Cloned Boy
The story of how all the world's intelligence agencies were chasing one Russian hacker, but were never able to catch him.
Today, billions of dollars move in seconds. All you have to do is open an app or go to a website and press a few keys. Cybercriminals take advantage of that same simplicity. And this is the story of one of the most powerful online banking Trojans and those behind it. It grew to steal over $70 million. And in such a way that it didn’t even look like a crime. This is the story of a brilliant coder and hacker, and of how secrecy, persistence and cunning gave birth to the most dangerous criminal on the planet.
Will programmers really become gods in the future? How did it all develop, banking Trojans, lockers, hacker business clubs and millions of dollars? You are on the Python Today channel and before we begin, I wanted to ask you to support the video, like it and, if possible, leave a comment. Thank you very much for your support! Let’s fast forward to 2006.
At this point, online banking had been around for about 10 years. Bank fraud was nothing new, but it was becoming more sophisticated every year, thanks to the development of technology. After all, people's bank accounts were now accessible from anywhere in the world. Meanwhile, late at night, a young guy from Russia was watching everything that was happening. He was in his early 20s, but don't let his age fool you.
At 22, his calculations would be the envy of seasoned warriors. A meticulous planner and simply a fantastic coder, he was very interested in how to automate the endless stream of opportunities to steal money. On the Internet and on underground forums, he used different names, but eventually settled on one - Slavik. On October 11, 2006, a new message appeared on the Tech Support Guide website.
The site had existed since 1996 and was one of the first tech communities where people asked each other questions, a kind of Stack Overflow of that time. In one of the forum threads, a user asked for help. He had found some strange code on his sister's Windows computer and couldn't identify it. He posted a sample and asked if anyone could help him figure out what it was. The code was different from anything he had ever seen.
People couldn't recognize it either. Security researchers chimed in and said the code was malicious, yes, the program had the name WSEN.M after one of the virus's directories. So, the virus, as they discovered, was undetectable, quietly sneaking onto people's computers and swarming the system, combing through files and the browser. The main target was usernames and passwords for bank accounts. The virus stood out for its unprecedented speed of spread.
It penetrated hundreds of devices daily, collecting credentials and sending thousands of log lines to the hacker. Soon, money began disappearing from bank accounts around the world. At the time, there were rumors that WSN was written by the Russian hacker group Uplevel. It was behind the thefts, but there were no facts, no one knew for sure. This was the starting point. After that, everything began to develop quite quickly. Eight months later, in June 2007, SecureWorks announced an even more serious discovery.
Researchers had discovered a new version of banking malware, an advanced and effective version of WSN, and they called it PRG. Whoever was behind the attacks, they weren’t wasting any time either; the Trojan was actively evolving. In August, the SecureWorks team managed to find a huge database of stolen data on one of the servers being investigated, and researchers traced the connection to the PRG Trojan.
Thousands of bank details, card details, social security numbers, usernames and passwords. The company estimated that data had been stolen from at least 50,000 victims and was now being sold on hacker forums. By December 2007, the hackers who had planted the Trojan had stolen more than $200,000 from commercial bank accounts in the United States, the United Kingdom, Italy, and Spain. The hackers sent the malware via email.
Once installed, the virus would collect all the credentials stored on the computer. The malware would then go into standby mode and wait for users to log into their bank accounts. Once this happened, the virus would notify the hackers, who would then connect to the session, infiltrate the user's computer, and transfer money from the user's account to their own. The modern equivalent of daylight robbery, only it was committed in the shadows, by literally invisible thieves.
Impunity and early victories had sparked the imagination that if they could improve the malware a little and expand its scope, they could steal millions of dollars this way. Another six months passed, and SecureWorks discovered new versions of the malware. The Trojan evolved and expanded its functionality. Another change occurred. It was now called ZBot, short for ZeusBot. This version posed a much more serious threat.
Now ZBot not only stole confidential credentials, but also robbed users' bank accounts automatically. This was not enough for the hackers. The infected machine then joined a botnet - a giant network of machines controlled by the hackers. The botnet was then used for DDoS attacks and traffic attraction, earning tens of thousands of dollars in additional revenue. Meanwhile, researchers discarded the idea of a hacker group and were sure that the same person who created the PRG and WSN Trojans was behind ZBot.
The author was a young Russian with the nickname Slavik. By 2008, ZBot became known as Zeus. We have all heard of Zeus – the king of the Greek gods, the god of thunder and lightning, the unanimous ruler. Perhaps that is why Slavik named it that. He liked the idea of one botnet ruling them all.
The name does seem appropriate, as Zeus eventually became the king of all banking trojans. Slavik was not only a good coder, but also business savvy. He wanted to get more income from his program. He constantly updated, developed and regularly added new features to Zeus. Slavik used it to rob people, but he also implemented a certain set of do-it-yourself tools for hackers in Zeus, so that they could create their own version of the program.
The functionality was sold to hackers for a subscription and a percentage. There was also constant technical support. So, Zeus appeared with an easy-to-use, user-friendly interface for distribution and operator management that did not require any technical knowledge. Now anyone who knew how to turn on a computer could configure Zeus for themselves and start making money.
It was a revolution in the criminal world. Kings of bank phishing, such groups as Rock Phish and Avalanche, quickly adopted the top tool. The number of victims grew by tens of thousands. It is known that Avalanche also used the Cutwail botnet, which was quite large at the time. The botnet, together with its Pushdo loader, eventually integrated Zeus, and Zeus integrated Cutwail. This combination made the infection even more destructive.
Now Zeus used ready-made botnets for distribution. Thousands of computers were waiting for instructions, all that was left was to press a couple of buttons. Zeus's trick was a man-in-the-browser attack. When a user visited a bank page, Zeus intercepted the request and replaced the HTML markup. In the end, the unsuspecting user still gets the website they were expecting, only now the page has new fields that ask for additional data, such as a PIN or social security number.
The user doesn’t even suspect that someone is trying to steal their data, because everything is perfect, the domain, the certificates — nothing arouses suspicion. “Slavik improved, polished and perfected his brainchild every day. He was on a roll, talented, ambitious and even greedy not only for money, but also for the top of Olympus. This guy knew what he wanted and persistently achieved his goal. Zeus was the best virus in history.”
By May 2009, the FBI began receiving reports of large wire transfers that were fraudulent but appeared to have no signs of a security breach. In May 2009, several Amahia National Bank customers reported that hundreds of thousands of dollars had been stolen from their bank accounts and that the money had simply disappeared. FBI agents were investigating who was accessing the sites, perhaps from overseas or from a suspicious IP address, but the stolen money was being transferred to the customers from their own home IP address, from their own browser.
The transfers were going to overseas accounts, and the agents began to suspect the bank's customers of fraud. They were lying that the money had been stolen, hoping to collect insurance. After all, the bank could see who was transferring the money, but how could the thief be at home and making the transfers without the owner's knowledge?
What was also strange was that bank accounts had a ton of extra security layers before a user could log into their online bank to do anything. In addition to usernames and passwords, there was a secret question or PIN. The bank also logged their customers' metadata. For example, what time they usually logged in, what IP address they used, what browser they usually used, any digital fingerprints.
So if an attempt to log in was made from an unusual browser or IP address, one they were not used to seeing, it would trigger an extra security check and the login would be blocked until their identity was confirmed. But the question remained. Hackers were getting into thousands of accounts and transferring money without any problems, because these were normal transactions from users. The FBI was seriously puzzled. A few weeks later, the American intelligence company iDefense made a discovery that turned everything upside down.
On June 1, they discovered a completely new version of Zeus, which would have been impossible with the technologies of that time. To say that Slavik had outdone himself would be an understatement. Over the past few years, Slavik had used many different names on the Internet: AZ, Monstr, Lucky12345, Pollingsoon, before settling on Slavik.
He took over the authorship and often talked about his brainchild Zeus. The genius hacker had already made a lot of money by that time selling Zeus subscriptions. Know-how in the cybercriminal world brought in huge amounts of money. Just imagine, an average of $3,000 for each set. According to the most conservative estimates, by the spring of 2009, Zeus was used by more than 5,000 unique clients. Slavik knew how to count and felt that he was being robbed.
Dishonest hackers and noobs tried to resell their copies of Zeus. Some even tried to release their own customized versions, using a name that was well known and respected, thanks to the perfect code and constant updates of the original version. They were making money off of his work. There was another problem. Banks were not sleeping and improving their defenses. There were more types of two-factor authentication, more layers to get through.
So, in early 2009, Slavik teamed up with the Avalanche team, which still dominated the banking phishing market, and wrote an updated version of Zeus called Jabber Zeus. In addition to the existing modules for stealing credentials and creating your own botnet, a form capture module for Firefox was added, the subscription for which cost $2,000. There was also a BackConnect module, which cost $1,500 and allowed the hacker to redirect any tracking of bank account transfers back to the infected computer itself.
This way, the transfers would always go back to the user’s computer, not the hacker’s computer. The big add-on was JabberChat, which cost an extra $500. The add-on enabled Jabber. With this module enabled, Zeus was programmed to send a real-time instant message to the hackers whenever a user logged into a bank account with a balance above a certain amount.
This made things even easier for the Zeus operators. Imagine the level of just getting an instant message saying, “Hey dude, I just found a bank account with $100,000 in it. Here’s the username and password.” The chat would include the login credentials, the bank account details, the balance, the two-factor authentication code, what backup questions were answered.
The hackers recorded absolutely everything and easily logged into the computer to make a few transactions. The computer user simply did not know that transfers from a bank account were being made on his machine in the background. Zeus had another module available - Virtual Network Computing (VNC). For 10 thousand dollars, it allowed hackers to 100% control the infected machine using an active virtual connection.
This meant that they could tunnel all their traffic through the user's computer to hide their tracks. Thus, the bank thinks that the user logged in from home, and not from Russia or any other country. Full automation of the process. With the development of Jabber Zeus, Slavik hired a small team of talented hackers who helped him steal money from banks. People he knew and selected personally, they began to focus on corporate accounts, which held from several hundred thousand to millions of dollars.
But the main problem remained – withdrawal of money. The answer was quite simple – drops or money mules. The hackers behind Zeus needed to find people willing to act as intermediaries. For 5% of the amount, the drops would receive money into their account. Then they would write out a check for an amount slightly less than that received into the account of the hackers or another fake drop.
In a day, an ordinary drop could earn from several thousand to tens or hundreds of thousands of dollars. So, as soon as a new version of Zeus appeared, a barrage of attacks using it began. Slavik was still selling a version of Jabber Zeus as a bundle, but he was tired of people copying his code and releasing different versions. So he decided to write an identification system and became selective about the sales. Now, when people paid for a copy, it only worked on one machine.
In essence, it was a license. The Jabber Zeus team was on fire. Over the next few months, they targeted banks, small businesses, anywhere they could find good money sitting in online bank accounts. The FBI investigated more and more of these attacks. They began to recognize the hallmarks of Jabber Zeus. The FBI was able to track down the domain of the Jabber server that was used to send instant messages to the Zeus team. The IP address led them to a server owned by a company called EasyNet, which was located in Brooklyn, New York.
Since the company was based in the United States, the FBI was able to issue a search warrant and learn more about the customer who was paying for the server. The server was registered to someone named Alexey S., from a company based in Moscow. At FBI headquarters, they began to examine the contents of the server. There were logs and recordings of each attack, banking information, user credentials, the names of the banks and businesses that had fallen victim to the attack.
But to the agents' surprise, there were also logs full of chats between the hacker team members in Russian, which required a lengthy translation process. But the FBI knew they had a gold mine of evidence. They also compiled a list of victims that the FBI could now contact and inform them that their accounts had been hacked. By this time, Slavik was using Zeus to make money in three different ways.
First, he stole money from banks; second, he rented out the botnet to people who would use it at will; third, he sold the Zeus malware for a subscription fee of over $10,000. This activity was making him a huge profit. However, he wasn’t going to stop and added even more new features and released Zeus version 2, which allowed users to monitor network traffic, take screenshots, record keystrokes, steal certificates, and connect to other banking systems.
In 2011, the entire Zeus source code was leaked online, meaning that anyone could now develop their own version of Zeus and make even more malware. At this point, Slavik was gone. To the world at large, Slavik had seemingly disappeared. In reality, he was working on a new version of Zeus. In 2011, the third version was released.
And it was the first online banking malware that was offered as a service. This version was called GameOver Zeus. GameOver Zeus was the most effective and successful version of Zeus. In September 2012, it was used to steal half a million dollars from a company and send the money to accounts in China. In September of the same year, GameOver was used to steal $2 million from an American printing company.
No one knows who was behind these thefts to this day. The subscription model that Slavik created allowed anyone who knew how to use a mouse to use his program. In the spring of 2012, Microsoft announced that it had taken down over 800 domains used by the SpyEye and Zeus botnets. Several other security researchers joined the Microsoft team and attempted to take down the botnet.
The Zeus botnet was designed to receive instructions from a central server, and if that server was destroyed, the entire botnet would be vulnerable. GameOver Zeus was designed with impressive resilience. It simply switched to a new set of domains and a central server. By the summer of 2012, the FBI had enough evidence to prove who was running Zeus. They indicted ten people involved in the malware, but kept the indictment secret to prevent the criminals from realizing that they had been found out.
Among those indicted was Slavik. The FBI penetrated the Zeus network and gathered enough evidence to indict him. However, they still didn’t know his real name and simply charged one of his nicknames – Lucky12345. Meanwhile, Slavik was in Russia, which was reliably protected from the long arm of the American law.
In November 2012, someone used GameOver Zeus and stole over $7 million from a bank. This was not enough, and the hackers decided to conduct a DDoS attack on the bank over the next few days, causing the bank’s functionality to suffer from network outages. The FBI was furious at the audacity. The $7 million heist was the largest ever committed using the Zeus malware.
Who was behind this attack also remains a mystery to this day. In 2013, another attempt was made to destroy the botnet. This time, by researchers from the security company CrowdStrike. They tried to coordinate a large-scale attack on the network. This time, Slavik was on the other side, and he tried his best to maintain control over the botnet. And not to stop working. He knew that such hacking attempts would be made, and he was always one step ahead, protecting his creation.
The resilience was simply amazing, and the business needed to expand. Slavik called his team "Business Club", consisting of six people. Each of them had their own specialization, some were good at tech support, others at creating malware, others at recruiting drops. The appetite was insatiable. Sitting at a round table, the Business Club thought about how the Zeus botnet could make even more money.
And then it dawned on everyone. Ransomware. In October 2013, they decided to add CryptoLocker to the Zeus suite. Now, as before, Zeus could infect computers, steal passwords, and wait for the user to log into a bank account. But now it could also encrypt the system and demand a ransom for decryption. Fatality. The calculation was accurate, the hackers set the cost of decryption from 500 to 1000 dollars.
The victims paid regularly. A public demonstration took place in November 2013. The police department in Massachusetts was attacked by Zeus, and then by the ransomware CryptoLocker. The hackers demanded only 750 dollars to unlock the entire system, and the police department paid. There was no limit to their impudence. By May 2014, the FBI found out Slavik's real identity - Evgeny Bogachev.
He was in his early 20s, lived in Anapa, and was indicted by the FBI under his real name on charges of bank fraud and money laundering. In 2014-2015, the U.S. Department of Justice spent a huge amount of time trying to take down the Zeus botnet. The attack began early Friday morning and lasted throughout the weekend.
The FBI and foreign law enforcement agencies launched a coordinated takedown of computer servers around the world that were the backbone of both Game Over Zeus and CryptoLocker. Seizures were made in Canada, France, Germany, Luxembourg, the Netherlands, Ukraine, and the United Kingdom. The intelligence agencies' actions resulted in significant disruption of the botnet, but did not destroy it. Evgeny Bogachev, a Russian citizen, was indicted in Pittsburgh, Pennsylvania for his role as an administrator of the Game Over Zeus botnet.
Bogachev is a true 21st century criminal who commits cybercrimes all over the world with a single keystroke and a click of a mouse. These charges have earned Bogachev a spot on the list of the world's most wanted cybercriminals. His face is right there on a large FBI poster with identifying information such as his birthday, eye color, weight, and aliases.
The $3 million reward is the largest reward ever offered by the FBI for a wanted hacker. The FBI added him to the list in 2015, but Slavik has yet to be caught. He is believed to still be in Russia. The FBI has tried to cooperate with Russia and sent requests to have him apprehended, but despite their best efforts, they have been unable to bring him to justice.
Zeus is estimated to have infected between 500,000 and several million computers worldwide. America alone lost over $100 million from fraudulent bank transfers, plus $27 million that hackers collected from payments for unlocking systems. Zeus will forever remain in history as one of the most complex and profitable bank robbery programs, which attacked not the bank itself, but clients, stealing money from users' accounts without any fuss.
As for Slavik, no one knows where he is now. Perhaps he just walked off into the sunset. If you are interested in such topics, be sure to support with a like and a comment, because that is how I understand that you are interested in the content.
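The post above describes two things a bank could see: the login metadata it logged (usual hours, IP address, browser fingerprint) and the man-in-the-browser page that asked for extra fields, plus the BackConnect/VNC trick that made a hacker's session look like the customer's own. The following is an added example, not code from the video or from any bank or from Zeus: a small bank-side risk model showing that device checks alone pass a session tunneled through the victim's machine, while two extra signals still catch it. It assumes that fields added by an injected page are posted to the bank along with the real form, and all profiles, IP addresses, names and thresholds are constructed.

```python
# Added example (not part of the original post): bank-side risk checks.
# Stage 1 mirrors the metadata checks the post describes (hour, IP, browser)
# plus an "unexpected form fields" signal for injected pages.
# Stage 2 scores the transfer itself, which a relayed session cannot disguise.
from dataclasses import dataclass

EXPECTED_LOGIN_FIELDS = {"username", "password"}   # the real login form's fields


@dataclass
class CustomerProfile:
    usual_ips: set
    usual_browsers: set
    usual_hours: range          # hours of day the customer normally logs in
    home_country: str
    known_payees: set
    max_recent_transfer: float  # largest transfer seen in recent history


@dataclass
class LoginEvent:
    ip: str
    browser: str
    hour: int
    form_fields: set            # field names received with the login POST


@dataclass
class Transfer:
    payee: str
    country: str
    amount: float
    seconds_since_login: int


def login_risk(profile: CustomerProfile, ev: LoginEvent) -> list:
    """Return reasons a login looks risky; an empty list means it passes."""
    reasons = []
    if ev.ip not in profile.usual_ips:
        reasons.append("new_ip")
    if ev.browser not in profile.usual_browsers:
        reasons.append("new_browser")
    if ev.hour not in profile.usual_hours:
        reasons.append("unusual_hour")
    # An injected page adds fields (PIN, SSN) the genuine form never had.
    extra = ev.form_fields - EXPECTED_LOGIN_FIELDS
    if extra:
        reasons.append("unexpected_fields:" + ",".join(sorted(extra)))
    return reasons


def transfer_risk(profile: CustomerProfile, t: Transfer) -> list:
    """Score the transaction: new overseas payee, amount out of pattern,
    money moving seconds after login. Thresholds are constructed."""
    reasons = []
    if t.payee not in profile.known_payees:
        reasons.append("new_payee")
    if t.country != profile.home_country:
        reasons.append("overseas")
    if t.amount > 2 * profile.max_recent_transfer:
        reasons.append("amount_out_of_pattern")
    if t.seconds_since_login < 60:
        reasons.append("transfer_immediately_after_login")
    return reasons


def decide(login_reasons: list, transfer_reasons: list) -> str:
    """Step up verification if either stage flags something."""
    if not login_reasons and not transfer_reasons:
        return "allow"
    return "step_up_verification"


# Constructed customer profile (203.0.113.0/24 is a documentation range).
PROFILE = CustomerProfile(
    usual_ips={"203.0.113.7"},
    usual_browsers={"Firefox/3.5 Windows"},
    usual_hours=range(8, 22),
    home_country="US",
    known_payees={"ACME Payroll", "City Utilities"},
    max_recent_transfer=4_200.0,
)


def scenario_inject() -> list:
    """Login POST carrying fields an injected page asked for (PIN, SSN)."""
    ev = LoginEvent("203.0.113.7", "Firefox/3.5 Windows", 10,
                    {"username", "password", "pin", "ssn"})
    return login_risk(PROFILE, ev)


def scenario_tunneled_session() -> tuple:
    """Session relayed through the victim's own machine: every device check
    passes, but the transfer is out of pattern. 'XX' is a placeholder country."""
    ev = LoginEvent("203.0.113.7", "Firefox/3.5 Windows", 11,
                    {"username", "password"})
    t = Transfer("Unknown Ltd", "XX", 95_000.0, 40)
    lr, tr = login_risk(PROFILE, ev), transfer_risk(PROFILE, t)
    return lr, tr, decide(lr, tr)


def scenario_legit() -> tuple:
    """The customer's ordinary utility payment passes both stages."""
    ev = LoginEvent("203.0.113.7", "Firefox/3.5 Windows", 9,
                    {"username", "password"})
    t = Transfer("City Utilities", "US", 180.0, 300)
    lr, tr = login_risk(PROFILE, ev), transfer_risk(PROFILE, t)
    return lr, tr, decide(lr, tr)


if __name__ == "__main__":
    print("inject:", scenario_inject())
    print("tunneled:", scenario_tunneled_session())
    print("legit:", scenario_legit())
```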
Today, billions of dollars move in seconds. All you have to do is open an app or go to a website and press a few keys. Cybercriminals take advantage of that same simplicity. And this is the story of one of the most powerful online banking Trojans and those behind it. It grew to steal over $70 million. And in such a way that it didn’t even look like a crime. A brilliant coder and hacker is the story of how secrecy, persistence and cunning gave birth to the most dangerous criminal on the planet.
Will programmers really become gods in the future? How did it all develop, banking Trojans, lockers, hacker business clubs and millions of dollars? You are on the Python Today channel and before we begin, I wanted to ask you to support the video, like it and, if possible, leave a comment. Thank you very much for your support! Let’s
fast forward to 2006. At this point, online banking had been around for about 10 years. Bank fraud was nothing new, but it was becoming more sophisticated every year, thanks to the development of technology. After all, people's bank accounts were now accessible from anywhere in the world. Meanwhile, late at night, a young guy from Russia was watching everything that was happening. He was in his early 20s, but don't let his age fool you.
At 22, his calculations would be the envy of seasoned warriors. A meticulous planner and simply a fantastic coder, he was very interested in how to automate the endless stream of opportunities to steal money. On the Internet and on underground forums, he used different names, but eventually settled on one - Slavik. On October 11, 2006, a new message appeared on the Tech Support Guide website.
The site had existed since 1996 and was one of the first tech communities where people asked each other questions, a kind of stack overflow of that time. In one of the forum threads, a user asked for help. He found some strange code on his sister's Windows computer and couldn't identify it. He posted a sample and asked if anyone could help him figure out what it was. The code was different from anything he had ever seen.
People couldn't recognize it either. Security researchers chimed in and said the code was malicious, yes, the program had the name WSEN.M after one of the virus's directories. So, the virus, as they discovered, was undetectable, quietly sneaking onto people's computers and swarming the system, combing through files and the browser. The main target was usernames and passwords for bank accounts. The virus stood out for its unprecedented speed of spread.
It penetrated hundreds of devices daily, collecting credentials and sending thousands of log lines to the hacker. Soon, money began disappearing from bank accounts around the world. At the time, there were rumors that WSN was written by the Russian hacker group Uplevel. It was behind the thefts, but there were no facts, no one knew for sure. This was the starting point. After that, everything began to develop quite quickly. Eight months later, in June 2007, Security Works announced an even more serious discovery.
Researchers had discovered a new version of banking malware An advanced and effective version of WSN. And they called it PRG. Whoever was behind the attacks, they weren’t wasting any time either The Trojan was actively evolving In August, the Security Works team managed to find a huge database of stolen data On one of the servers being investigated, Researchers traced the connection to the PRG Trojan.
Thousands of bank details, card details, social security numbers, usernames and passwords. The company estimated that data had been stolen from at least 50,000 victims and was now being sold on hacker forums. By December 2007, the hackers who had planted the Trojan had stolen more than $200,000 from commercial bank accounts in the United States, the United Kingdom, Italy, and Spain. The hackers sent the malware via email.
Once installed, the virus would collect all the credentials stored on the computer. The malware would then go into standby mode and wait for users to log into their bank accounts. Once this happened, the virus would notify the hackers, who would then connect to the session, infiltrate the user's computer, and transfer money from the user's account to their own. The modern equivalent of daylight robbery, only it was committed in the shadows, by literally invisible thieves.
Impunity and early victories had sparked the imagination that if they could improve the malware a little and expand its scope, they could steal millions of dollars this way. Another six months passed, and Security Works discovered new versions of the malware. The Trojan evolved and expanded its functionality. Another change occurred. It was now called ZBot, short for ZeusBot. This version posed a much more serious threat.
Now ZBot not only stole confidential credentials, but also robbed users' bank accounts automatically. This was not enough for the hackers. The infected machine then joined a botnet - a giant network controlled by machine hackers. The botnet was then used for DDoS attacks and traffic attraction, earning tens of thousands of dollars in additional revenue. Meanwhile, researchers discarded the idea of a hacker group and were sure that the same person who created the PRG and WSN Trojans was behind ZBot.
The author was a young Russian with the nickname Slavik. By 2008, Z-Bot became known as Zeus. We have all heard of Zeus – the king of the Greek gods, the god of thunder and lightning, the unanimous ruler. Perhaps that is why Slavik named it that. He liked the idea of one botnet ruling them all.
The name does seem appropriate, as Zeus eventually became the king of all banking trojans. Slavik was not only a good coder, but also a business savvy. He wanted to get more income from his program. He constantly updated, developed and regularly added new features to ZEUS. Slavik used it to rob people, but he also implemented a certain set of tools for hackers in ZEUS.
Do it yourself, so that they could create their own version of the program. The functionality was sold to hackers for a subscription and a percentage. There was also constant technical support. So, Zeus appeared with an easy-to-use, user-friendly interface for distribution and operator management that did not require any technical knowledge. Now anyone who knew how to turn on a computer could configure Zeus for themselves and start making money.
It was a revolution in the criminal world. Kings of bank phishing, such groups as Rockfish and Avalanche quickly adopted the top tool. The number of victims grew by tens of thousands. It is known that Avalanche also used the CutWale botnet, which was quite large at the time. The botnet, together with its PushDov loader, eventually integrated ZEVS, and ZEVS integrated CutWale. This combination made the infection even more destructive.
Now Zeus used ready-made botnets for distribution. Thousands of computers were waiting for instructions, all that was left was to press a couple of buttons. ZEVS's trick was a man-in-the-browser attack. When a user visited a bank page, ZEVS intercepted the request and replaced the HTML markup. In the end, the unsuspecting user still gets the website they were expecting, only now the page has new fields that ask for additional data, such as a PIN or social security number.
The user doesn’t even suspect that someone is trying to steal their data, because everything is perfect, the domain, the certificates — nothing arouses suspicion. “Slavik improved, polished and perfected his brainchild every day. He was on a roll, talented, ambitious and even greedy not only for money, but also for the top of Olympus. This guy knew what he wanted and persistently achieved his goal. Zeus was the best virus in history.”
By May 2009, the FBI began receiving reports of large wire transfers that were fraudulent but appeared to have no signs of a security breach. In May 2009, several Amahia National Bank customers reported that hundreds of thousands of dollars had been stolen from their bank accounts and that the money had simply disappeared. FBI agents were investigating who was accessing the sites, perhaps from overseas or from a suspicious IP address, but the stolen money was being transferred to the customers from their own home IP address, from their own browser.
The transfers were going to overseas accounts, and the agents began to suspect the bank's customers of fraud. They were lying that the money had been stolen, hoping to collect insurance. After all, the bank could see who was transferring the money, but how could the thief be at home and making the transfers without the owner's knowledge?
What was also strange was that bank accounts had a ton of extra security layers before a user could log into their online bank to do anything. In addition to usernames and passwords, there was a secret question or PIN. The bank also logged their customers' metadata. For example, what time they usually logged in, what IP address they used, what browser they usually used, any digital fingerprints.
So if an attempt to log in was made from an unusual browser or IP address that they were used to seeing, it would trigger an extra security check and the login would be blocked until their identity was confirmed. But the question remained. Hackers were getting into thousands of accounts and transferring money without any problems, because these were normal transactions from users. The FBI was seriously puzzled. A few weeks later, the American intelligence company iDefense made a discovery that turned everything upside down.
On June 1, they discovered a completely new version of Zeus, which would have been impossible at that time using technologies. To say that Slavik had outdone himself would be an understatement. Over the past few years, Slavik had used many different names on the Internet. AZ, Monster, Lucky12345, PolingSoon, before settling on Slavik.
He took over the authorship and often talked about his brainchild Zeus. The genius hacker had already made a lot of money by that time selling Zeus subscriptions. Know-how in the cybercriminal world brought in huge amounts of money. Just imagine, an average of $3,000 for each set. According to the most conservative estimates, by the spring of 2009, Zeus was used by more than 5,000 unique clients. Slavik knew how to count and felt that he was being robbed.
Dishonest hackers and noobs tried to resell their copies of Zeus. Some even tried to release their own customized versions, using a name that was well known and respected, thanks to the perfect code and constant updates of the original version. They were making money off of his work. There was another problem. Banks were not sleeping and improving their defenses. There were more types of two-factor authentication, more layers to get through.
So, in early 2009, Slavik teamed up with the Avalanche team, which still dominated the banking phishing market, and wrote an updated version of Zeus called Jabber Zeus. In addition to the existing modules for stealing credentials and creating your own botnet, a form capture module for Firefox was added, the subscription for which cost $2,000. There was also a BackConnect module, which cost $1,500 and allowed the hacker to redirect any tracking of bank account transfers back to the infected computer itself.
This way, the transfers would always go back to the user’s computer, not the hacker’s computer. The big add-on was JabberChat, which cost an extra $500. The add-on enabled Jabber. With this module enabled, Zeus was programmed to send a real-time instant message to the hackers whenever a user logged into a bank account with a balance above a certain amount.
This made things even easier for the Zeus operators. Imagine the level of just getting an instant message saying, “Hey dude, I just found a bank account with $100,000 in it. Here’s the username and password.” The chat would include the login credentials, the bank account details, the balance, the two-factor authentication code, what backup questions were answered.
The hackers recorded absolutely everything and easily logged into the computer to make a few transactions. The computer user simply did not know that transfers from a bank account were being made on his machine in the background. Zeus had another module available - a virtual network computer. For 10 thousand dollars, it allowed hackers to 100% control the infected machine using an active virtual connection.
This meant that they could tunnel all their traffic through the user's computer to hide their tracks. Thus, the bank thinks that the user logged in from home, and not from Russia or any other country. Full automation of the process. With the development of Jabber Zeus, Slavik hired a small team of talented hackers who helped him steal money from banks. People he knew and selected personally, they began to focus on corporate accounts, which held from several hundred thousand to millions of dollars.
But the main problem remained – withdrawal of money. The answer was quite simple – drops or money mules. The hackers behind Zeus needed to find people willing to act as intermediaries. For 5% of the amount, the drops would receive money into their account. Then they would write out a check for an amount slightly less than that received into the account of the hackers or another fake drop.
In a day, an ordinary drop could earn from several thousand to tens or hundreds of thousands of dollars. So, as soon as a new version of Zeus appeared, a barrage of attacks using it began. Slavik was still selling a version of Jabber Zeus as a bundle, but he was tired of people copying his code and releasing different versions. So he decided to write an identification system and became selective about the sales. Now, when people paid for a copy, it only worked on one machine.
In essence, it was a license. The Jabber Zeus team was on fire. Over the next few months, they targeted banks, small businesses, anywhere they could find good money sitting in online bank accounts. The FBI investigated more and more of these attacks. They began to recognize the hallmarks of Jabber Zeus. The FBI was able to track down the domain of the Jabber server that was used to send instant messages to the Zeus. The IP address led them to a server owned by a company called EasyNet, which was located in Brooklyn, New York.
Since the company was based in the United States, the FBI was able to issue a search warrant and learn more about the customer who was paying for the server. The server was registered to someone named Alexey S., from a company based in Moscow. At FBI headquarters, they began to examine the contents of the server. There were logs and recordings of each attack, banking information, user credentials, the names of the banks and businesses that had fallen victim to the attack.
But to the agents' surprise, there were also logs full of chats between the hacker team members in Russian, which required a lengthy translation process. But the FBI knew they had a gold mine of evidence. They also compiled a list of victims that the FBI could now contact and inform them that their accounts had been hacked. By this time, Slavik was using Zeus to make money in three different ways.
He stole money from banks himself, rented out the botnet to people who would use it at will, and sold the Zeus malware for a subscription fee of over $10,000. This activity was making him a huge profit. However, he wasn’t going to stop and added even more new features and released Zeus version 2, which allowed users to monitor network traffic, take screenshots, record keystrokes, steal certificates, and connect to other banking systems.
In 2011, the entire Zeus source code was leaked online, meaning that anyone could now develop their own version of Zeus and make even more malware. At this point, Slavik was gone. To the world at large, Slavik had seemingly disappeared. In reality, he was working on a new version of Zeus. In 2011, the third version was released.
And it was the first online banking malware that was offered as a service. This version was called Game Over Zeus. Game Over Zeus was the most effective and successful version of Zeus. In September 2012, it was used to steal half a million dollars from a company and send the money to accounts in China. In September of the same year, Game Over was used to steal $2 million from an American printing company.
No one knows who was behind these thefts to this day. The subscription model that Slavik created allowed anyone who knew how to use a mouse to use his program. In the spring of 2012, Microsoft announced that it had taken down over 800 domains used by the SpyEye and Zeus botnets. Several other security researchers joined the Microsoft team and attempted to take down the botnet.
The Zeus botnet was designed to receive instructions from a central server, and if that server was destroyed, the entire botnet would be vulnerable. Game Over Zeus was designed with impressive resilience. It simply switched to a new set of domains and a central server. By the summer of 2012, the FBI had enough evidence to prove who was running Zeus. They indicted ten people involved in the malware, but kept the indictment secret to prevent the criminals from realizing that they had been found out.
Among those indicted was Slavik. The FBI penetrated the Zeus network and gathered enough evidence to indict him. However, they still didn’t know his real name and simply charged one of his nicknames – Lucky12345. Meanwhile, Slavik was in Russia, which was reliably protected from the long arm of the American law.
In November 2012, someone used Game Over Zeus and stole over $7 million from a bank. This was not enough, and the hackers decided to conduct a DDoS attack on the bank over the next few days, causing the bank’s functionality to suffer from network outages. The FBI was furious at the audacity. The $7 million heist was the largest ever committed using the Zeus malware.
Who was behind this attack also remains a mystery to this day. In 2013, another attempt was made to destroy the botnet. This time, by researchers from the security company CrowdStrike. They tried to coordinate a large-scale attack on the network. This time, Slavik was on the other side, and he tried his best to maintain control over the botnet. And not to stop working. He knew that such hacking attempts would be made, and he was always one step ahead, protecting his creation.
The resilience was simply amazing, and the business needed to expand. Slavik called his team "Business Club", consisting of six people. Each of them had their own specialization: some were good at tech support, others at creating malware, others at recruiting drops. The appetite was insatiable. Sitting at a round table, the business club thought about how the Zeus botnet could make even more money.
And then it dawned on everyone. Ransomware. In October 2013, they decided to add CryptoLocker to the Zeus suite. Now, as before, Zeus could infect computers, steal passwords, and wait for the user to log into a bank account. But now it could also encrypt the system and demand a ransom for decryption. Fatality. The calculation was accurate: the hackers set the cost of decryption from 500 to 1000 dollars.
The victims paid regularly. A public demonstration took place in November 2013. The police department in Massachusetts was attacked by Zeus, and then by the ransomware CryptoLocker. The hackers demanded only 750 dollars to unlock the entire system, and the police department paid. There was no limit to their impudence. By May 2014, the FBI found out Slavik's real identity - Evgeny Bogachev.
He was in his early 20s, lived in Anapa, and was indicted by the FBI under his real name on charges of bank fraud and money laundering. In 2014-2015, the U.S. Department of Justice spent a huge amount of time trying to take down the Zeus botnet. The attack began early Friday morning and lasted throughout the weekend.
The FBI and foreign law enforcement agencies launched a coordinated takedown of computer servers around the world that were the backbone of both Game Over Zeus and CryptoLocker. Seizures were made in Canada, France, Germany, Luxembourg, the Netherlands, Ukraine, and the United Kingdom. The intelligence agencies' actions resulted in significant disruption of the botnet, but did not destroy it. Evgeny Bogachev, a Russian citizen, was indicted in Pittsburgh, Pennsylvania for his role as an administrator of the Game Over Zeus botnet.
Bogachev is a true 21st century criminal who commits cybercrimes all over the world with a single keystroke and a click of a mouse. These charges have earned Bogachev a spot on the list of the world's most wanted cybercriminals. His face is right there on a large FBI poster with identifying information such as his birthday, eye color, weight, and aliases.
The $3 million reward is the largest reward ever offered by the FBI for a wanted hacker. The FBI added him to the list in 2015, but Slavik has yet to be caught. He is believed to still be in Russia. The FBI has tried to cooperate with Russia and sent requests to have him apprehended, but despite their best efforts, they have been unable to bring him to justice.
Zeus is estimated to have infected between 500,000 and several million computers worldwide. America alone lost over $100 million from fraudulent bank transfers, plus $27 million that hackers collected from payments for unlocking systems. Zeus will forever remain in history as one of the most complex and profitable bank robbery programs, which attacked not the bank itself, but clients, stealing money from users' accounts without any fuss.
As for Slavik, no one knows where he is now. Perhaps he just walked off into the sunset. If you are interested in such topics, be sure to support with a like and a comment, because that is how I understand that you are interested in the content.
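The bank-side checks the post describes (logged IP address, browser and login time, with a step-up check when something looks unfamiliar) and the way a session proxied through the victim's own machine sidesteps them can be shown with a small scorer. The following Python is an added defender's example, not code from the original post or from any bank: it builds a per-customer baseline from constructed login and transfer history, then scores new events on both device signals and transaction signals. All field names, thresholds and sample values are assumptions chosen for illustration.

```python
"""Login and transfer anomaly scoring (added example; data below is constructed)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Login:
    ip: str          # source address seen by the bank
    browser: str     # user-agent family, a stand-in for a device fingerprint
    hour: int        # local hour of day, 0-23


@dataclass(frozen=True)
class Transfer:
    beneficiary: str
    country: str     # destination country of the receiving account
    amount: float


@dataclass
class Baseline:
    ips: set
    browsers: set
    hours: set
    payees: set
    max_amount: float


def build_baseline(logins, transfers):
    """Summarise what 'normal' looks like for one customer from past activity."""
    return Baseline(
        ips={l.ip for l in logins},
        browsers={l.browser for l in logins},
        hours={l.hour for l in logins},
        payees={t.beneficiary for t in transfers},
        max_amount=max(t.amount for t in transfers),
    )


def device_signals(login, base):
    """The metadata checks the post describes: IP, browser and usual login time."""
    reasons = []
    if login.ip not in base.ips:
        reasons.append("unfamiliar_ip")
    if login.browser not in base.browsers:
        reasons.append("unfamiliar_browser")
    if login.hour not in base.hours:
        reasons.append("unusual_hour")
    return reasons


def transfer_signals(transfer, base, home_country="US"):
    """Transaction-level checks that do not depend on where the session came from."""
    reasons = []
    if transfer.beneficiary not in base.payees:
        reasons.append("new_beneficiary")
    if transfer.country != home_country:
        reasons.append("overseas_destination")
    if transfer.amount > 3 * base.max_amount:   # threshold is an assumption
        reasons.append("amount_far_above_normal")
    return reasons


def decide(login, transfer, base):
    """Combine both signal sets into a decision and the reasons behind it."""
    reasons = device_signals(login, base) + transfer_signals(transfer, base)
    if not reasons:
        decision = "allow"
    elif len(reasons) == 1:
        decision = "step_up_auth"
    else:
        decision = "hold_for_review"
    return decision, reasons


# Constructed history for one corporate customer.
HISTORY_LOGINS = [
    Login("203.0.113.10", "Firefox 3.0", 19),
    Login("203.0.113.10", "Firefox 3.0", 20),
    Login("203.0.113.10", "Firefox 3.0", 21),
]
HISTORY_TRANSFERS = [
    Transfer("ACME Payroll", "US", 12000.0),
    Transfer("Office Supplies Co", "US", 800.0),
]
BASE = build_baseline(HISTORY_LOGINS, HISTORY_TRANSFERS)

# Constructed events: a legitimate payroll run, a login straight from an
# unfamiliar machine abroad, and a session tunnelled through the customer's
# own PC so that IP, browser and time all look normal.
LEGIT_LOGIN = Login("203.0.113.10", "Firefox 3.0", 21)
LEGIT_TRANSFER = Transfer("ACME Payroll", "US", 12000.0)
REMOTE_LOGIN = Login("198.51.100.7", "Opera 9", 3)
PROXIED_LOGIN = Login("203.0.113.10", "Firefox 3.0", 20)
FRAUD_TRANSFER = Transfer("Unknown Ltd", "RU", 90000.0)

if __name__ == "__main__":
    for name, lg in [("legit", LEGIT_LOGIN), ("remote", REMOTE_LOGIN), ("proxied", PROXIED_LOGIN)]:
        tr = LEGIT_TRANSFER if name == "legit" else FRAUD_TRANSFER
        print(name, decide(lg, tr, BASE))
```

The point of the third scenario is that `device_signals` returns nothing for the proxied session, exactly the gap the post describes, while the transfer itself (new payee, overseas account, amount far above the customer's history) still produces enough reasons to hold it. Layering transaction-level controls on top of device fingerprinting is what closes that gap.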