The takedown tale of Gribodemon

TVER, Russia — Sasha Panin called himself “Gribodemon,” and his evil works in the world of cybercrime have bedeviled millions.

Panin is a 20-something Russian computer whiz who until a few years ago lived in obscurity with his grandmother in this struggling riverside city.

Context: Lessons from the capture of Spyeye’s mastermind

Working from a Moscow apartment, federal prosecutors say, Panin developed SpyEye, one of the most destructive computer software programs ever launched in the Internet’s criminal underworld, the dark Web where hackers ply their trade.

Panin’s software tool kit, which sold for a few thousand dollars on underground websites, systematically infected more than 1.4 million computers, where it collected bank account credentials, credit card numbers, passwords and personal identification numbers.

The world’s cybercriminals — from lone hackers like Panin, who supply the software tools, to elaborate, multilevel crime syndicates that steal billions of dollars every year — wreak havoc on computer systems: Witness the data heists that struck Target and Neiman Marcus during the holiday shopping season last year.

An examination of Panin’s case, his lifestyle, his eccentric ambitions and his ultimate capture by U.S. authorities reveals how youthful hackers hiding behind anonymous screen names in unlikely corners of the world can use their personal computers and programming skills to create malicious software, called malware, with the power to penetrate computers at multinational corporations, financial institutions and governments — and steal your credit card numbers or even your identity.

The threat from hackers for hire, state-sponsored cyber intrusions and organized cyber syndicates is so dire that Director of National Intelligence James Clapper lists cybersecurity as the greatest global threat, edging out terrorism and weapons of mass destruction.

To catch Panin, who awaits sentencing in a U.S. prison after pleading guilty this year to bank and wire fraud, FBI agents crisscrossed the globe, hacked into computers and posed as cybercrooks themselves.

The investigation is chronicled in criminal and civil court records and cyber-research reports examined by USA TODAY.

To crack the case, they sifted through millions of lines of computer code, wrestled with law enforcement officials in Thailand, Bulgaria and Britain, and finally waited patiently for Panin to leave Russia before they could bring him to justice, leaving his family in shock.

The young Sasha dreamed, his mother, Inessa Rozova, told USA TODAY, of creating artificial intelligence, obsessing over transhumanism, a cultural movement bent on transforming human life through technology.

“When he was 16, he told me he wanted to do everything possible to live forever,” Rozova said.

Unbeknown to her, the sweet boy with the keen mind who bought her a tea kettle with his first paycheck had an alter ego as Gribodemon, one of the most destructive and prolific hackers in the world. Rozova said she had no idea her son had become a hacker until she learned of his arrest in June by authorities in the Dominican Republic, acting on an Interpol warrant from the United States. The hacker had been visiting a friend there.

Panin’s capture and guilty plea represent one of law enforcement’s great successes in the battle against cybercrime. But U.S. efforts to catchcriminals are often stymied by layers of encryption, secret screen names and uncooperative foreign governments. Panin’s case illustrates the intricate, sprawling tangle that U.S. law enforcement must unravel to find and prosecute hackers who prey on American consumers, banks and retailers.

While Panin sits in jail, the creator of the ZeuS malware, the predecessor to Panin’s SpyEye, remains elusive. That hacker, known only by screen name Slavik, passed the mantle to Panin and slid quietly off the radar screen into retirement, untouched thus far by law enforcement.

“One of the challenges that we face is that to be a hacker all you really need is a computer and an Internet connection. You can reach anonymously into a victim’s bank account from halfway around the world,” says U.S. Attorney Sally Quillian Yates, whose office in Atlanta prosecuted Panin. “We have to chase their digital footprint.”

Hackers like Panin write thousands of lines of computer code to develop malware tool kits — ready-made malicious software packages that are as easy to operate as the legitimate software sold off the shelf at Best Buy or Office Depot to do your taxes or track the family budget.

Once they’re ready, the tool kits are sold in underground Web forums. The criminals who create the forums use the onion router, known as TOR, to conceal the location of the computer servers hosting the websites. TOR ensures privacy by randomly routing computer messages through several places on the Internet, wrapped in encrypted code, so no single point can link the source to the destination.

The tool kits are “very easy, very customizable,” says Roel Schouwenberg, principal security researcher at Kaspersky Lab, which helps businesses defend against malware. “They are template-based, so any attacker can change the template to meet their needs.”

Once hackers have used malware to infiltrate a computer, they can interfere with its operating system to see what the user does, capture any data they want and install their own software. In the Target case, for example, cyberthieves penetrated point-of-sale credit card readers and Target’s internal computer system to steal credit card data and personal information, including PINs, e-mail addresses and phone numbers, from as many as 110 million Target customers, putting them at risk of bogus credit card charges, identity theft and other types of fraud.

The hackers who hit Target used an off-the-shelf tool kit, Schouwenberg noted.

Among the creators of the tool kits, “there’s something of a philosophy,” Schouwenberg says. “They say, ‘We are only creating the weapons. We are not pulling the trigger.’ ”

Indeed, at Konyayev College where Panin studied computer science, teacher Larisa Ishkova recalls his work as “exceptional” and says students there still admire and respect him.

“The kids are proud of him, not because he broke the law but because they see hacking as the height of mastery of computer science,” Ishkova says.


SpyEye arrived on Jan. 10, 2010, when the hacker known only as Gribodemon pitched it for sale on,an underground marketplace, court papers say.

For years, that forum had been Slavik’s domain and the ZeuS malware reigned. ZeuS, created in 2007, had infected more than 13 million computers and had been used to steal over $100 million, according to court papers filed by Microsoft in 2012.

“SpyEye made its notoriety by going after and competing with ZeuS,” says Wade Williamson, senior threat researcher of Shape Security, a computer security firm. “SpyEye was the upstart.”

Gribodemon placed ads for SpyEye on websites for the underground hacker marketplaces, Williamson says.”The ads said, ‘I’m a better hacker than ZeuS. … He was kind of bombastic.”

SpyEye is top-shelf malware. The tool kit automates the collection of confidential personal and financial information using multiple approaches, including a keystroke logger and data grabbers. A basic SpyEye tool kit sold for $1,000; top-of-the-line versions cost up to $8,500.

The FBI estimates Gribodemon had 150 clients, including one client known as “Soldier” who allegedly used the software to steal $3.2 million from bank accounts over six months. Federal agents say that Panin sent his clients more than 80 e-mails from his Gmail account with SpyEye updates and security patches, and that he provided after-sale maintenance, updates and technical support as well.

SpyEye can hijack Web browsers or present fake bank webpages that prompt users to enter their logins and passwords. SpyEye also had a credit card grabber that could scan infected computers for credit card credentials. Once the information is collected, the malware directs the computer to send the data to an infected master computer, known as a “command and control” server, or C2 server, where the criminals can collect it.

By October 2010, the hacker behind ZeuS gave his source code to Gribodemon and the two hackers merged their operations. Afterward, Slavik disappeared.

The FBI investigation into SpyEye caught its first break in February 2011, when agents seized and searched a SpyEye C2 server near Atlanta that Hamza Bendelladj, Gribodemon’s online collaborator, allegedly operated remotely from his home in Algeria. That server controlled more than 200 computers infected with SpyEye, including computers connected to 253 banks in North Carolina, New York, California and Virginia.

That summer, FBI informants communicated with Gribodemon on to purchase a SpyEye tool kit. They paid $8,500.

By December, agents had enough evidence of criminal acts for a 23-count indictment against Bendelladj, but they still didn’t have a name for the SpyEye creator. A grand jury indicted “John Doe.”


Aleksandr Andreevich “Sasha” Panin was born in Tver in 1989, two years before the Soviet Union and its economy collapsed. His mother, Inessa Rozova, struggled to make ends meet. He was in fifth grade when his parents divorced and he moved from the family home into his grandmother’s two-room apartment.

Panin did well in school, showing particular aptitude for math and computers.

In this city of 400,000 people 100 miles north of Moscow, computer programmers are in demand and earn a healthy living, his teacher, Ishkova, said. But after graduation, Panin found his skills weren’t needed. He attended a local institute but dropped out after six months, his mother says.

After school, he moved to Moscow and traveled abroad. Panin rarely talked about his work. and Rozova is unsure what he was doing and where he was living.

Now he writes to her from prison.

In an Oct. 28 letter, Panin told his mother he wasn’t sure when he started to think about dedicating himself to transforming life through technology.

“I started to generate an idea that it is imperative for me to spend my life obtaining money to invest it in the necessary technology,” he wrote. “Only now have I started to understand that was a bad idea.”

Panin pleaded guilty Jan. 28 and will be sentenced on April 29.

“It’s not that they are innocent boys,” says Arkady Bukh, a Brooklyn, N.Y., lawyer who represents Panin and several other convicted Russian hackers. “They are young boys who were greedy and did the wrong thing. That’s why they took a plea.”

The FBI considers several Eastern European countries “hot spots” for cybercrime and has embedded agents in police departments in Estonia, Romania and Ukraine. Bukh says young computer programmers in Russia and other Eastern European countries turn to cybercrime for lack of opportunity. They are highly educated, with strong math skills, but cannot get top-flight jobs in Russia or visas to work in Silicon Valley or high-tech centers in Scandinavia and the Netherlands.

Panin, he said, fits that profile.

“You’re talking about an 18-, 19-year-old boy who is a brilliant computer analyst, a brilliant programmer,” he says. “Plain and simple, it is greed and a lack of opportunity in Russia.”

He compares the hackers to Mikhail Kalashnikov, the Russian general who designed the AK-47 but isn’t responsible for starting the war in Afghanistan. Panin, he says, never got rich off his malware and never used it to steal. He lived modestly in a small rental apartment and rode a bicycle, the lawyer says.

Panin “is not a bank robber. He’s an excellent, brilliant computer programmer who created bad things,” Bukh says. “Of course, he knew it would be used for invasive and illegal purposes.”

Prosecutor Yates sees hackers like Panin differently.

“We’re not talking about misunderstood genius here. These are not just nerdy kids up to mischief in their parent’s basement,” Yates says. “They are breaking in and they are stealing.”

The world of cybercrime has evolved into a loosely knit group of specialists. Cybercriminals who buy malware often work with hackers called “bot herders,” who specialize in finding unprotected computers and infecting them to create a network known as a “botnet.”

Other hackers use a C2 server to remotely control the “botnet” and force the infected computers to execute commands. Still others collect the credit card and bank data, which is then sold on underground “carder” forums known as dumps where an American credit card number can sell for about $3 each.

One of those “carders” is Vladislav Anatolievich Horohorin, 27, of Moscow, known online as “BadB” and one of the founders of “CarderPlanet.”

Founded in 2001, CarderPlanet maintained a Web marketplace where it sold millions of stolen credit card numbers. Federal investigators say it operated as an organized crime ring and had a hierarchy that mirrored the Mafia. After police shut down CarderPlanet in 2004, Horohorin moved on to malware.

Horohorin and his team of hackers used malware to infiltrate the computers of RBS World Pay in Atlanta, the credit-card-processing division of the Royal Bank of Scotland. They stole the debit card numbers and altered the accounts to raise the balances and withdrawal limits on the cards, court papers say.

The hackers then distributed 44 counterfeit payroll debit cards and PINs to “cashers,” including Horohorin, who used the account numbers at 2,100 ATMs in 280 cities around the world, ultimately stealing $9 million in less than 12 hours, court papers say. The cashers took a 30% to 50% cut and then submitted the rest of the money back to the crime syndicate bosses in Estonia, Russia and Moldova through Web money accounts.

Horohorin withdrew more than $125,000 from ATMs around Moscow, court papers say.

At the time of his arrest as he boarded a plane in Nice, France, Horohorin possessed more than 2.5 million stolen credit card and debit card numbers, prosecutors said. The Justice Department called Horohorin “an international credit card trafficker thought to be one of the most prolific sellers of stolen data.”

Horohorin pleaded guilty on Oct. 25, 2012, to device fraud and conspiracy to commit wire fraud. He is serving seven years in a New Jersey prison.

In the ecosystem of cybercriminals, it’s the cashers — people who attempt to use the stolen credit cards at a store or ATM and whose faces are captured on security cameras — who are easiest to catch.

“The hackers put a layer of separation between themselves and the real buyer,” says Shape Security’s Williamson. “They can stay fairly safely tucked away in Eastern Europe.”


Key to catching cybercriminals are the white-hat cybergeeks who work as computer security researchers, identifying the suspicious bits that signal malware among the billions of bits that make up computer code.

In the SpyEye case, the FBI and Justice Department cited the work of Trend Micro, a computer security firm in Dallas, which has 1,200 threat researchers working full time to identify and stop malware attacks.

SpyEye caught Trend Micro’s attention four years ago, says Rik Ferguson, vice president of security research.

“It was very effective, pernicious and persistent,” Ferguson says.

After identifying the signature characteristics of the malware and mapping out its infrastructure, including IP addresses and C2 computers, company researchers infiltrated an underground forum often visited by the SpyEye creator and his customers, says Loucif Kharouni, a senior threat researcher at Trend Micro who investigated the malware.

Gribodemon and a coder he worked with known online as ‘bx1’ periodically let slip e-mail addresses and information about instant messenger accounts, which could lead to actual identities, Kharouni says.

“Very often, it’s poor operational security that leads you to the beginning of the trail,” Ferguson says. “It’s detective work — good, old-fashioned detective work.”

On one SpyEye server, Kharouni retrieved and decoded the configuration files that made the software operate. Among the bits, he found an online handle “bx1,” an e-mail address and login credentials for virtest, a detection-testing service used by cybercriminals.

Kharouni matched that information with handles used in the underground criminal forum to tie the computer code to one of Gribodemon’s online collaborators.

Trend Micro turned the information over to law enforcement authorities, Ferguson says.

The FBI in February 2011 searched and seized the SpyEye command-and-control computer in Georgia that allegedly showed communications between the Atlanta-based server and infected computers in the United States and around the world. The evidence against SpyEye includes two hard drives, more than 40 disks and over one terabyte of data, court papers show.

In June and July 2011, FBI undercover employees purchased a top-of-the-line SpyEye tool kit from Gribodemon and, following his instructions, paid for it with money electronically transferred to a digital account at Liberty Reserve, a Costa Rica-based money processor shut down by federal agents last year, court papers say.

Even after federal investigators linked Panin to Gribodemon, the evidence and the new indictment remained under seal for two years so Panin wouldn’t know he had been identified. Russia does not have an extradition treaty with the U.S., so federal agents had to wait until Panin left Russia.

Thai authorities arrested Bendelladj on Jan. 5, 2013, at the airport in Bangkok as he traveled from Malaysia to Egypt. He was extradited in May to face the U.S. charges. He has pleaded not guilty.

Authorities caught up with Panin in June when he visited a friend in the Dominican Republic. Dominican police arrested Panin as he attempted to board a flight home to Russia.

Though Panin now sits in prison, his malware survives, and new hackers are recycling the old source code to design new tool kits, computer experts say.

“We’re dying a death by a million cuts,” says Chester Wisniewski, a senior security adviser at data security firm Sophos. “We’ll go after SpyEye or the Target gang. Every year, we go after two or three of these guys, but nothing is ever really done.”

Leinwand Leger reported from Washington. Contributing: Alexei Kosorukov of Komsomolskaya Pravda

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone