A Ukrainian national has pleaded guilty leading two prolific malware schemes and is facing up to 40 years imprisonment.
The US Department of Justice (DoJ) said that Vyacheslav Igorevich Penchukov was behind the Zeus and IcedID malware campaigns, which led to tens of millions of dollars in losses across thousands of organizations.
The University of Vermont Medical Center was a victim of one of Penchukov’s campaigns in 2020. The ransomware attack meant the center was unable to provide many critical patient services for over two weeks and resulted in losses of over $30m.
Penchukov was arrested in Geneva, Switzerland, in October 2022 after nearly a decade on the FBI’s Cyber Most Wanted List. He was extradited to the US in 2023.
How the Malware Campaigns Worked
The Zeus malware campaign began in May 2009, led by Penchukov and his co-conspirators, and quickly became the weapon of choice for criminals targeting financial institutions and their online customers.
The group would install the malware on victims’ computers, enabling them to capture bank account information, passwords, personal identification numbers and other information necessary to log into online banking accounts.
Penchukov and his associates then falsely told banks that they were employees of the victim and authorized to transfer funds from their bank accounts. This resulted in banks making unauthorized transfers of funds from these accounts.
Numerous “money mules” were used by the group to receive wired funds from victims’ bank accounts into their own bank accounts. These mules would then withdraw and wire funds overseas to accounts controlled by Penchukov’s co-conspirators.
Two members of the Zeus group plead guilty to their role in the campaign in November 2014, receiving a sentence of two years and 10 months of incarceration.
After being added to the FBIs Cyber Most Wanted List, Penchukov launched a new cybercriminal campaign using the IcedID malware, which started from at least November 2018.
IcedID enabled Penchukov and co-conspirators to collect and transmit personal information from victims, including credentials for banking accounts.
This malware also provided access to infected computers for other forms of malicious software, including ransomware, of which the University of Vermont Medical Center was a victim.
Zeus and IcedID malware have been used by various cybercrime groups, infecting victims via a range of techniques, including phishing emails.
Tough Sentences for Cybercriminals
Acting Assistant Attorney General Nicole M. Argentieri of the Justice Department’s Criminal Division, commented: “Vyacheslav Igorevich Penchukov was a leader of two prolific malware groups that infected thousands of computers with malicious software. These criminal groups stole millions of dollars from their victims and even attacked a major hospital with ransomware, leaving it unable to provide critical care to patients for over two weeks.”
Argentieri added: “Today’s guilty pleas should serve as a clear warning: the Justice Department will never stop in its pursuit of cybercriminals.”
Penchukov will be sentenced on May 9, 2024, and faces a maximum penalty of 20 years in prison for each count.
The US has recently imposed hefty penalties for prosecuted cybercriminals. In January 2024, the DoJ announced that 19 individuals involved in managing and using the late xDedic cybercrime marketplace were handed lengthy prison sentences.
In September 2023, a Russian businessman was sentenced to nine years in prison for an elaborate corporate hacking scheme that defrauded American businesses to the tune of approximately $93m.