A 23-count indictment charges Hamza Bendelladj, 24, with wire fraud, bank fraud, computer fraud and conspiracy. U.S. Attorney Sally Yates said the man was extradited to Atlanta from Thailand on Thursday and was arraigned in federal court Friday afternoon. A second person is also charged in the indictment but has not been identified. Investigators could not disclose whether the person was in the U.S. or abroad. Officials also could not disclose what information led them to Bendelladj.
Bendelladj, whose nickname is “Bx1,” is accused of developing and marketing SpyEye, a banking Trojan. However, federal authorities have not said exactly how Bendelladj helped develop the software. Court records don’t indicate whether he had a lawyer.
The malware was implanted onto computers to secretly collect financial information and drain bank accounts. Authorities say the malware impacted 253 different financial institutions and is responsible for untold amounts of financial theft.
“We’re talking millions,” Yates said Friday. “We don’t have the precise number quantified at this point.”
Trojans such as SpyEye can be profitable for cybercriminals. A small group of hackers in Eastern Europe arrested in 2010 was able to steal about $70 million from companies, municipalities and churches in Europe and the U.S.
SpyEye was designed to automatically steal sensitive information — such as bank account credentials, credit card information, passwords and PIN numbers — after being implanted in victims’ computers. After the program took control of a computer, it allowed hackers to use a number of covert techniques to trick victims into giving up their personal information — including data grabbing and presenting victims with a fake bank account page. The information was then relayed to a command and control server, which was used to access bank accounts.
Bendelladj was indicted in December 2011 and was on a trip from Malaysia to Egypt when he was arrested during a layover at an airport in Bangkok on Jan. 5, 2013. Police there seized two laptops, a tablet computer, a satellite phone and external hard drives.
Although authorities say he never set foot on U.S. soil, Bendelladj is accused of leasing a virtual server from an unidentified Internet company in Atlanta to control computers that were impacted by SpyEye. The company was unaware the man was allegedly using the server for illegal purposes, Yates said.
“The federal indictment and extradition of Bendelladj should send a very clear message to those international cybercriminals who feel safe behind their computers in foreign lands that they are, in fact, within reach,” Mark F. Giuliano of the FBI’s Atlanta field office said in a news release.
Bendelladj and others allegedly developed and sold various versions of SpyEye and its components on the Internet between 2009 and 2011. Cybercriminals were able to customize their purchases to choose specific methods of gathering personal information from victims. Bendelladj and others also allegedly advertised SpyEye on Internet forums focused on cybercrime and other criminal activity.
Yates said that Bendelladj is not accused of being part of a specific criminal organization, and that he and his associates are not accused of carrying out cyberterrorism.
While the arrest does show that authorities are vigilant about trying to fight cybercrime, cybersecurity experts said there is still a vast network of cybercriminals finding more sophisticated ways to remain anonymous and create malware resistant to antivirus programs.
“At the end of the day, this one arrest, unfortunately, won’t cause a lot of reduction in online fraud attempts,” said George Tubin, senior security strategist at Boston-based Trusteer, a provider of cybercrime prevention programs. “Hopefully it sends a message maybe to the fraudsters that you can be caught and you need to think twice.”
Investigators say SpyEye is still active, and authorities are trying to track down computer hackers who are still using the virus. Hackers have developed a mobile version of SpyEye called Spitmo, which targets victims’ smartphones, Tubin said. Cybercriminals can steal personal information through victims’ computers and forward themselves text messages from the victims’ cellphones to fraudulently verify the person’s identity and lock them out of bank accounts and other personal accounts. That method is more widely used in Europe, Tubin said.
If convicted, Bendelladj faces up to 30 years in prison for conspiracy to commit wire and bank fraud, and up to five years for conspiracy to commit computer fraud. The 21 counts of wire and computer fraud carry maximum sentences of between five and 20 years each. The man may also be fined up to $14 million.