Zeus and the FBI’s Most Wanted IcedID Malware Mastermind Plead Guilty

February 18, 2024 | Pressroom | Malware/Cybercrime


A Ukrainian citizen has pleaded guilty in the United States for his role in two different malware schemes, Zeus and IcedID, between May 2009 and February 2021.

Vyacheslav Igorevich Penchukov (aka Vyacheslav Igoravich Andreev, "father" and "tank"), 37, was arrested by Swiss authorities in October 2022 and extradited to the United States last year. In 2012 he was added to the FBI's most wanted list.

The US Department of Justice (DoJ) described Penchukov as the "leader of two prolific malware groups" that infected thousands of computers with malware, resulting in ransomware attacks and the theft of millions of dollars.

These included the Zeus banking trojan, which facilitated the theft of bank account information, passwords, personal identification numbers and other details needed to access online bank accounts.

Penchukov and his co-conspirators, as part of a “wide-ranging racketeering enterprise” dubbed the Jabber Zeus gang, then masqueraded as employees of the victims to initiate unauthorized fund transfers.


They also used individuals residing in the United States and other parts of the world as "money mules" to receive the transferred funds, which were ultimately funneled to foreign accounts controlled by Penchukov and his associates. A successor to Zeus was dismantled in 2014.

The defendant has also been accused of facilitating malicious activity by helping to conduct attacks involving the IcedID (also known as BokBot) malware since at least November 2018. The malware is capable of acting as an information stealer and a loader for other payloads, like ransomware.

As investigative journalist Brian Krebs reported in 2022, he managed to evade prosecution by Ukrainian cybercrime investigators for many years due to his political ties to former Ukrainian President Viktor Yanukovych.

Following his arrest and extradition, Penchukov pleaded guilty to one count of conspiracy to commit a Racketeer Influenced and Corrupt Organizations (RICO) Act offense for his leadership role in the Jabber Zeus group. He also pleaded guilty to one count of conspiracy to commit wire fraud for his leadership role in the IcedID malware group.

Penchukov is scheduled to be sentenced on May 9, 2024, and faces a maximum sentence of 20 years in prison on each count.

The development comes as the DoJ announced the extradition of a 28-year-old Ukrainian citizen from the Netherlands in connection with fraud, money laundering and aggravated identity theft for allegedly operating and advertising an information stealer known as Raccoon.

Mark Sokolovsky, arrested by Dutch authorities in March 2022, rented Raccoon to other cybercriminals in a malware-as-a-service (MaaS) model for $200 per month. It first became available in April 2019.


“These individuals used various ploys, such as email phishing, to install the malware on the computers of unsuspecting victims,” the DoJ said.

"Raccoon Infostealer then stole personal data from the victims' computers, including login credentials, financial information, and other personal data. The stolen information was used to commit financial crimes or sold to others on cybercrime forums."

The malware has collected at least 50 million unique credentials and forms of identification, according to estimates from the US Federal Bureau of Investigation (FBI).

Sokolovsky's arrest was accompanied by a coordinated takedown of Raccoon's digital infrastructure, but a new version of the stealer, called RecordBreaker, has since emerged.

He was charged with one count of conspiracy to commit fraud and related activity in connection with computers, one count of conspiracy to commit wire fraud, one count of conspiracy to commit money laundering and one count of aggravated identity theft.
