A Ukrainian national has pleaded guilty in the U.S. to his role in two different malware schemes, Zeus and IcedID, between May 2009 and February 2021.
Vyacheslav Igorevich Penchukov (aka Vyacheslav Igoravich Andreev, father, and tank), 37, was arrested by Swiss authorities in October 2022 and extradited to the U.S. last year. He was added to the FBI’s most-wanted list in 2012.
The U.S. Department of Justice (DoJ) described Penchukov as a “leader of two prolific malware groups” that infected thousands of computers with malware, leading to ransomware and the theft of millions of dollars.
This included the Zeus banking trojan that facilitated the theft of bank account information, passwords, personal identification numbers, and other details necessary to log in to online banking accounts.
Penchukov and his co-conspirators, as part of the “wide-ranging racketeering enterprise” dubbed Jabber Zeus gang, then masqueraded as employees of the victims to initiate unauthorized fund transfers.
They also used individuals residing in the U.S. and other parts of the world as “money mules” to receive the wired funds, which were ultimately funneled to overseas accounts controlled by Penchukov et al. A successor to Zeus was dismantled in 2014.
The defendant has also been accused of facilitating malicious activity by helping lead attacks involving the IcedID (aka BokBot) malware from at least November 2018. The malware is capable of acting as an information stealer and a loader for other payloads, such as ransomware.
Ultimately, as investigative journalist Brian Krebs reported back in 2022, he managed to evade prosecution by Ukrainian cybercrime investigators for many years due to his political connections with former Ukrainian President Victor Yanukovych.
Following his arrest and extradition, Penchukov pleaded guilty to one count of conspiracy to commit a racketeer-influenced and corrupt organization (RICO) act offense for his leadership role in the Jabber Zeus group. He also pleaded guilty to one count of conspiracy to commit wire fraud for his leadership role in the IcedID malware group.
Penchukov is scheduled to be sentenced on May 9, 2024, and faces a maximum penalty of 20 years in prison for each count.
The development comes as the DoJ announced the extradition of a 28-year-old Ukrainian national from the Netherlands in connection with fraud, money laundering, and aggravated identity theft by allegedly operating and advertising an information stealer known as Raccoon.
Mark Sokolovsky, who was arrested by Dutch authorities in March 2022, leased Raccoon to other cybercriminals on a malware-as-a-service (MaaS) model for $200 a month. It first became available in April 2019.
“These individuals used various ruses, such as email phishing, to install the malware onto the computers of unsuspecting victims,” the DoJ said.
“Raccoon infostealer then stole personal data from victim computers, including login credentials, financial information, and other personal records. The stolen information was used to commit financial crimes or was sold to others on cybercrime forums.”
At least 50 million unique credentials and forms of identification have been harvested by the malware, according to the U.S. Federal Bureau of Investigation (FBI) estimates.
Sokolovsky’s arrest was accompanied by a coordinated takedown of Raccoon’s digital infrastructure, but a new version of the stealer, called RecordBreaker, has since emerged in the wild.
He has been charged with one count of conspiracy to commit fraud and related activity in connection with computers, one count of conspiracy to commit wire fraud, one count of conspiracy to commit money laundering, and one count of aggravated identity theft.