Vyacheslav “Tank” Penchukov, the accused 40-year-old Ukrainian chief of a prolific cybercriminal group that stole tens of hundreds of thousands of {dollars} from small to mid-sized companies within the United States and Europe, has been arrested in Switzerland, in accordance with a number of sources.
Wanted Ukrainian cybercrime suspect Vyacheslav “Tank” Penchukov (proper) was arrested in Geneva, Switzerland. Tank was the day-to-day supervisor of a cybercriminal group that stole tens of hundreds of thousands of {dollars} from small to mid-sized companies.
Penchukov was named in a 2014 indictment by the U.S. Department of Justice as a high determine within the JabberZeus Crew, a small however potent cybercriminal collective from Ukraine and Russia that attacked sufferer corporations with a robust, custom-made model of the Zeus banking trojan.
The U.S. Federal Bureau of Investigation (FBI) declined to remark for this story. But in accordance with a number of sources, Penchukov was arrested in Geneva, Switzerland roughly three weeks in the past as he was touring to satisfy up together with his spouse there.
Penchukov is from Donetsk, a historically Russia-leaning area in Eastern Ukraine that was not too long ago annexed by Russia. In his hometown, Penchukov was a widely known deejay (“DJ Slava Rich“) who loved being seen driving round in his high-end BMWs and Porsches. More not too long ago, Penchukov has been investing fairly a bit in native companies.
The JabberZeus crew’s identify is derived from the malware they used, which was configured to ship them a Jabber on the spot message every time a brand new sufferer entered a one-time password code right into a phishing web page mimicking their financial institution. The JabberZeus gang focused largely small to mid-sized companies, they usually have been an early pioneer of so-called “man-in-the-browser” assaults, malware that may silently siphon any knowledge that victims submit by way of a web-based type.
Once inside a sufferer firm’s financial institution accounts, the crooks would modify the agency’s payroll so as to add dozens of “money mules,” folks recruited by way of work-at-home schemes to deal with financial institution transfers. The mules in flip would ahead any stolen payroll deposits — minus their commissions — by way of wire switch abroad.
Tank, a.ok.a. “DJ Slava Rich,” seen right here performing as a DJ in Ukraine in an undated photograph from social media.
The JabberZeus malware was custom-made for the crime group by the alleged writer of the Zeus trojan — Evgeniy Mikhailovich Bogachev, a high Russian cybercriminal with a $3 million bounty on his head from the FBI. Bogachev is accused of working the Gameover Zeus botnet, an enormous crime machine of 500,000 to 1 million contaminated PCs that was used for giant DDoS assaults and for spreading Cryptolocker — a peer-to-peer ransomware menace that was years forward of its time.
Investigators knew Bogachev and JabberZeus have been linked as a result of for a few years they have been studying the non-public Jabber chats between and amongst members of the JabberZeus crew, and Bogachev’s monitored aliases have been in semi-regular contact with the group about updates to the malware.
Gary Warner, director of analysis in laptop forensics on the University of Alabama at Birmingham, famous in his weblog from 2014 that Tank informed co-conspirators in a JabberZeus chat on July 22, 2009 that his daughter, Miloslava, had been born and gave her beginning weight.
“A search of Ukrainian birth records only showed one girl named Miloslava with that birth weight born on that day,” Warner wrote. This was sufficient to positively establish Tank as Penchukov, Warner stated.
Ultimately, Penchukov’s political connections helped him evade prosecution by Ukrainian cybercrime investigators for a few years. The late son of former Ukrainian President Victor Yanukovych (Victor Yanukovych Jr.) would function godfather to Tank’s daughter Miloslava. Through his connections to the Yanukovych household, Tank was capable of set up contact with key insiders in high tiers of the Ukrainian authorities, together with regulation enforcement.
Sources briefed on the investigation into Penchukov stated that in 2010 — at a time when the Security Service of Ukraine (SBU) was making ready to serve search warrants on Tank and his crew — Tank obtained a tip that the SBU was coming to raid his dwelling. That warning gave Tank ample time to destroy necessary proof towards the group, and to keep away from being dwelling when the raids occurred. Those sources additionally stated Tank used his contacts to have the investigation into his crew moved to a distinct unit that was headed by his corrupt SBU contact.
Writing for Technology Review, Patrick Howell O’Neil recounted how SBU brokers in 2010 have been trailing Tank across the metropolis, watching intently as he moved between nightclubs and his house.
“In early October, the Ukrainian surveillance team said they’d lost him,” he wrote. “The Americans were unhappy, and a little surprised. But they were also resigned to what they saw as the realities of working in Ukraine. The country had a notorious corruption problem. The running joke was that it was easy to find the SBU’s anticorruption unit—just look for the parking lot full of BMWs.”
AUTHOR’S NOTE/BACKGROUND
I first encountered Tank and the JabberZeus crew roughly 14 years in the past as a reporter for The Washington Post, after a trusted supply confided that he’d secretly gained entry to the group’s non-public Jabber conversations.
From studying these discussions every day, it grew to become clear Tank was nominally in command of the Ukrainian crew, and that he spent a lot of his time overseeing the actions of the cash mule recruiters — which have been an integral a part of their sufferer cashout scheme.
It was quickly found that the phony company web sites the cash mule recruiters used to handle new hires had a safety weak point that allowed anybody who signed up on the portal to view messages for each different consumer. A scraping device was constructed to reap these cash mule recruitment messages, and on the top of the JabberZeus gang’s exercise in 2010 that scraper was monitoring messages on near a dozen completely different cash mule recruitment websites, every managing tons of of “employees.”
Each mule was given busy work or menial duties for a couple of days or perhaps weeks previous to being requested to deal with cash transfers. I imagine this was an effort to weed out unreliable cash mules. After all, those that confirmed up late for work tended to price the crooks some huge cash, because the sufferer’s financial institution would often attempt to reverse any transfers that hadn’t already been withdrawn by the mules.
When it got here time to switch stolen funds, the recruiters would ship a message by way of the pretend firm web site saying one thing like: “Good morning [mule name here]. Our client — XYZ Corp. — is sending you some money today. Please visit your bank now and withdraw this payment in cash, and then wire the funds in equal payments — minus your commission — to these three individuals in Eastern Europe.”
Only, in each case the corporate talked about because the “client” was in truth a small enterprise whose payroll accounts they’d already hacked into.
So, every day for a number of years my morning routine went as follows: Make a pot of espresso; shuffle over to the pc and examine the messages Tank and his co-conspirators had despatched to their cash mules over the earlier 12-24 hours; lookup the sufferer firm names in Google; choose up the telephone to warn every that they have been within the strategy of being robbed by the Russian Cyber Mob.
My spiel on all of those calls was kind of the identical: “You probably have no idea who I am, but here’s all my contact info and what I do. Your payroll accounts have been hacked, and you’re about to lose a great deal of money. You should contact your bank immediately and have them put a hold on any pending transfers before it’s too late. Feel free to call me back afterwards if you want more information about how I know all this, but for now please just call or visit your bank.”
In many cases, my name would are available in simply minutes or hours earlier than an unauthorized payroll batch was processed by the sufferer firm’s financial institution, and a few of these notifications prevented what in any other case would have been monumental losses — typically a number of occasions the quantity of the group’s regular weekly payroll. At some level I ended counting what number of tens of 1000’s of {dollars} these calls saved victims, however over a number of years it was in all probability within the hundreds of thousands.
Just as typically, the sufferer firm would suspect that I used to be in some way concerned within the theft, and shortly after alerting them I might obtain a name from an FBI agent or from a police officer within the sufferer’s hometown. Those have been at all times fascinating conversations.
Collectively, these notifications to victims led to dozens of tales over a number of years about small companies battling their monetary establishments to recuperate their losses. I by no means wrote a few single sufferer that wasn’t okay with my calling consideration to their plight and to the sophistication of the menace going through different corporations.
This incessant meddling on my half very a lot aggravated Tank, who on multiple event expressed mystification as to how I knew a lot about their operations and victims. Here’s a snippet from one in every of their Jabber chats in 2009, after I’d written a narrative for The Washington Post about their efforts to steal $415,000 from the coffers of Bullitt County, Kentucky. In the chat beneath, “lucky12345” is the Zeus writer Bogachev:
tank: Are you there?
tank: This is what they rattling wrote about me.
tank: http://voices.washingtonpost.com/securityfix/2009/07/an_odyssey_of_fraud_part_ii.html#more
tank: I’ll take a fast have a look at historical past
tank: Originator: BULLITT COUNTY FISCAL Company: Bullitt County Fiscal Court
tank: Well, you bought [it] from that cash-in.
lucky12345: From 200K?
tank: Well, they don’t seem to be the appropriate quantities and the money out from that account was shitty.
tank: Levak was written there.
tank: Because now your entire USA is aware of about Zeus.
tank: 😀
lucky12345: It’s fucked.
On Dec. 13, 2009, one in every of Tank’s high cash mule recruiters — a criminal who used the pseudonym “Jim Rogers” — informed his boss one thing I hadn’t shared past a couple of trusted confidants at that time: That The Washington Post had eradicated my job within the strategy of merging the newspaper’s Web website (the place I labored on the time) with the lifeless tree version.
jim_rogers: There is a rumor that our favourite (Brian) didn’t get his contract extension at Washington Post. We are giddily awaiting affirmation 🙂 Good information anticipated precisely by the New Year! Besides us nobody reads his column 🙂
tank: Mr. Fucking Brian Fucking Kerbs!
Another member of the JabberZeus crew — Ukrainian-born Maksim “Aqua” Yakubets — is also at present wished by the FBI, which is providing a $5 million reward for info resulting in his arrest and conviction.
Alleged “Evil Corp” bigwig Maksim “Aqua” Yakubets. Image: FBI