Four months after he was arrested in Thailand, a man suspected of being one of those running the SpyEye botnet appeared in court late last week in Atlanta to answer charges that he was part of the crew using the malware to steal millions of dollars from victims worldwide. Hamza Bendelladj was indicted in late 2011, and U.S. authorities have been trying to extradite him from Thailand for several years now. He is facing more than 30 counts related to the botnet and bank fraud.
SpyEye is one of the more notorious pieces of financial malware in use in the last few years. It gives attackers the ability to steal online banking credentials from infected PCs, and some versions of SpyEye can also bypass two-factor authentication. The SpyEye Trojan is closely associated with the Zeus malware, and the two code bases were merged a couple of years ago. There are still separate versions of each Trojan, and many different versions of both SpyEye and Zeus are sold in the underground. Security researchers and law enforcement officials have focused a lot of attention on Zeus for several years now, and SpyEye has been a little less conspicuous. No longer.
Law enforcement officials say that Bendelladj’s arrest is part of a larger focus on cybercrime.
“Bendelladj’s alleged criminal reach extended across international borders, directly into victims’ homes. In a cyber-netherworld, he allegedly commercialized the wholesale theft of financial and personal information through this virus which he sold to other cybercriminals. Cybercriminals take note; we will find you. This arrest and extradition demonstrates our determination to bring you to justice,” United States Attorney Sally Quillian Yates said.
The indictment against Bendelladj alleges that he was involved in a group responsible for developing and selling the SpyEye Trojan and also for helping other attackers find command-and-control servers to manage their botnets. Bendelladj, who researchers say used the alias Bx1 online, is accused of advertising SpyEye for sale, and he is now appearing in a Georgia court because one of the C2 servers he allegedly operated is in that state.
“The indictment charges Bendelladj and his co-conspirators with operating servers designed to control the personal computers of unsuspecting individuals and aggressively marketing their virus to other international cybercriminals intent on stealing sensitive information. The extradition of Bendelladj to face charges in the United States demonstrates our steadfast determination to bring cybercriminals to justice, no matter where they operate,” said Acting Assistant Attorney General Mythili Raman.
Bendelladj, who is Algerian, was arrested in Bangkok in January and has been in jail there since. He is facing as many as 30 years in prison if convicted on all charges.