A 24-year-old Algerian man remains in a Thai jail awaiting extradition to the United States, where he is suspected of masterminding more than $100 million in global bank heists using the ZeuS and SpyEye Trojans.
Malaysian authorities believe they’ve apprehended the hacker Hamza Bendelladj, who they say has been jetsetting around the world using millions of dollars stolen online from various banks. He was arrested at a Bangkok airport enroute from Malaysia to Egypt.
The hacker had developed a considerable reputation as a major operator of ZeuS-powered botnets and bragged about his exploits. One recipient of that braggadocio was security blogger Brian Krebs, who wrote in a post that he believes someone using the handle “bx1” and Bendelladj are the same people.
“I didn’t fully appreciate why I found this case so interesting until I started searching the Internet and my own servers for his email address. Turns out that in 2011, I was contacted via instant message by a hacker who said he was operating botnets using the Zeus and SpyEye Trojans,” he wrote. “This individual reached out to me repeatedly over the next year, for no apparent reason except to brag about his exploits. He contacted me via Microsoft’s MSN instant message platform, using the email address firstname.lastname@example.org. That account used the alias ‘Daniel.’ I later found out that Daniel also used the nickname bx1.”
That email address is mentioned in a complaint Microsoft and IF-ISAC filed in a Virginia federal court against known ZeuS botmasters.
Krebs noted that in an online chat, the hacker talked of turning on a fellow botmaster.
“The Daniel I chatted with was proud of his work, and seemed to enjoy describing successful attacks. In one such conversation, dated January 2012, bx1 bragged about breaking into the systems of a hacker who used the nickname ‘Symlink’ and was renowned in the underground for writing complex, custom Web injects for ZeuS and SpyEye users. Specifically, Symlink’s code was designed to automate money transfers out of victim banks to accounts that ZeuS and SpyEye botmasters controlled.”
Bendelladj is suspected of stealing funds from 127 U.S. banks in the past six years using ZeuS- and SpyEye-infected machines to drain accounts in minutes. Victims are said to have been compromised through fake financial Web pages between December 2009 and September 2011. The FBI, which has been hunting for the hacker behind the schemes for three years, has not released details of alleged crimes listed in arrest warrants awaiting the man after he is extradicted to the agency’s Georgia division.
At the time of Bendelladj’s arrest, police seized two laptops, a tablet, satellite-enabled phone and several external hard drives.
“When asked what he did with the money, he said he spent it on travelling and a luxurious life, like flying first class and staying in luxury places,” Bangkok Immigration Police Chief Lt. Gen. Pharnu Kerdlarpphon told reporters at a news conference.
During the event, Bendelladj reportedly beamed and joked about his ranking as an international criminal. He earned the moniker “the happy hacker” because of numerous photos that all show him smiling broadly in photos taken during his airport arrest.