Irish research key to bringing down SpyEye creator

Cork-based experts help FBI track major online fraudster

Robert McArdle of Trend Micro in Cork: “[The FBI] had a case in place already but it was the intelligence we provided that helped get it over the line.” photograph: daragh mcsweeney/provision

“It’s similar to how you dismantle drug operations,” says Trend Micro’s Robert McArdle. “It’s best to start from the top.”

The Cork-based senior threat researcher is trying to explain just how he and his colleagues helped the FBI, as well as a number of international police forces, track down one of the most wanted online criminals in the world, Aleksandr Panin.

Creator of the SpyEye banking malware programme which has helped siphon tens of millions of euro from accounts since 2009, Panin pleaded guilty to a number of fraud charges in an Atlanta federal courtroom two weeks ago.


After several years of undercover operations, infiltration of underground marketplaces and tracking online trails across continents, Panin and a key ally, Hamza Bendelladj, both now face 30 years in prison.


"The level of SpyEye was huge," McArdle tells The Irish Times , noting it was the actions of Bendelladj under an online alias of 'BX1' which first came up on his radar.

“When we got some leads into it we said ‘okay let’s find out who is in charge of this case’ – which turned out to the FBI in Atlanta – and then we started actively working back and forth with them,” he says.

“They had a case in place already but it was the intelligence we provided that helped get it over the line.”

Dr Ray Genoe of the UCD Centre for Cybersecurity and Cybercrime Investigation told The Irish Times : "It's great to see Irish fingerprints all over the case," adding the "open-source intelligence" provided by companies such as Trend Micro is now key to fighting cybercrime.

Panin – or ‘Gribodemon’ to give him his online identity – developed software to automate the theft of confidential personal and financial information, including user names, passwords, credit card details and online banking credentials in 2009. He then began selling it through invite-only criminal forums for anything between $1,000 and $8,500 a time.

Since then, 150 ‘clients’ of Panin have infected 1.4 million computers with variants of SpyEye, with reports from the financial services industry claiming that more than 10,000 bank accounts were compromised by SpyEye in 2013 alone.

For McArdle and the various law enforcement agencies involved, as well as other companies on board with the investigation such as Microsoft’s Digital Crimes Unit and Dell SecureWorks, the path to finding Panin lay in tracking what was becoming a growing IT infrastructure.

“The more [infrastructure] these guys have the more likely they’ll slip up somewhere,” McArdle explains. “They could have lots of different servers in lots of different countries and one of them is in a place where it’s easier to get a wiretap to see what data is going back and forth.”

Indeed, in February 2011, with the help of McArdle and others, the FBI seized control of a key server involved in the operation, coincidentally based in Atlanta.

This opened a door for undercover FBI officers to communicate with the hitherto mysterious 'Gribodemon' directly, eventually purchasing a version of SpyEye. As a result, in December of that year a Georgia grand jury returned a 23-count indictment against 'Gribodemon' and the now identified Bendelladj, though both remained at large.

In January last year Algerian-born Bendelladj was apprehended in Bangkok while on route back home from Malaysia. Panin then decided it was time he had a holiday, leaving his Russian base for the Dominican Republic where he was arrested last July.

“A lot of [cybercriminals] live in regions where it’s unlikely you’ll get extradition, but at the same time they’re making lots of money, want to enjoy it and go to nice places. That’s where they often mess up,” says McArdle.

"It's actually amazing how many criminals make mistakes and leave clues lying around the place online as well," says respected UK-based independent security analyst, Graham Cluley. It's a point with which Uri Rivner, vice-president for cyber strategy with Israeli analytical security company, BioCatch agrees.

'High-stake game'

“SpyEye involved resellers,” he says, “and once you’re that level of malware manufacturer you start giving support, you start working with others, you basically begin exposing yourself and if you’re not careful you will make some mistakes. It’s becoming a high-stake game for the elite malicious code writers.”

The arrest of Panin has been heralded by law officials, with FBI executive assistant director Rick McFeely telling online criminals “the next person you peddle your malware to could be an FBI undercover employee”.

Though, as Cluley says, “the majority of cyber criminals aren’t going to be caught as the internet makes it easy to cover your tracks”.

Take the example of ‘Soldier’, a cybercriminal who first brought SpyEye to world attention in 2011 when a six-month attack he or she carried out earned them nearly €2.4 million. “That investigation,” McArdle adds, “is still ongoing”.