Notorious Banking Trojan Tied to 11 Million Infections, $500 Million in Losses
A Russian citizen was sentenced Wednesday in Georgia federal court to serve five years in prison after he pleaded guilty to helping develop and distribute the notorious banking Trojan called Citadel.
Mark Vartanyan, aka “Kolypto,” pleaded guilty March 20 to one count of computer fraud, for which he had faced up to 10 years imprisonment.
Prosecutor Steven Grimberg told the court Wednesday at Vartanyan’s sentencing hearing that the defendant had shown remorse and cooperated with the FBI and Justice Department, Associated Press reports. It notes that Vartanyan will get credit for time served, which includes two years spent in a Norwegian prison.
Vartanyan was extradited from Norway to the United States in December 2016, when he was 28 years old.
While Vartanyan admitted to providing software development expertise to help refine Citadel, it’s not clear if he was a major player in the cybercrime ring behind the malware.
Major Losses Tied to Citadel
Citadel – a variant of the notorious Zeus banking Trojan – first appeared for sale in 2012 on underground cybercrime marketplaces. It was offered as a malware-as-a-service product to which users subscribed.
The Justice Department has tied Citadel botnets to infections of 11 million PCs worldwide that caused more than $500 million in fraud.
The malware was used to steal funds from a number of financial services firms, including American Express, Bank of America, HSBC, PayPal, Royal Bank of Canada and Wells Fargo. But it was programmed to avoid infecting institutions in Ukraine or Russia, in what was a likely sign that its developers wanted to avoid angering authorities in those countries (see Russian Cybercrime Rule No. 1: Don’t Hack Russians).
Citadel, run by a controller who used the alias “Aquabox,” appeared to be based in Eastern Europe, according to Microsoft. Aquabox was assisted by an estimated 81 lieutenants – or botnet herders – who helped develop, distribute, update and sell the malware.
In 2013, the FBI, working with Microsoft, disrupted more than 1,000 Citadel botnets. Microsoft said 455 of those botnets were hosted in 40 U.S.-based data centers, while the rest were distributed across dozens of overseas countries.
From Ukraine to Norway
It’s unclear when in the course of its Citadel investigation the FBI identified Vartanyan.
In 2012, Vartanyan began working as a software engineer for a mobile healthcare data company called Dignio, based in Fredrikstad, Norway, and relocated from Ukraine to Norway in 2014 at the request of his employer, Norway Today reported. In interviews, Dignio lauded the programming work that Vartanyan did, while the Russian called it a “dream job.”
In October 2014, however, Vartanyan was arrested by Norway’s National Criminal Investigation Service, commonly known as Kripos, at the FBI’s request, after he was indicted in U.S. federal court in Georgia on suspicion of helping to develop or sell Citadel. Based on the charges originally filed against him, he faced up to 75 years in U.S. prison.
Present at Vartanyan’s 2014 interrogation was FBI cyber special agent Mark C. Ray, who had traveled to Fredrikstad, Norwegian newspaper Verdens Gang reported. According to news reports, the FBI had previously attempted to visit Vartanyan at his prior address in Ukraine, but had not been able to find him.
After his arrest in Norway, Vartanyan denied any wrongdoing and fought the extradition request. After two years, however, Norway’s Court of Appeal upheld the extradition request.
The court’s decision was condemned by Moscow. Russian Foreign Ministry spokeswoman Maria Zakharova labeled the charges as being “politically motivated” and claimed it was “part of the worldwide hunting for Russian citizens by American secret services and has nothing to do with … justice.”
Citadel Support Request to Aquabox
According to evidence presented at the extradition hearings in Norway, the FBI identified Vartanyan through a fake tech-support exchange. In June 2012, an undercover FBI agent obtained two versions of Citadel from an underground seller using the handle “Aquabox” and then filed a bug report describing fabricated problems. The seller asked that the problems be documented in screenshots and uploaded to the SendSpace.com file-sharing site, the Norwegian Broadcasting Corporation, aka NRK, reported.
From August 2012 to January 2013, the FBI tracked 48 file uploads to SendSpace from the suspect’s IP address, including Citadel updates as well as a “patched.zip” that included purported fixes for the errors identified by the undercover FBI agent, NRK reported.
In interviews with Norwegian media outlets, Vartanyan claimed that his PC must have been infected by Citadel malware and the IP address hijacked by criminals.
Another Russian Also Sentenced Over Citadel
In addition to the charges against Vartanyan, authorities filed similar charges against another Russian citizen, Dimitry Belorossov, aka Rainerfox, who was arrested in Spain at the FBI’s request and then extradited to the United States.
In July 2014, at the age of 22, he pleaded guilty to running a Citadel botnet beginning in 2012, and having infected 7,000 PCs with the malware. In September 2015, he was sentenced to serve four years and six months in prison and pay $322,409 in restitution, followed by three years of parole.
Authorities appear to have tracked St. Petersburg, Russia-based Belorossov thanks to his participation in an online, Russian-language Citadel user group called Citadelmovement.com. In the online forum, “Belorossov discussed his Citadel botnet and recommended improvements to the Citadel malware,” according to the U.S. Attorney’s Office. “In addition to operating a Citadel botnet, Belorossov also provided online assistance with the goal of developing suggested improvements to Citadel, including posting comments on criminal forums on the internet and electronically communicating with other cybercriminals via email and instant messaging.”
It’s not clear if authorities have identified – or know the precise location of – the individual known as Aquabox.