U.S. and British law enforcement officials announced charges Thursday against two Russian nationals they believe responsible for separate global hacking schemes that deployed some of the largest pieces of malware ever seen to swipe tens of millions of dollars from the bank accounts of unsuspecting victims.
Officials identified those charged as Maksim Yakubets, of Moscow, and Igor Turashev, of Yoshkar-Ola, Russia. They said a $5 million reward is being offered for information that leads to Yakubets’ capture – which they said was the largest such money offering yet for a cyber criminal.
Brian Benczkowski, who heads the Justice Department’s criminal division, said Yakubets was the “leader of a criminal cyber gang,” who had been involved in cyber crime for the past decade on an “unimaginable scale.”
“Maksim Yakubets allegedly has engaged in a decade-long cybercrime spree that deployed two of the most damaging pieces of financial malware ever used and resulted in tens of millions of dollar losses to victims worldwide,” he said.
Yakubets was charged in two separate cases – one in Pennsylvania and the other in Nebraska – for distributing malware known as “Bugat” and “Zeus” that stole unsuspecting victims’ passwords and other personal information. The hackers were then able to reroute wire transfers to foreign bank accounts run by “money mules.” Turashev was also charged in connection with the Bugat case.
Authorities said many of the thousands of U.S. victims were small to midsized businesses, targeted by email phishing scams. FBI Deputy Director David Bowdich said those targeted included a dairy company in Ohio, a luggage store in New Mexico and an order of religious sisters.
The Zeus malware was used in the attempted theft of about $220 million, of which the hackers were able to successfully steal about $70 million, authorities said.
The suspects used that money to live like flamboyant millionaires, officials said.
Bowdich conceded that because the two men are in Russia, it is unlikely they will ever be brought to the U.S. to face charges.
“It’s difficult, no doubt,” he said, “but it’s not impossible.”
The Russian government, which does not extradite its citizens to face charges overseas, responded to a U.S. request in the case that was “helpful in the investigation, to a point,” Bowdich said.
Yakubets was part of a group called the “Jabber Zeus Crew” that began their alleged scheme as far back as 2009.
Some members of the conspiracy have already been caught and sent to prison. Two Ukrainians, Yuriy Konovalenko and Yevhen Kulibaba, were extradited from Britain to the U.S. in 2015, pleaded guilty to conspiracy, and have completed their prison sentences.
Investigators recovered chat logs among members of the group showing them reacting to a 2009 Washington Post article about their apparent effort to steal $415,000 from the coffers of Bullitt County, Kentucky.
“I’m really pissed,” Yakubets allegedly wrote. “They exposed the entire deal.” Another suspect shared a link to the story and wrote: “This is what they damn wrote about me.”
Bowdich said the conversations show that the way to defeat hackers is to unmask them, wherever they are, through news stories or publicly filed charges, and the chat logs recounted in court documents show “they didn’t like it.”
Authorities were able to identify Yakubets as the person behind the online hacker persona “aqua” through those chats and a review of other digital evidence. They used applications for U.S. visas filed by Yakubets’ ex-wife and their young child, and the Russian government provided additional information that tied him to an “aqua” email address used to order a baby carriage that was delivered to his Moscow address.