Top ‘JabberZeus’ Botnet Group Suspect Arrested in Switzerland

Shot of police cars in Switzerland

Ukrainian national Vyacheslav Igorevich Penchukov, the alleged ringleader of the “JabberZeus” botnet gang, has been apprehended in Geneva, Switzerland, according to information security journalist Brian Krebs.

The group connected to “Zeus” banking botnet malware has stolen upwards of $70 million from victims’ bank accounts across the U.S. and Europe over more than a decade.

Krebs has been on JabberZeus’s case for at least 14 years while writing for The Washington Post. At the time, one of his sources had gained access to the crew’s private “Jabber” conversations, shedding light on the professional cybercrime outfit which employed “money mule recruiters” and orchestrated “victim cashout schemes.”

‘JabberZeus Crew’ Group Top Suspect Arrested

According to a Nov. 15 report by cybersecurity journalist Brian Krebs, the 40-year-old Penchukov — also known online as “father” and “tank” — was apprehended in Geneva on Oct. 23 for his central role in the malware botnet ring.

The FBI is still on the lookout for other top members of JabberZeus, including Ivan “nowhere” Klepikov and Alexey “thehead” Bron.

A further eight JabberZeus co-conspirators were charged by the U.S. DoJ in 2014 for infecting thousands of systems with Zeus, calling them a “wide-ranging racketeering enterprise.” Two crew members, Yevhen “jonni” Kulibaba and Yuriy “jtk0” Konovalenko had pleaded guilty in 2014 after being extradited to the UK.

The JabberZeus group, charged by the FBI in 2012 for crimes including identity theft and bank fraud, is a “small but potent cybercriminal collective from Ukraine and Russia that attacked victim companies with a powerful, custom-made version of the Zeus banking trojan,” Krebs explained. Penchukov, well-known as “DJ Slava Rich” in Ukraine, led a lavish life and invested significantly in local businesses.

Penchukov’s powerful political connections are what helped him escape from Ukrainian law enforcement since at least 2010, Krebs said, as the former Ukrainian President was the godfather to his daughter. By receiving insider tips from a “corrupt SBU contact,” he always had time to evade incoming home raids and destroy cybercrime evidence on multiple occasions, Krebs added.

Law enforcement first discovered the link between Evgeniy “lucky12345” Bogachev — the alleged author of the original Zeus trojan — and JabberZeus because they intercepted private chats about malware updates between them.

JabberZeus’s Malware and Methods

Krebs said JabberZeus’ modus operandi was to receive “Jabber” messages from the devices they successfully compromised with phishing tactics — often belonging to people from small and mid-sized businesses.

The group was an early pioneer of “man-in-the-browser” (MitB) attacks, Brian Krebs said in his report. MitB attacks are similar to man-in-the-middle (MitM) attacks, though rather than compromising entire Wi-Fi networks and connections, MitB attacks specifically target software vulnerabilities in browsers.

The JabberZeus crew’s name comes from the custom Zeus malware they used, allegedly crafted by Bogachev — whom the FBI is also looking for due to his connection with the “Gameover Zeus botnet” that spread the nefarious “Cryptolocker” ransomware.

The Zeus malware is “endlessly adaptable” in that it can steal passwords, PINs, RSA SecureID tokens, other login information, and account numbers while being multiplied through a botnet.

Banking Trojans Running Rampant

There have been several banking trojan-related incidents all over the world, such as this June’s TeaBot Android banking trojan that spread globally. The beginning of this year saw widespread attacks involving the FluBot and Medusa trojans, also targeting Android banking apps.

This type of malware usually has multiple capabilities, such as keylogging and RAT (Remote Access Trojan) features that initially infect victims through elaborate, socially-engineered email phishing schemes.

Oftentimes, sophisticated cybercrime can be traced back to regions such as Russia, China, Iran, and, more recently, Ukraine. Australian authorities said recently that Russian actors were behind the notable Australian Medibank incident. The Department of Justice and FBI shut down a Russian botnet made up of more than a million devices early this summer, while pro-Russia hackers were thought to be behind distributed denial of service (DDoS) attacks on American airports in October.

Find out more about banking malware in our guide on trojan viruses.

Tech researcher & communications specialist
Mirza has an education background in Global Communications, has worked in advertising, marketing, journalism and television over the years while living in several different countries. He is now working to consolidate news and outreach at VPNoverview.com, while in his free time he likes to work on documentary projects, read about sociology and write about world events.