SpyEye, including the
"spreader" plugin and the "ATS" (automated transfer system) plugin, which helped bring SpyEye
up to feature parity with ZeuS. Both men were prosecuted as conspirators in the same
cybercrime case.

Bendelladj, a citizen of Algeria, was arrested in early February 2013 by authorities in Thailand
working in conjunction with the FBI. He was nabbed at the airport in Bangkok as he traveled
from his home in Malaysia to vacation in Egypt.

Panin was arrested on July 1, 2013, as he flew through Atlanta's Hartsfield-Jackson airport on
his way back to Russia from a vacation in the Dominican Republic. The third individual in the
main SpyEye triad, James Bayliss ("Jam3s" or "Jam3s2k"), a British citizen, was arrested in
May 2014 and is being prosecuted by UK authorities.


"Weird" Sentencing Hearing

Both Panin and Bendelladj pleaded guilty in US federal court. Panin entered into a plea deal which,
although it drastically limited his options to appeal, also capped the losses for which he would
be held responsible and which determined his sentence. Bendelladj, however, pleaded guilty
without the benefit of a plea deal, and could still appeal his sentence.

Initially, the sentencing hearing was delayed because of a change in venue from New York to
Atlanta, Georgia. The discovery of a command-and-control (C2) server in Atlanta, which was
operated by Bendelladj, and the discovery of several victims in Georgia gave the Northern
District of Georgia jurisdiction in the case.


44 Cyber Warnings E-Magazine – May 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
