Vyacheslav “Tank” Penchukov, the accused 40-year-old Ukrainian leader of a prolific cybercriminal group that stole tens of millions of dollars from small to mid-sized businesses in the United States and Europe, has been arrested in Switzerland, according to multiple sources.
Penchukov was named in a 2014 indictment by the U.S. Department of Justice as a top figure in the JabberZeus Crew, a small but potent cybercriminal collective from Ukraine and Russia that attacked victim companies with a powerful, custom-made version of the Zeus banking trojan.
The U.S. Federal Bureau of Investigation (FBI) declined to comment for this story. But according to multiple sources, Penchukov was arrested in Geneva, Switzerland roughly three weeks ago as he was traveling to meet up with his wife there.
Penchukov is from Donetsk, a traditionally Russia-leaning region in Eastern Ukraine that was recently annexed by Russia. In his hometown, Penchukov was a well-known deejay (“DJ Slava Rich”) who enjoyed being seen driving around in his high-end BMWs and Porsches. More recently, Penchukov has been investing quite a bit in local businesses.
The JabberZeus crew’s name is derived from the malware they used, which was configured to send them a Jabber instant message each time a new victim entered a one-time password code into a phishing page mimicking their bank. The JabberZeus gang targeted mostly small to mid-sized businesses, and they were an early pioneer of so-called “man-in-the-browser” attacks, malware that can silently siphon any data that victims submit via a web-based form.
Once inside a victim company’s bank accounts, the crooks would modify the firm’s payroll to add dozens of “money mules,” people recruited through work-at-home schemes to handle bank transfers. The mules in turn would forward any stolen payroll deposits — minus their commissions — via wire transfer overseas.
The JabberZeus malware was custom-made for the crime group by the alleged author of the Zeus trojan — Evgeniy Mikhailovich Bogachev, a top Russian cybercriminal with a $3 million bounty on his head from the FBI. Bogachev is accused of running the Gameover Zeus botnet, a massive crime machine of 500,000 to 1 million infected PCs that was used for large DDoS attacks and for spreading Cryptolocker — a peer-to-peer ransomware threat that was years ahead of its time.
Investigators knew Bogachev and JabberZeus were linked because for many years they were reading the private Jabber chats between and among members of the JabberZeus crew, and Bogachev’s monitored aliases were in semi-regular contact with the group about updates to the malware.
Gary Warner, director of research in computer forensics at the University of Alabama at Birmingham, noted in his blog from 2014 that Tank told co-conspirators in a JabberZeus chat on July 22, 2009 that his daughter, Miloslava, had been born and gave her birth weight.
“A search of Ukrainian birth records only showed one girl named Miloslava with that birth weight born on that day,” Warner wrote. This was enough to positively identify Tank as Penchukov, Warner said.
Ultimately, Penchukov’s political connections helped him evade prosecution by Ukrainian cybercrime investigators for many years. The late son of former Ukrainian President Victor Yanukovych (Victor Yanukovych Jr.) would serve as godfather to Tank’s daughter Miloslava. Through his connections to the Yanukovych family, Tank was able to establish contact with key insiders in top tiers of the Ukrainian government, including law enforcement.
Sources briefed on the investigation into Penchukov said that in 2010 — at a time when the Security Service of Ukraine (SBU) was preparing to serve search warrants on Tank and his crew — Tank received a tip that the SBU was coming to raid his home. That warning gave Tank ample time to destroy important evidence against the group, and to avoid being home when the raids happened. Those sources also said Tank used his contacts to have the investigation into his crew moved to a different unit that was headed by his corrupt SBU contact.
Writing for Technology Review, Patrick Howell O’Neil recounted how SBU agents in 2010 were trailing Tank around the city, watching closely as he moved between nightclubs and his apartment.
“In early October, the Ukrainian surveillance team said they’d lost him,” he wrote. “The Americans were unhappy, and a little surprised. But they were also resigned to what they saw as the realities of working in Ukraine. The country had a notorious corruption problem. The running joke was that it was easy to find the SBU’s anticorruption unit—just look for the parking lot full of BMWs.”
AUTHOR’S NOTE/BACKGROUND
I first encountered Tank and the JabberZeus crew roughly 14 years ago as a reporter for The Washington Post, after a trusted source confided that he’d secretly gained access to the group’s private Jabber conversations.
From reading those discussions each day, it became clear Tank was nominally in charge of the Ukrainian crew, and that he spent much of his time overseeing the activities of the money mule recruiters — which were an integral part of their victim cashout scheme.
It was soon discovered that the phony corporate websites the money mule recruiters used to manage new hires had a security weakness that allowed anyone who signed up at the portal to view messages for every other user. A scraping tool was built to harvest these money mule recruitment messages, and at the height of the JabberZeus gang’s activity in 2010 that scraper was monitoring messages on close to a dozen different money mule recruitment sites, each managing hundreds of “employees.”
Each mule was given busy work or menial tasks for a few days or even weeks prior to being asked to handle money transfers. I believe this was an effort to weed out unreliable money mules. After all, those who showed up late for work tended to cost the crooks a lot of money, because the victim’s bank would usually try to reverse any transfers that hadn’t already been withdrawn by the mules.
When it came time to transfer stolen funds, the recruiters would send a message through the fake company website saying something like: “Good morning [mule name here]. Our client — XYZ Corp. — is sending you some money today. Please visit your bank now and withdraw this payment in cash, and then wire the funds in equal payments — minus your commission — to these three individuals in Eastern Europe.”
Only, in every case the company mentioned as the “client” was in fact a small business whose payroll accounts they’d already hacked into.
So, each day for several years my morning routine went as follows: Make a pot of coffee; shuffle over to the computer and view the messages Tank and his co-conspirators had sent to their money mules over the previous 12-24 hours; look up the victim company names in Google; pick up the phone to warn each that they were in the process of being robbed by the Russian Cyber Mob.
My spiel on all of these calls was more or less the same: “You probably don’t know who I am, but here’s all my contact info and what I do. Your payroll accounts have been hacked, and you’re about to lose a great deal of money. You should contact your bank immediately and have them put a hold on any pending transfers before it’s too late. Feel free to call me back afterwards if you want more information about how I know all this, but for now please just call or visit your bank.”
In many instances, my call would come in just minutes or hours before an unauthorized payroll batch was processed by the victim company’s bank, and some of those notifications prevented what otherwise would have been enormous losses — often several times the amount of the organization’s normal weekly payroll. At some point I stopped counting how many tens of thousands of dollars those calls saved victims, but over several years it was probably in the millions.
Just as often, the victim company would suspect that I was somehow involved in the theft, and soon after alerting them I’d receive a call from an FBI agent or from a police officer in the victim’s hometown. Those were always interesting conversations.
Collectively, these notifications to victims led to dozens of stories over several years about small businesses battling their financial institutions to recover their losses. I never wrote about a single victim that wasn’t okay with my calling attention to their plight and to the sophistication of the threat facing other companies.
This incessant meddling on my part very much aggravated Tank, who on more than one occasion expressed mystification as to how I knew so much about their operations and victims. Here’s a snippet from one of their Jabber chats in 2009, after I’d written a story for The Washington Post about their efforts to steal $415,000 from the coffers of Bullitt County, Kentucky. In the chat below, “lucky12345” is the Zeus author Bogachev:
tank: Are you there?
tank: This is what they damn wrote about me.
tank: http://voices.washingtonpost.com/securityfix/2009/07/an_odyssey_of_fraud_part_ii.html#more
tank: I’ll take a quick look at history
tank: Originator: BULLITT COUNTY FISCAL Company: Bullitt County Fiscal Court
tank: Well, you got [it] from that cash-in.
lucky12345: From 200K?
tank: Well, they aren’t the right amounts and the cash out from that account was shitty.
tank: Levak was written there.
tank: Because now the entire USA knows about Zeus.
tank: 😀
lucky12345: It’s fucked.
On Dec. 13, 2009, one of Tank’s top money mule recruiters — a crook who used the pseudonym “Jim Rogers” — told his boss something I hadn’t shared beyond a few trusted confidants at that point: That The Washington Post had eliminated my job in the process of merging the newspaper’s Web site (where I worked at the time) with the dead tree edition.
jim_rogers: There’s a rumor that our favorite (Brian) didn’t get his contract extension at Washington Post. We’re giddily awaiting confirmation 🙂 Good news expected exactly by the New Year! Besides us nobody reads his column 🙂
tank: Mr. Fucking Brian Fucking Kerbs!
Another member of the JabberZeus crew — Ukrainian-born Maksim “Aqua” Yakubets — is also currently wanted by the FBI, which is offering a $5 million reward for information leading to his arrest and conviction.
Update, Nov. 16, 2022, 7:55 p.m. ET: Multiple media outlets are reporting that Swiss authorities confirmed they arrested a Ukrainian national wanted on cybercrime charges. The arrest occurred in Geneva on Oct. 23, 2022. “The US authorities accuse the prosecuted person of extortion, bank fraud and identity theft, among other things,” reads a statement from the Swiss Federal Office of Justice (FOJ).
“During the hearing on 24 October, 2022, the person did not consent to his extradition to the USA by way of a simplified proceeding,” the FOJ continued. “After completion of the formal extradition procedure, the FOJ has decided to grant his extradition to the USA on 15 November, 2022. The decision of the FOJ may be appealed at the Swiss Federal Criminal Court, respectively at the Swiss Supreme Court.”