WEBVTT

00:00:00.000 --> 00:00:04.440
JACK: When you put your money in the bank, you do it for safekeeping, right? I mean,

00:00:04.440 --> 00:00:08.960
you need to collect it somewhere, and under your mattress doesn’t seem like the best idea,

00:00:08.960 --> 00:00:14.160
so we use bank accounts. Our paychecks go into it, and we pay our bills from it. We

00:00:14.160 --> 00:00:18.800
could take cash out or transfer money to someone else. Yeah, it’s all pretty easy,

00:00:18.800 --> 00:00:24.000
because now we can do all this online. Before, we had to go into a local branch and wait in a queue

00:00:24.000 --> 00:00:29.040
and get the bank teller to do what we needed. It was a bit time-consuming and a little boring,

00:00:29.040 --> 00:00:34.000
but not anymore. Now, we can just log into our bank account via the bank’s website and yeah,

00:00:34.000 --> 00:00:39.920
just go ahead and do whatever we need and then log out again. Now there are apps for cell phones so

00:00:39.920 --> 00:00:43.920
that you could just do it on the go. You don’t even have to be home anymore to check your bank

00:00:43.920 --> 00:00:49.600
balance or pay bills. All this stuff is going digital, which makes it easier for us to use.

00:00:49.600 --> 00:00:55.840
The problem with that though is that it’s not just easier for customers to use; it also means it’s

00:00:55.840 --> 00:01:01.280
easier for criminals to rob banks. [MUSIC] Let’s be honest about it; millions of bank accounts,

00:01:01.280 --> 00:01:06.560
from standard personal accounts to big business accounts all just sitting behind a login

00:01:06.560 --> 00:01:13.520
screen, and that’s just a flashing beacon for hackers that have an eye for financial fraud. Back

00:01:13.520 --> 00:01:19.160
in the mid-2000s, online banking had only been around for a few years. It was Wells Fargo in 1995

00:01:19.160 --> 00:01:23.640
who was the first bank to offer internet banking to its customers, and their customers loved it.

00:01:23.640 --> 00:01:28.160
Once that started, there was no going back, and I like to think that the definition of information

00:01:28.160 --> 00:01:34.000
security is to be able to conduct business in a hostile environment, and the internet is hostile.

00:01:34.000 --> 00:01:39.360
If you put something like a bank online, you can absolutely expect it to be hammered on by people

00:01:39.360 --> 00:01:45.280
trying to use their computers to steal money from it, because the more the world goes digital,

00:01:45.280 --> 00:01:50.920
the more opportunities there are for criminals to do things. It’s like lighting up opportunities for

00:01:50.920 --> 00:01:56.360
them to find places they shouldn’t be going to to steal things that don’t belong to them. We love

00:01:56.360 --> 00:02:01.120
how easy and quick it is to open an app and go to a website and do all our banking in seconds, but

00:02:01.120 --> 00:02:08.040
that same simplicity is exploited by criminals, and this story is about a powerful online banking

00:02:08.040 --> 00:02:14.080
Trojan and the minds behind it. It grew to steal more than $70 million, and without looking like

00:02:14.080 --> 00:02:19.920
a crime had even taken place at all. It’s about how stealth and perseverance can seemingly make

00:02:19.920 --> 00:02:26.080
the bad guys always look like they come out on top. It’s the ultimate multiplayer strategy game,

00:02:26.080 --> 00:02:32.440
a game where two very capable sharp teams compete. On one side of the board are federal agents,

00:02:32.440 --> 00:02:37.640
bank security, and security researchers, and on the other were thieves, criminals,

00:02:37.640 --> 00:02:43.960
and hackers. Strategic, calculated moves from each side pitted one force against the other,

00:02:43.960 --> 00:02:52.177
and the outcome, well, you’ll have to keep listening for that.

00:02:52.177 --> 00:02:54.480
(INTRO): [INTRO MUSIC] These are true stories from the dark side of

00:02:54.480 --> 00:03:17.914
the internet. I’m Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS]

00:03:17.914 --> 00:03:22.200
JACK: I’m gonna take you back to 2006. By this point, mainstream online banking had been

00:03:22.200 --> 00:03:27.200
around for about ten years. Banking fraud wasn’t exactly new and it had been going on for years,

00:03:27.200 --> 00:03:31.840
and it was just turning more and more electronic, and that meant that people’s bank accounts had

00:03:31.840 --> 00:03:37.600
now become fair game from anywhere in the world. There was one switched-on guy who

00:03:37.600 --> 00:03:42.440
had been sitting and watching all this. He was in Russia and was very interested in

00:03:42.440 --> 00:03:48.320
tapping into the neverending supply of money to steal. He was young, just twenty-two years old,

00:03:48.320 --> 00:03:52.400
but he was ambitious. Don’t be fooled by his age, though; at twenty-two years old,

00:03:52.400 --> 00:03:59.520
he was very sharp and calculated, a meticulous planner, and a fantastic coder. This coder went

00:03:59.520 --> 00:04:04.720
by loads of different usernames on the web and underground forums, but he eventually settled

00:04:04.720 --> 00:04:11.680
into one name, Slavik. [MUSIC] On October 11, 2006, a new forum message appeared on the

00:04:11.680 --> 00:04:17.560
website techsupportguy.com. This website had been going on since 1996 and was one of the first that

00:04:17.560 --> 00:04:23.280
offered free internet tech support. In those ten years, the site gained more than 210,000

00:04:23.280 --> 00:04:28.640
members and had twenty-seven individual forums. On one of the forums, a user asked for help.

00:04:28.640 --> 00:04:32.520
He said he found some weird code on his sister’s Windows computer and he couldn’t

00:04:32.520 --> 00:04:36.200
identify it. He posted a sample of it and asked if anyone could help figure out what

00:04:36.200 --> 00:04:41.640
this was. The code was new and different, and not something people recognized. The code was

00:04:41.640 --> 00:04:46.640
passed around and picked up by some security researchers, and someone called out that this

00:04:46.640 --> 00:04:53.600
code was malicious. The researcher called this malware WSNPoem after one of the names of the

00:04:53.600 --> 00:04:59.320
directories in the malware. So, WSNPoem, they discovered, crawled into people’s computers

00:04:59.320 --> 00:05:05.080
very quietly and walked around their files, their storage, and their browser, hunting for usernames

00:05:05.080 --> 00:05:10.520
and passwords that it could steal and report back to the malware owner. It was fast, too;

00:05:10.520 --> 00:05:14.520
it would capture all the credentials on a daily basis and then seemingly send them back to the

00:05:14.520 --> 00:05:20.080
hacker that launched it. Now, the credentials it wanted more than any others were the username and

00:05:20.080 --> 00:05:27.800
password for online bank accounts, which could be the most valuable credentials we have. WSNPoem was

00:05:27.800 --> 00:05:32.400
a banking malware that tried to steal money from people’s accounts. If it found the user

00:05:32.400 --> 00:05:36.280
details of a banking site, it would report that to the malware operator, and someone

00:05:36.280 --> 00:05:40.160
would go log into the bank and try to figure out a way to take the money that was in there.

00:05:40.160 --> 00:05:46.480
It was rumored at the time that this was a Russian hacker group called UpLevel who wrote WSNPoem,

00:05:46.480 --> 00:05:51.960
but really, no one knew for sure. Things started to move pretty quickly after that. Eight months

00:05:51.960 --> 00:05:57.760
later, in June 2007, came a bigger discovery by Secureworks. Some researchers there found

00:05:57.760 --> 00:06:02.840
a new version of this banking malware, and they called it PRG and had it down as a more advanced

00:06:02.840 --> 00:06:09.000
and effective version than the WSNPoem malware. Whoever was behind these attacks wasn’t wasting

00:06:09.000 --> 00:06:14.320
their time, either. In August, the Secureworks team discovered a huge database of stolen data,

00:06:14.320 --> 00:06:19.840
and they traced it back to the PRG Trojan. Lists and lists of bank details, card details,

00:06:19.840 --> 00:06:23.440
social security numbers, usernames, and passwords were being sucked up by this

00:06:23.440 --> 00:06:28.600
banking Trojan. Secureworks calculated that 46,000 victims who had all been hit

00:06:28.600 --> 00:06:33.320
with this malware had their data stolen. Now it was all in this big data dump,

00:06:33.320 --> 00:06:38.040
openly sold to underworld criminals. By December 2007, the hackers who deployed

00:06:38.040 --> 00:06:43.440
the Trojan had stolen over $200,000 from commercial bank accounts across the US,

00:06:43.440 --> 00:06:48.640
UK, Italy, and Spain. [MUSIC] This is how it worked; the hackers were sending out malware

00:06:48.640 --> 00:06:53.520
through spam e-mails and drive-by downloads, getting it into as many machines as possible.

00:06:53.520 --> 00:06:58.760
Once installed, it sought out and sucked up all the credentials stored on that computer. Then the

00:06:58.760 --> 00:07:05.800
malware would sit and wait for users to log into their online bank accounts. As soon as it did,

00:07:05.800 --> 00:07:10.240
the malware would alert the hackers who would then jump into the session,

00:07:10.240 --> 00:07:14.640
get on that user’s computer, and transfer money from the user’s account to their

00:07:14.640 --> 00:07:19.360
accounts. It was as if they were in the room with the user on the same machine,

00:07:19.360 --> 00:07:25.640
taking money out of the account right under their nose. It was sneaky and stealthy and very

00:07:25.640 --> 00:07:30.320
successful. It was the modern-day equivalent of daylight robbery, only it was done in the

00:07:30.320 --> 00:07:35.480
shadows like an invisible invader. These early wins were proving to the hackers that they

00:07:35.480 --> 00:07:40.400
were onto something big, and if they could just improve the malware a little bit and scale it up,

00:07:40.400 --> 00:07:46.360
they could steal a lot of money this way. So, they continued to develop their malware and their

00:07:46.360 --> 00:07:51.840
skills. Roll forward another six months, and there were more discoveries by Secureworks. As

00:07:51.840 --> 00:07:57.600
they watched this Trojan expand and develop like a growing snake, there was another name change;

00:07:57.600 --> 00:08:06.100
now it was being called Zbot, short for ZeuS Bot, and this malware posed as a double-edged threat.

00:08:06.100 --> 00:08:11.600
[MUSIC] You see, the banking malware not only stole sensitive and valuable credentials and then

00:08:11.600 --> 00:08:17.320
robbed the user’s bank account. That would be bad enough, right? But then it turned this infected

00:08:17.320 --> 00:08:23.840
machine into a spy, a slave computer that was completely under control. The machine would join a

00:08:23.840 --> 00:08:29.880
botnet, a giant network of infected machines. The hackers were stacking up these bots and utilizing

00:08:29.880 --> 00:08:36.480
their power as a single formidable force to do some really shady stuff. By now, everyone

00:08:36.480 --> 00:08:41.760
analyzing the different versions had trashed the idea that this was a new hacker group. Now they

00:08:41.760 --> 00:08:49.200
were sure whoever was behind this ZeuS Bot was the same individual who had created PRG Trojan and the

00:08:49.200 --> 00:08:57.480
WSNPoem Trojan. One author was the mastermind and whoever it was, was raking it in. That author was

00:08:57.480 --> 00:09:06.040
the young Russian going by the name of Slavik. By 2008, Zbot became known just as ZeuS, a name that

00:09:06.040 --> 00:09:12.080
Slavik had apparently given to it at some point through its development. So, you’ve heard of Zeus,

00:09:12.080 --> 00:09:16.120
right? ‘Cause it’s big in Greek mythology and a lot of people actually name their dog

00:09:16.120 --> 00:09:23.160
Zeus. But Zeus was the king of the Greek gods, the god of the sky and thunder and lightning.

00:09:23.160 --> 00:09:28.360
He was the ruler, which I think is why Slavik named it this. He liked the idea

00:09:28.360 --> 00:09:34.880
of there being a single botnet that ruled them all, and it actually seems fitting because ZeuS

00:09:34.880 --> 00:09:42.680
would eventually become the king of all banking malware. [MUSIC] Not only was Slavik a good coder,

00:09:42.680 --> 00:09:47.760
he was also good at business, too. He wanted to make more streams of income with this malware,

00:09:47.760 --> 00:09:52.800
and he kept updating ZeuS and developing it, and adding new features regularly. A lot of

00:09:52.800 --> 00:09:57.440
times when malware is created, there’s just one or two versions of it. Whoever wrote it

00:09:57.440 --> 00:10:02.920
just does the job they need to do with it and it’s done. But ZeuS was different. Slavik was

00:10:02.920 --> 00:10:10.200
using it himself to rob people, but he also built ZeuS to be a crimeware kit that he could sell on

00:10:10.200 --> 00:10:16.440
underground forums and on the dark web. It was like a DIY hacker’s toolkit so they could build

00:10:16.440 --> 00:10:22.160
their own banking Trojan botnet. He would let others use it for a fee, and then he would even

00:10:22.160 --> 00:10:26.280
supply continued support for them, because there’s a lot of people that want to have

00:10:26.280 --> 00:10:30.640
the power of a botnet at their fingertips, but they just don’t have the skills to build one.

00:10:30.640 --> 00:10:35.600
So, in comes ZeuS with this easy-to-use, no-tech-knowledge-needed interface to

00:10:35.600 --> 00:10:40.800
spread and listen for commands from any of its operators. But it was still up to ZeuS’

00:10:40.800 --> 00:10:46.120
customers to figure out what to do with the botnet. Back in 2007, another hacker

00:10:46.120 --> 00:10:50.200
group wanted to steal banking logins, but they were doing it through phishing e-mail,

00:10:50.200 --> 00:10:53.920
so sending out spam e-mails trying to convince people that this is their bank and they need

00:10:53.920 --> 00:10:59.440
to log in and they need to click this link. This group in particular was doing very well at this.

00:10:59.440 --> 00:11:03.520
They were skilled at sending out e-mails that look like they actually came from your bank,

00:11:03.520 --> 00:11:08.640
just they hadn’t; they were fake e-mails with links that look exactly like the banking login

00:11:08.640 --> 00:11:14.360
site, but if you logged in, you just handed your login details to the criminals. That group was

00:11:14.360 --> 00:11:20.080
called Rock Phish. They specialized in phishing campaigns targeting banks to steal login details,

00:11:20.080 --> 00:11:25.200
and they’d been going since 2005. Their earlier campaigns always had ‘rock’ in the fake domain

00:11:25.200 --> 00:11:29.960
names, which is how they got their name. Now, Rock Phish were widely considered to be one

00:11:29.960 --> 00:11:34.760
of the biggest phishing groups in the world, and by 2008, they were adding ZeuS to their

00:11:34.760 --> 00:11:40.600
arsenal. [MUSIC] Rock Phish began pushing the ZeuS malware out along with their phishing e-mails.

00:11:40.600 --> 00:11:45.240
So, if you got one of these spam phishing e-mails, you could be hit in two different ways; you could

00:11:45.240 --> 00:11:50.520
either click the link and get the fake version of the bank login, and if you did put your password

00:11:50.520 --> 00:11:55.640
in, then you just gave them your password, but if you didn’t do that and went to your bank account

00:11:55.640 --> 00:12:01.200
manually or used a bookmark or something, that’s when ZeuS would kick in and capture your username

00:12:01.200 --> 00:12:07.040
and password as you typed it on the screen and send that to the hackers. In time, Rock Phish gave

00:12:07.040 --> 00:12:12.520
way to new blood, another group called Avalanche. But it’s probably safe to say that this new group

00:12:12.520 --> 00:12:18.240
had a few members of Rock Phish that moved into it. Avalanche liked ZeuS too, and the better that

00:12:18.240 --> 00:12:22.640
ZeuS had become, the more popular it was with the underground criminals. They loved the idea

00:12:22.640 --> 00:12:28.160
of buying a credential thief and botnet rolled into one. For phishing groups like Rock Phish and

00:12:28.160 --> 00:12:33.920
Avalanche, ZeuS offered a secondary way for them to make money, and lots of it. Layering up their

00:12:33.920 --> 00:12:39.480
e-mails like this expanded their earning potential big time. Avalanche were also known to make use of

00:12:39.480 --> 00:12:44.200
the Cutwail botnet, which was pretty big around this time. The Cutwail botnet, along with its

00:12:44.200 --> 00:12:49.560
friendly loader Pushdo, eventually integrated ZeuS into it, and ZeuS integrated Cutwail into it.

00:12:49.560 --> 00:12:54.880
It was a great combination, making it even more devastating for everyone to get infected by it,

00:12:54.880 --> 00:13:00.200
because using existing botnets to spread banking Trojans was a very effective technique.

00:13:00.200 --> 00:13:04.720
Those botnets were already inside thousands of computers sitting and waiting for instructions;

00:13:04.720 --> 00:13:08.960
might as well put ZeuS in there to start sucking passwords up while it’s there. ZeuS

00:13:08.960 --> 00:13:13.480
was an exceptionally clever bit of kit on a whole ‘nother level to your standard phishing

00:13:13.480 --> 00:13:18.640
ideas. Once ZeuS was on a computer, it dialed into the command and control servers to get

00:13:18.640 --> 00:13:23.680
instructions on what to do next. Now, the ZeuS crimeware kit came with ZeuS Builder,

00:13:23.680 --> 00:13:28.560
which was a nifty little program that allowed the operator to specify the behaviors and actions

00:13:28.560 --> 00:13:34.720
that they wanted each of their new bots to carry out. It was easy to use and reliable. ZeuS was

00:13:34.720 --> 00:13:38.760
able to carry out man-in-the-browser attacks when on a user’s computer,

00:13:38.760 --> 00:13:44.080
it would intercept the web page that the user was trying to go to and alter the HTML code

00:13:44.080 --> 00:13:49.000
that would be rendered in the browser. So, the user still gets the website they are expecting,

00:13:49.000 --> 00:13:55.160
usually their banking homepage or something, which makes it not suspicious at all. But now the page

00:13:55.160 --> 00:14:01.080
has new fields asking for additional details like your PIN number or social security number.

00:14:01.080 --> 00:14:05.080
The user has no idea that there’s someone in the browser trying to steal this information

00:14:05.080 --> 00:14:10.840
from them. [MUSIC] Slavik had been improving, polishing, and perfecting his version of ZeuS. He

00:14:10.840 --> 00:14:16.520
updated it, kept adding new features, and better functionality. This was an evolving bit of kit,

00:14:16.520 --> 00:14:21.120
and Slavik was on the ball and keen to keep everything rolling forward and doing better

00:14:21.120 --> 00:14:26.600
at every step, ambitious, greedy, even. This guy knew what he wanted and he was pushing hard for

00:14:26.600 --> 00:14:33.720
ZeuS to get it for him. By May 2009, the FBI was starting to receive reports of large-scale

00:14:33.720 --> 00:14:40.640
bank transfers that were fraudulently sent but had seemingly no evidence of a security breach.

00:14:40.640 --> 00:14:45.320
An FBI Special Agent was based in the Cyber Crime Task Force in the Omaha field office in

00:14:45.320 --> 00:14:50.440
Nebraska. He was a few months shy of his first year as a Special Agent and didn’t know it,

00:14:50.440 --> 00:14:56.400
but he was about to be sucked into a complicated web weaved by a master coder determined to stay

00:14:56.400 --> 00:15:03.520
one step ahead at all times. The First National Bank of Omaha has been around

00:15:03.520 --> 00:15:08.360
for 160 years. It’s family-owned and independent, and it’s a subsidiary of the First National Bank

00:15:08.360 --> 00:15:14.040
of Nebraska and offers online banking services to its customers. In May 2009, their customers

00:15:14.040 --> 00:15:20.200
reported that they had $100,000 swiped from their bank accounts. It just disappeared.

00:15:20.200 --> 00:15:25.240
[MUSIC] So, the Special Agent from the FBI gets on the case and he starts to examine the bank

00:15:25.240 --> 00:15:29.680
accounts to try to figure out what happened. When the account transactions were examined, it

00:15:29.680 --> 00:15:34.440
didn’t make sense, though. The Special Agent was looking for someone logging into these websites,

00:15:34.440 --> 00:15:40.960
maybe from overseas or from a suspicious IP, but the stolen money was transferred by the customer

00:15:40.960 --> 00:15:46.520
from the customer’s IP at home, on the customer’s very browser. The transfers were sending the money

00:15:46.520 --> 00:15:52.320
to accounts overseas, but the thought crossed the FBI agent’s mind that maybe these customers were

00:15:52.320 --> 00:15:57.720
just trying to commit fraud and lying that the money was stolen. But no, that’s too obvious;

00:15:57.720 --> 00:16:02.440
the bank could see who transfers the money, so there must have been something else here,

00:16:02.440 --> 00:16:07.280
but how could the thief be in their home doing these transfers? The money was being

00:16:07.280 --> 00:16:12.400
transferred from the targeted accounts using ACH transfers. This is how you usually pay someone

00:16:12.400 --> 00:16:18.080
or pay your bills online. Now, what was weird was that for First National Accounts at least,

00:16:18.080 --> 00:16:22.120
they had a load of extra security layers before an account could even get into an

00:16:22.120 --> 00:16:26.520
online account to do anything. There’s the standard username and password, but also,

00:16:26.520 --> 00:16:30.480
there was a security question or PIN number that you needed, which is good.

00:16:30.480 --> 00:16:34.720
It’s an extra layer of security you want your bank to have. Well, for First National,

00:16:34.720 --> 00:16:38.800
they used to send their banking customers a list of PIN numbers in the mail. So,

00:16:38.800 --> 00:16:43.440
whenever they wanted to log into their online bank account, they used a PIN number from the list as

00:16:43.440 --> 00:16:48.400
well as their username and password to get in. But First National was clever, too. See, generally,

00:16:48.400 --> 00:16:53.480
people are creatures of habit, right? So, First National logs metadata stuff for their customers,

00:16:53.480 --> 00:16:58.120
like when they usually log in from what IP address, and what browser they usually use,

00:16:58.120 --> 00:17:04.680
all this stuff. So, if a login attempt happens but it’s not from the typical browser or IP address

00:17:04.680 --> 00:17:10.280
that they’re used to seeing, then it could trigger an extra security check and block the login until

00:17:10.280 --> 00:17:15.120
the user confirmed that it’s really them. The point of telling you all this is that there’s all

00:17:15.120 --> 00:17:19.000
these extra security checks to make it harder for hackers to get in. Because if you think about it,

00:17:19.000 --> 00:17:24.880
if you lived in Omaha and logged into your bank there all the time, every time, and then all of a

00:17:24.880 --> 00:17:30.320
sudden there was a strange login from Russia, that should trigger some alerts, right? So,

00:17:30.320 --> 00:17:34.880
these extra security measures were designed to stop hackers from doing that. Yet still,

00:17:34.880 --> 00:17:38.720
in this case, the thieves were able to get into these accounts and take large

00:17:38.720 --> 00:17:43.440
sums of money out. So, the FBI was baffled by how they were doing this.

00:17:43.440 --> 00:17:48.600
Weeks later, the US security intelligence company iDefense made a find that turned everything

00:17:48.600 --> 00:17:53.920
on its head. iDefense monitors and defends against cyber security threats, and on June 1,

00:17:53.920 --> 00:17:59.240
they found a brand-new version of ZeuS, and this one came with some pretty advanced capabilities.

00:17:59.240 --> 00:18:04.080
To say Slavik had upped his game would be a bit of an understatement. For the last few years,

00:18:04.080 --> 00:18:08.720
Slavik had used many different usernames on the web, but he was often seen talking about ZeuS,

00:18:08.720 --> 00:18:14.040
and took ownership as the author. [MUSIC] He had cycled through lots of usernames like A-Z,

00:18:14.040 --> 00:18:19.960
Monstr, lucky12345, and pollingsoon before he seemingly decided to stick

00:18:19.960 --> 00:18:26.320
with Slavik. Slavik had made a lot of money selling ZeuS as a crimeware kit.

00:18:26.320 --> 00:18:32.400
Imagine $3,000 on average for each one he sold. He sold a lot; by spring 2009,

00:18:32.400 --> 00:18:38.400
it was believed that there were 5,000 different customers using ZeuS. The scale of this malware

00:18:38.400 --> 00:18:44.240
and the number of hackers using it was just huge. But Slavik felt like he was getting ripped off,

00:18:44.240 --> 00:18:48.360
and he was not happy about it. People were trying to resell their copies of ZeuS and

00:18:48.360 --> 00:18:53.440
their own customized versions of it using the ZeuS name that was well-known and respected

00:18:53.440 --> 00:18:59.640
because of Slavik’s excellent coding and continued updates. They were making profit off of his work.

00:18:59.640 --> 00:19:03.880
There was another problem, too; banks were getting better at their online security. There were more

00:19:03.880 --> 00:19:08.000
kinds of two-factor authentication coming in, more layers for hackers to have to get through

00:19:08.000 --> 00:19:13.120
before they could get into a bank account. So, in early 2009, Slavik teamed up with Avalanche who

00:19:13.120 --> 00:19:17.960
were still dominating the market in their banking phishing scams, and wrote the next big version of

00:19:17.960 --> 00:19:24.560
ZeuS. This would be called JabberZeuS. So, the DIY kit for ZeuS gave the basic functions needed

00:19:24.560 --> 00:19:29.280
for ZeuS to steal credentials once it infected a machine, and it had the ZeuS Builder so that

00:19:29.280 --> 00:19:35.000
people could make their own botnet. But on top of this basic package were extra modules and add-ons,

00:19:35.000 --> 00:19:40.440
too. [MUSIC] So, there was the form-grabber made for Firefox for a cool $2,000, and there

00:19:40.440 --> 00:19:46.120
was another feature, the backconnect module, which was $1,500 and allowed the hacker to redirect any

00:19:46.120 --> 00:19:51.400
tracing of their transfers out of bank accounts back into the infected computer itself. This is

00:19:51.400 --> 00:19:56.560
so the transfers would always just trace back to the computer of the user and not to the hacker’s

00:19:56.560 --> 00:20:02.400
computers. The big additional module available with JabberZeuS was the Jabber chat notifier,

00:20:02.400 --> 00:20:06.960
but you had to pay an extra $500 for that. The add-on included Jabber,

00:20:06.960 --> 00:20:11.040
which is an instant messaging app. So with this module enabled, ZeuS was programmed

00:20:11.040 --> 00:20:16.640
to send an instant message in real time to the hackers whenever a user or an infected machine

00:20:16.640 --> 00:20:21.480
logged into an online bank account that had over a certain amount in the account balance.

00:20:21.480 --> 00:20:25.800
This made it even easier for whoever was running ZeuS to get notified and interact

00:20:25.800 --> 00:20:30.040
with the malware on someone’s machine. Can you imagine a new instant message just pop

00:20:30.040 --> 00:20:35.880
up from an infected machine telling you hey, I just found a bank account with $100,000 in it,

00:20:35.880 --> 00:20:40.640
and here’s the username and password. The chat messages would send you login credentials,

00:20:40.640 --> 00:20:44.520
bank account details, the balance, and the two-factor authentication code that the user

00:20:44.520 --> 00:20:49.240
used to log in with. This allowed hackers full access to the bank account as long as they acted

00:20:49.240 --> 00:20:54.080
quick. You see, the beauty of this new model is that hackers could sit back and see live updates

00:20:54.080 --> 00:20:59.320
via chat messages when their target logged in; what two-factor authentication code was used,

00:20:59.320 --> 00:21:02.720
what backup questions were answered, and the hackers would capture all this,

00:21:02.720 --> 00:21:08.520
and they would simply hop into that computer to process some transactions. The computer user just

00:21:08.520 --> 00:21:15.680
had no idea that bank account transfers were being done on their machine in the background.

00:21:15.680 --> 00:21:21.720
There was one more module available for ZeuS; the virtual networking computer module. For $10,000,

00:21:21.720 --> 00:21:27.000
this would allow the hackers to 100% control the infected machine using an active virtual

00:21:27.000 --> 00:21:31.960
connection. It was several steps further than the backconnect module. It meant they could

00:21:31.960 --> 00:21:35.960
essentially tunnel all their traffic through the user’s computer to hide their footsteps.

00:21:35.960 --> 00:21:40.800
This way, the bank thinks the user logged in from home and not from Russia or wherever the operators

00:21:40.800 --> 00:21:46.440
were from. With the development of JabberZeuS, Slavik was employing a small team of talented

00:21:46.440 --> 00:21:52.080
hackers to help him steal money from banks, people he knew and hand-selected, and they started to

00:21:52.080 --> 00:21:56.520
focus on corporate accounts, like big corporate accounts, with hundreds of thousands of dollars

00:21:56.520 --> 00:22:01.960
in them. This would mean they could siphon out much bigger sums of money and transfer them to

00:22:01.960 --> 00:22:06.320
the hackers’ accounts. But one of the biggest challenges for these thieves is after they get

00:22:06.320 --> 00:22:11.000
into someone’s bank account, how are they gonna get the money out? Because they have to know how

00:22:11.000 --> 00:22:17.520
to launder money so that it’s not tracked back to them. Electronic transfers like ACH are great,

00:22:17.520 --> 00:22:21.320
but the robbers can’t just transfer your money straight into their bank account, because that

00:22:21.320 --> 00:22:26.480
would lead the FBI right to them. No, they needed to hide their trail and muddy the waters a bit,

00:22:26.480 --> 00:22:31.800
putting some distance between the fraud and their own accounts. The answer to that is money

00:22:31.800 --> 00:22:38.120
mules. [MUSIC] The hackers behind ZeuS needed to find people willing to act as go-betweens,

00:22:38.120 --> 00:22:42.760
a middle point between the fraud and the thieves. It’s sort of like an air gap

00:22:42.760 --> 00:22:48.640
for the money to make it harder to trace. So, what they do is advertise a job on some online

00:22:48.640 --> 00:22:54.040
job board like Craigslist. Now, obviously they don’t advertise money mule for hire.

00:22:54.040 --> 00:22:59.360
No, they’re very deceiving about this, perhaps posting a job for a writer or someone to do some

00:22:59.360 --> 00:23:04.560
clerical work at home. But when they hire the person to do the work, then they ask them to

00:23:04.560 --> 00:23:08.920
commit a crime. But the person doesn’t realize it’s a crime; the thieves will say something

00:23:08.920 --> 00:23:13.440
like listen, we need to pay one of our suppliers, but our bank is having problems. Is it possible

00:23:13.440 --> 00:23:18.480
for us to send you the money and then you write a check to them? By the way, you can keep 5% of the

00:23:18.480 --> 00:23:24.240
money as a bonus for helping us do this. So, the unwitting money mule agrees. They get the

00:23:24.240 --> 00:23:28.880
stolen money added to their account, then they write a check for a little less than the full

00:23:28.880 --> 00:23:33.920
amount to go to the thieves’ account or another money mule’s account. The reason why this is

00:23:33.920 --> 00:23:38.840
illegal is because the money mule is laundering money; they’re taking stolen funds and passing

00:23:38.840 --> 00:23:44.880
it along. It’s an easy job; you don’t have to leave the house, and it pays well. So, lots of

00:23:44.880 --> 00:23:52.280
people are tricked into doing this. It might not smell legit, but hey, if the job’s paying nice,

00:23:52.280 --> 00:23:56.920
maybe that’s enough to keep people from asking questions. Just keep quiet, do the easy work,

00:23:56.920 --> 00:24:03.080
and get paid. No big deal, boss. I got it. What these money mules don’t realize is yeah, they’re

00:24:03.080 --> 00:24:07.320
just moving money about, but they’re totally liable for it and are probably going to take the

00:24:07.320 --> 00:24:14.000
rap for it. There have been so many cases of money mules going to prison for years for doing this.

00:24:14.000 --> 00:24:18.120
So a word of warning; if you ever see a job posting online that seems suspicious or too

00:24:18.120 --> 00:24:23.720
good to be true, it probably is. Don’t touch it. So, once this new version of ZeuS landed,

00:24:23.720 --> 00:24:29.000
there was just an onslaught of attacks using it. Slavik was still selling JabberZeuS version as a

00:24:29.000 --> 00:24:33.520
kit, but now he had some new terms for the older ZeuS. He had gotten pretty sick of people ripping

00:24:33.520 --> 00:24:38.440
off his code and bootlegging different versions of it. So, he decided to do something with JabberZeuS

00:24:38.440 --> 00:24:43.440
that was pretty rare for malware at the time; he hardcoded an ID system into it and got real

00:24:43.440 --> 00:24:48.320
selective on who he sold it to. So, when people paid for a copy, they got one, but that would

00:24:48.320 --> 00:24:53.360
only work on one machine. It was basically like a license that you could only run on one computer

00:24:53.360 --> 00:24:58.000
unless you paid for another copy. [MUSIC] Slavik was tightening things up and preparing for some

00:24:58.000 --> 00:25:04.600
busy times ahead. On June 29, 2009, employees at the First Federal Savings Bank spotted something

00:25:04.600 --> 00:25:10.760
abnormal in a client’s bank account. The account belonged to Bullitt County Fiscal Court in

00:25:10.760 --> 00:25:18.360
Kentucky. That’s the bank account for the court in Kentucky. The bank employee saw there had been

00:25:18.360 --> 00:25:25.240
twenty-five new employees added to the payroll system starting on June 22, just a week before.

00:25:25.240 --> 00:25:29.440
More than that, straight after a new employee was onboarded, they were transferred a sum of

00:25:29.440 --> 00:25:34.800
money from the account. But the transfers were all under $10,000, which made it really hard to

00:25:34.800 --> 00:25:39.960
notice. It was a stroke of luck that this bank employee spotted it at all. After checking in

00:25:39.960 --> 00:25:45.360
with the Fiscal Court, the court knew nothing of this activity. They immediately started to process

00:25:45.360 --> 00:25:50.320
and reverse these payments, because these weren’t legit at all. But what they couldn’t figure out

00:25:50.320 --> 00:25:56.080
is how it had been done. You see, this court had some extra security measures in place. On

00:25:56.080 --> 00:26:01.360
this particular account, you needed two people to sign off on all transfers, and specifically

00:26:01.360 --> 00:26:07.320
it required a sign-off from the Bullitt County treasurer and judge, yet somehow these hackers

00:26:07.320 --> 00:26:12.720
bypassed that and got their transfers through. Both the bank and Bullitt County reported the

00:26:12.720 --> 00:26:17.200
fraud to the FBI. The news reached that Special Agent who was investigating the same problems

00:26:17.200 --> 00:26:22.200
in Omaha and realized pretty quickly the clues matched. These transfers looked very similar

00:26:22.200 --> 00:26:27.760
to what was going on in Omaha. On July 2, Brian Krebs wrote an article about what happened in his

00:26:27.760 --> 00:26:33.120
Washington Post column. He said he had a source inside the investigation who told him exactly

00:26:33.120 --> 00:26:39.360
how the hackers had carried this out. They also told him this was the work of JabberZeuS. First

00:26:39.360 --> 00:26:44.400
Federal Savings was a bank that had customers’ profiles in place for all their account holders.

00:26:44.400 --> 00:26:48.480
So, this was a profile of the usual and expected online behaviors of their

00:26:48.480 --> 00:26:53.560
customers. This included stuff like the device and operating system they usually log in with,

00:26:53.560 --> 00:26:56.880
the browser that they usually use, and if all this matched their accounts,

00:26:56.880 --> 00:27:02.000
it would let the transaction through. But if it didn’t match, it would send another security check

00:27:02.000 --> 00:27:07.040
to the e-mail address to authenticate. You know how it goes; when you log into Amazon or Google

00:27:07.040 --> 00:27:10.880
from a different device, you need to verify by going through an extra check before it lets you

00:27:10.880 --> 00:27:17.000
in. It’s the same idea here. Anyway, so, this is what was set up on the account for Bullitt County,

00:27:17.000 --> 00:27:20.920
but what surprised people was this still wasn’t enough to stop the thieves getting in and making

00:27:20.920 --> 00:27:26.640
these illegal transfers. Why? Because they were using JabberZeuS, and this is how they got around

00:27:26.640 --> 00:27:32.040
the security hurdles. [MUSIC] The thieves had targeted a specific person, the county treasurer,

00:27:32.040 --> 00:27:37.720
knowing that this person is probably who had access to the bank account. So, they infected the

00:27:37.720 --> 00:27:43.120
treasurer’s computer with JabberZeuS. I don’t know how, maybe through a phishing link or something,

00:27:43.120 --> 00:27:46.640
but they got the malware on there and it did what it was designed to do; it went off and

00:27:46.640 --> 00:27:51.480
hunted around for the username and password for the First Federal Savings online bank account. But

00:27:51.480 --> 00:27:57.600
they needed more than that, so JabberZeuS also got them the treasurer’s e-mail account details.

00:27:57.600 --> 00:28:01.560
Using the backconnect and VPN modules, the crew made sure that they were going through

00:28:01.560 --> 00:28:06.160
the treasurer’s own internet connection when they logged into the bank. This way, when anyone looked

00:28:06.160 --> 00:28:10.000
back to try to trace what happened, it would look like it was someone at the treasurer’s computer

00:28:10.000 --> 00:28:15.520
who had done this. So, step one is complete. Next, they logged into the bank account as if they were

00:28:15.520 --> 00:28:19.440
the treasurer, and they went to the section for details of the two people who were required

00:28:19.440 --> 00:28:23.840
to sign off the transactions for the account. They already had the treasurer’s details; that

00:28:23.840 --> 00:28:29.480
was fine, but they needed the judge to approve these transactions, too. So, in order to do that,

00:28:29.480 --> 00:28:34.720
they saw that the treasurer could reset the judge’s password, and so, they just did that,

00:28:34.720 --> 00:28:39.800
and they were able to get into the judge’s account that way. So, once they got in, they wanted to

00:28:39.800 --> 00:28:45.440
transfer money out, and what they did is they had twenty-five money mules ready for money, and so,

00:28:45.440 --> 00:28:50.800
they just created twenty-five fake employees that would be on the payroll and made transfers

00:28:50.800 --> 00:28:56.400
of money to all twenty-five of these people, and then logged in as the judge and approved all these

00:28:56.400 --> 00:29:01.720
transfers. It sounds like a lot of work, but I think they did it all in less than ten minutes.

00:29:01.720 --> 00:29:08.880
They stole $415,000 from Bullitt County doing this, and it was just sheer luck that the bank

00:29:08.880 --> 00:29:13.760
spotted this, and because they acted quickly, they were able to reverse some of these transfers and

00:29:13.760 --> 00:29:18.680
recover some of the money. The crew behind JabberZeuS were on a roll. They hit banks,

00:29:18.680 --> 00:29:23.440
small businesses, even schools over the following months, anywhere they found good money sitting in

00:29:23.440 --> 00:29:27.760
online bank accounts. Their range of targets was pretty varied. The bank account owned

00:29:27.760 --> 00:29:33.040
by All Things Possible was hit in early July. The same day, Armstrong Fitness Ink was hit,

00:29:33.040 --> 00:29:37.720
and just over a month later, the Franciscan Sisters of Chicago had their account hacked

00:29:37.720 --> 00:29:42.680
and money stolen. There was no one this group wouldn’t steal from, but their crusade of bank

00:29:42.680 --> 00:29:48.560
fraud wasn’t going to last forever. The FBI were investigating more and more of these types

00:29:48.560 --> 00:29:52.920
of attacks. They had begun to recognize the hallmarks of JabberZeuS. There were a lot of

00:29:52.920 --> 00:29:58.160
common factors across this fraud, which made them think it was the same crew. In September 2009,

00:29:58.160 --> 00:30:02.880
they finally got a break. [MUSIC] The FBI managed to trace the domain of the Jabber server which was

00:30:02.880 --> 00:30:09.680
used to send instant messages by ZeuS. The malware led them to a domain called incomeet.com. The IP

00:30:09.680 --> 00:30:15.040
address led them to a server company hosted by Ezzi.net, which was in Brooklyn, New York.

00:30:15.040 --> 00:30:18.920
Being a US-based company, the FBI was able to issue a search warrant and see the extra

00:30:18.920 --> 00:30:24.040
details of the customer that was paying for that IP and server. The feds went there and saw the

00:30:24.040 --> 00:30:29.000
computer that was being used. It was running CentOS 5.0. It had a 500 gigabyte hard drive,

00:30:29.000 --> 00:30:34.920
two gigabytes of RAM, and a dual-core AMD processor. The FBI’s first question was who’s the customer

00:30:34.920 --> 00:30:39.880
using this server? The best information they got was that it was an individual calling themself

00:30:39.880 --> 00:30:47.280
Alexi S. who said they were from a company based in Moscow in Russia. Back in Omaha, Nebraska, FBI

00:30:47.280 --> 00:30:52.480
engineers started to examine the contents of the server. What they had was the full Jabber server

00:30:52.480 --> 00:30:57.760
that the JabberZeuS crew was using for their attacks. It had logs and records of every attack,

00:30:57.760 --> 00:31:02.360
bank details and credentials that they’d stolen, the names of the banks and businesses that had

00:31:02.360 --> 00:31:07.960
been unlucky victims, but it also had – to the sheer surprise of these engineers – the full

00:31:07.960 --> 00:31:14.000
backdated instant chat logs between members of the hacking crew. It was all there, black and white,

00:31:14.000 --> 00:31:19.840
and it was all in Russian. This triggered a long process to try to translate all the chats,

00:31:19.840 --> 00:31:24.560
but by the end of it, the FBI had an absolute gold mine of evidence.

00:31:24.560 --> 00:31:29.520
There was also a list of victims that the FBI could now go to and inform them that their

00:31:29.520 --> 00:31:35.600
accounts were hacked into. By this time, Slavik was using ZeuS to make money in three different

00:31:35.600 --> 00:31:39.480
ways; he was using it to steal money from banks, he was renting out the botnet to people who wanted

00:31:39.480 --> 00:31:44.320
to use it, and he was selling the ZeuS malware for well over $8,000 for anyone who wanted to use it

00:31:44.320 --> 00:31:48.840
for themselves. He was bringing in a ton of cash with this endeavor, and he wasn’t slowing down,

00:31:48.840 --> 00:31:52.840
either. He went on to add even more new features and came out with ZeuS V2,

00:31:52.840 --> 00:31:57.240
which gave users the ability to monitor network traffic, capture screenshots, record victims’

00:31:57.240 --> 00:32:01.960
keystrokes, steal certificates, and connect to other banking systems. But of course,

00:32:01.960 --> 00:32:06.160
other people were seeing how effective this malware was and wanted to get in on the profits,

00:32:06.160 --> 00:32:12.200
too. A couple of people named Gribodemon and Harderman took ZeuS and modified it to make

00:32:12.200 --> 00:32:18.600
a new malware called SpyEye. First versions were terrible, but the kit cost just $400,

00:32:18.600 --> 00:32:23.040
compared to ZeuS which was over $8,000. Because SpyEye was so cheap,

00:32:23.040 --> 00:32:27.400
it started to attract attention. The more people bought it, the more time the creators spent

00:32:27.400 --> 00:32:32.300
improving it. As SpyEye improved, the price went up from $400 to $1,000.

00:32:32.300 --> 00:32:38.000
[MUSIC] The team behind SpyEye wanted ZeuS’ customers and targeted them with deals and

00:32:38.000 --> 00:32:44.040
specials which created a power struggle between ZeuS and SpyEye. SpyEye was also programmed so

00:32:44.040 --> 00:32:48.840
that when it infected a machine, it would check to see if ZeuS was on it, and it would delete it. So,

00:32:48.840 --> 00:32:54.080
a battle of botnets began. Slavik, of course, did not like this and was like, nah, I don’t think

00:32:54.080 --> 00:33:00.240
so. This is rude. So, he updated ZeuS to try to delete SpyEye, and this back-and-forth continued.

00:33:00.240 --> 00:33:06.840
Then suddenly and strangely, in October 2010, both ZeuS and SpyEye made an announcement that

00:33:06.840 --> 00:33:12.320
ZeuS would no longer be available for sale and that the ZeuS business was going to be handed

00:33:12.320 --> 00:33:20.160
over and merged into Gribodemon’s SpyEye. This was one weird and unexpected announcement. One

00:33:20.160 --> 00:33:25.840
side just suddenly giving up, and now they’re friends and merging? Gribodemon and SpyEye

00:33:25.840 --> 00:33:31.000
looked like they were coming out of this battle victorious, and were leading the show now. Some

00:33:31.000 --> 00:33:36.200
people thought that Slavik wanted to retire and took this opportunity to hand over the

00:33:36.200 --> 00:33:41.520
reins and quietly slip into the shadows of the internet while someone else takes all the heat.

00:33:41.520 --> 00:33:48.960
But the merger never actually happened; SpyEye never took on ZeuS’ code or features or botnet.

00:33:48.960 --> 00:33:54.200
Meanwhile, the FBI was following clues and trails and was paying very close attention to the

00:33:54.200 --> 00:34:00.200
activities of ZeuS and SpyEye. The investigations led them to discover there was a SpyEye server in

00:34:00.200 --> 00:34:05.880
Atlanta, USA. The FBI was able to issue search warrants to infiltrate the server and found it

00:34:05.880 --> 00:34:12.440
was controlling over 200 bots and had information pertaining to a lot of financial institutions on

00:34:12.440 --> 00:34:20.080
that server. This gave the FBI a lot more clues as to who was behind SpyEye. [MUSIC] Then 2011 rolls

00:34:20.080 --> 00:34:26.520
around and suddenly, the entire set of ZeuS source code is leaked online, all of it. This

00:34:26.520 --> 00:34:32.560
meant that anyone could develop their own version of ZeuS and make more malware. By this point,

00:34:32.560 --> 00:34:38.000
Slavik had gone dark and silent. The ZeuS source code is available online and being used by all

00:34:38.000 --> 00:34:43.400
sorts of people with different ideas. SpyEye was creating new updates and developing their malware,

00:34:43.400 --> 00:34:49.800
but then quietly, Gribodemon disappeared and was no longer active on the underground communities.

00:34:49.800 --> 00:34:54.560
But while to the outside world, Slavik had seemingly disappeared and gone silent,

00:34:54.560 --> 00:35:01.360
he had in fact been working on a new version of ZeuS V2.1. He changed it from a repeating

00:35:01.360 --> 00:35:06.560
license software to one that was based on a subscription model delivered via the Cloud.

00:35:06.560 --> 00:35:13.520
In 2011, ZeuS V2.1 became ZeuS Version 3, and it was the first online banking malware to be

00:35:13.520 --> 00:35:20.480
offered as a service, MaaS, malware as a service, and this would soon develop into a new version of

00:35:20.480 --> 00:35:28.160
ZeuS which had peer-to-peer capability, and that version was called Gameover ZeuS. Gameover ZeuS

00:35:28.160 --> 00:35:34.240
was the most effective and successful version of ZeuS yet. In September 2012, someone used

00:35:34.240 --> 00:35:41.680
it to steal $465,000 from a company and sent the money to an account in China. In September 2012,

00:35:41.680 --> 00:35:47.280
someone used Gameover ZeuS to steal two million dollars from a US printing company. I’m actually

00:35:47.280 --> 00:35:53.320
not sure how successful this was or who did it, since some of these heists can ring alarms and

00:35:53.320 --> 00:35:57.600
bank employees can scramble to freeze transfers and recover the funds before the money mule can

00:35:57.600 --> 00:36:02.280
send it to the next hop. We really don’t know who was doing these heists either, since ZeuS

00:36:02.280 --> 00:36:07.840
can be used and bought by anyone. What we know is that Gameover ZeuS was used in the robbery,

00:36:07.840 --> 00:36:12.280
but we don’t know who was using it. But these are examples of the different types of licks

00:36:12.280 --> 00:36:17.320
people were going after with it. Regardless of whether Slavik was the one behind the heist or not,

00:36:17.320 --> 00:36:20.800
he was certainly making a ton of money with Gameover ZeuS.

00:36:20.800 --> 00:36:26.320
[MUSIC] Gribodemon, the maker of SpyEye, went on holiday to the Dominican Republic, but little did

00:36:26.320 --> 00:36:30.880
he know, he was being watched by the FBI, and they alerted the Dominican Republic authorities

00:36:30.880 --> 00:36:36.120
to arrest him and extradite him to the US. He was charged with bank fraud and money laundering, and

00:36:36.120 --> 00:36:42.040
he pled guilty to creating the SpyEye malware. Gribodemon’s real name was Aleksandr Panin,

00:36:42.040 --> 00:36:47.040
a twenty-seven-year-old from Russia, and was sentenced to nine years in prison for creating

00:36:47.040 --> 00:36:52.760
the SpyEye malware. But along with that arrest was another SpyEye developer, Hamza Bendelladj,

00:36:52.760 --> 00:36:57.880
a twenty-seven-year-old from Algeria. He was responsible for marketing and spreading SpyEye

00:36:57.880 --> 00:37:03.760
and using it to attack victims and send spam and malware. Hamza was sentenced to fifteen years in

00:37:03.760 --> 00:37:10.760
prison for his role in SpyEye. In the spring of 2012, Microsoft announced they had seized

00:37:10.760 --> 00:37:15.840
over 800 domains that were used by SpyEye and ZeuS botnets. They worked with authorities to

00:37:15.840 --> 00:37:20.040
turn over information that they discovered from this. A few more security researchers

00:37:20.040 --> 00:37:24.760
joined in to help Microsoft’s Digital Crime Unit to attempt to take down the botnet by

00:37:24.760 --> 00:37:28.760
attacking its command and control servers and taking down domains involved. See,

00:37:28.760 --> 00:37:32.720
the ZeuS botnet had to receive instructions from a central authority for what to do,

00:37:32.720 --> 00:37:37.480
and if you could take down that central system, the whole thing would become inoculated.

00:37:37.480 --> 00:37:40.880
But that central system was hosted in a place that was not touchable,

00:37:40.880 --> 00:37:45.400
so the next best thing to do is take down the domain name that points to that system,

00:37:45.400 --> 00:37:50.760
essentially making it so the bots don’t know where to go for commands. You can do this by reporting

00:37:50.760 --> 00:37:55.120
malicious domains to certain places to get them sinkholed, but this has to be a coordinated

00:37:55.120 --> 00:37:59.960
takedown, to do as much damage as possible to the botnet in as little time as possible

00:37:59.960 --> 00:38:05.280
to not allow it to recover somehow. So, the coordinated sinkholing of domains was executed,

00:38:05.280 --> 00:38:11.320
but it did not take down the ZeuS botnet. Gameover ZeuS was built with impressive resiliency and it

00:38:11.320 --> 00:38:15.840
just switched to a whole new set of domains and command and control servers. This was going to

00:38:15.840 --> 00:38:21.880
be very hard to take down. [MUSIC] By the summer of 2012, the FBI had enough evidence of who was

00:38:21.880 --> 00:38:27.200
running ZeuS that they issued an indictment for ten people involved with operating ZeuS malware,

00:38:27.200 --> 00:38:30.760
but they didn’t want to tip their hand and let the criminals know they were onto them, so they

00:38:30.760 --> 00:38:36.760
kept this indictment sealed and secret. But among those indicted was Slavik, the mastermind behind

00:38:36.760 --> 00:38:43.120
ZeuS. The FBI infiltrated the ZeuS network and had collected enough evidence to indict him. However,

00:38:43.120 --> 00:38:48.960
they didn’t know his real name and just indicted him under one of his online names, Lucky12345.

00:38:48.960 --> 00:38:52.840
He was being charged with conspiracy to participate in racketeering activity,

00:38:52.840 --> 00:38:57.480
bank fraud, conspiracy to violate the Computer Fraud and Abuse Act, conspiracy to violate the

00:38:57.480 --> 00:39:03.120
Identity Theft and Assumption Deterrence Act, and aggravated identity theft. Slavik was in Russia

00:39:03.120 --> 00:39:09.480
though, which was safe from the long arm of the American law. But of course, Slavik had no idea

00:39:09.480 --> 00:39:13.880
he was indicted and carried right on selling ZeuS to people, supporting the software, and

00:39:13.880 --> 00:39:22.680
using it to rob banks. In November 2012, someone using Gameover ZeuS stole over $6.9 million from

00:39:22.680 --> 00:39:28.320
a single target. If that wasn’t enough, they decided to DDoS the bank for the next few days,

00:39:28.320 --> 00:39:34.000
which meant the bank was suffering from major network outages. I mean, I guess might as well,

00:39:34.000 --> 00:39:37.760
right? If you control a whole botnet of devices, why not use it to attack your

00:39:37.760 --> 00:39:42.320
victims when they’re down just so you can make a clean getaway while they deal with the mess? Jeez,

00:39:42.320 --> 00:39:48.960
the audacity. But this $6.9 million heist was the largest known robbery done by the ZeuS malware.

00:39:48.960 --> 00:39:55.360
We don’t know who did it exactly, whether it was someone who bought it or Slavik himself. In 2013,

00:39:55.360 --> 00:39:59.520
there was another attempt to take down the botnet, this time attempted by some

00:39:59.520 --> 00:40:03.440
researchers at CrowdStrike, a security company, and they attempted to sinkhole

00:40:03.440 --> 00:40:08.160
all the domains that were involved with ZeuS and coordinated a wide-scale attack on the network.

00:40:08.160 --> 00:40:13.400
They successfully sinkholed the domains, but the ZeuS botnets continued to stay up, almost

00:40:13.400 --> 00:40:17.920
without a hitch. There was a secondary layer of redundancy that the team didn’t know about,

00:40:17.920 --> 00:40:22.720
and it just fell back onto that and kept on infecting systems and robbing banks. When

00:40:22.720 --> 00:40:27.880
a takedown attempt like this happens, Slavik is on the other side, trying hard to maintain

00:40:27.880 --> 00:40:33.320
control of the botnet and keep everything up. He knew these kinds of takedowns would be attempted

00:40:33.320 --> 00:40:39.280
and was always seemingly one step ahead and was ready, which is very impressive. I mean,

00:40:39.280 --> 00:40:44.560
imagine a major campaign where someone is trying to completely destroy your network at work. How

00:40:44.560 --> 00:40:50.480
many layers of redundancy and backup strategies do you have to fall back onto to maintain a

00:40:50.480 --> 00:40:57.840
completely functioning service for your customers? The resiliency here is just amazing. Slavik called

00:40:57.840 --> 00:41:03.480
his team the Business Club, which consisted of six members. Each member had their own specialty;

00:41:03.480 --> 00:41:07.120
some were good at tech support, others good at creating malicious software,

00:41:07.120 --> 00:41:11.840
and some were good at recruiting money mules. Together, the Business Club thought about other

00:41:11.840 --> 00:41:16.620
ways that the ZeuS botnet could make money, and that’s when it hit them; ransomware.

00:41:16.620 --> 00:41:23.240
[MUSIC] In October 2013, they decided to add the CryptoLocker ransomware into the ZeuS malware kit.

00:41:23.240 --> 00:41:28.080
Now, ZeuS infects computers and steals passwords, then listens for bank logins. But when all that’s

00:41:28.080 --> 00:41:35.320
done, it can now encrypt the system and demand payment to un-encrypt it. Truly nasty. The first

00:41:35.320 --> 00:41:40.760
major time we saw this in action was in November 2013. A police department in Massachusetts was hit

00:41:40.760 --> 00:41:47.160
with ZeuS and then the ransomware CryptoLocker. But the Business Club only demanded $750 to

00:41:47.160 --> 00:41:52.080
unlock the system, so the police department paid it, and that’s pretty cheap when you look at how

00:41:52.080 --> 00:41:58.080
much ransomware demands are today. By May of 2014, the FBI discovered the real identity

00:41:58.080 --> 00:42:04.440
of Slavik. His name was Evgeniy Bogachev. He was in his twenties, living in Anapa,

00:42:04.440 --> 00:42:09.240
Russia. They indicted him under his real name and charged him with even more counts of bank

00:42:09.240 --> 00:42:16.120
fraud and money laundering. In 2014 and 2015, the US Department of Justice spent an enormous

00:42:16.120 --> 00:42:21.840
amount of energy trying to take down the ZeuS botnet. Here is the Assistant Attorney General

00:42:21.840 --> 00:42:26.960
Leslie Caldwell of the US Department of Justice Criminal Division to explain what they did.

00:42:26.960 --> 00:42:32.520
LESLIE: So, here’s what we did; beginning in the early morning hours on this past Friday and

00:42:32.520 --> 00:42:37.960
continuing throughout the weekend, the FBI and foreign law enforcement began the coordinated

00:42:37.960 --> 00:42:43.360
seizure of computer servers around the world that were the backbone of both Gameover ZeuS and

00:42:43.360 --> 00:42:50.880
CryptoLocker. These seizures took place in Canada, France, Germany, Luxembourg, the Netherlands,

00:42:50.880 --> 00:42:56.200
the Ukraine, and the United Kingdom. Recognizing that the seizures alone would not be enough

00:42:56.200 --> 00:43:01.160
because cyber criminals can quickly establish new servers in other locations, our team began

00:43:01.160 --> 00:43:06.400
a carefully timed sequence of technical measures. These measures were designed to wrest from the

00:43:06.400 --> 00:43:12.360
criminals the ability to send commands to hundreds of thousands of infected computers and to direct

00:43:12.360 --> 00:43:18.040
those computers to contact the server that the court authorized us to establish. Working from

00:43:18.040 --> 00:43:23.000
command posts in the United States and at the European Cyber Crime Center in the Hague, the

00:43:23.000 --> 00:43:29.160
Netherlands, the FBI and our foreign counterparts, assisted by numerous private sector partners,

00:43:29.160 --> 00:43:34.120
worked around the clock to accomplish this redirection and to defeat various defenses

00:43:34.120 --> 00:43:39.080
built into the malware, as well as significant countermeasures attempted in real-time over

00:43:39.080 --> 00:43:44.440
the weekend by the cyber criminals who were trying to keep control over their network. I’m

00:43:44.440 --> 00:43:49.580
pleased to report that our actions have caused a major disruption of the Gameover ZeuS botnet.

00:43:49.580 --> 00:43:54.660
JACK: Bob Anderson of the FBI explains the extent of players involved with this takedown.

00:43:54.660 --> 00:44:01.440
BOB: Gameover ZeuS is the most sophisticated botnet the FBI and all of our allies have

00:44:01.440 --> 00:44:07.880
ever attempted to disrupt. In fact, this is the largest fusion of law enforcement and industry,

00:44:07.880 --> 00:44:15.120
partner and cooperation, ever undertaken in support of an FBI cyber operation. Today’s

00:44:15.120 --> 00:44:20.720
actions are part of an operation called Clean Slate. The FBI’s Pittsburgh, Omaha,

00:44:20.720 --> 00:44:26.400
and Washington field offices have led the Gameover ZeuS investigation with the assistance of our

00:44:26.400 --> 00:44:33.480
legal attaché offices in Canada and in Germany. Participants in the Gameover ZeuS operation

00:44:33.480 --> 00:44:41.320
include law enforcement from the Ukraine, the United Kingdom, Japan, France, the Netherlands,

00:44:41.320 --> 00:44:48.080
and Canada, as well as our European Cyber Crime Center. Among the many private sector partners

00:44:48.080 --> 00:44:53.320
who assisted by helping victims remediate the damage to their computers infected by the Gameover

00:44:53.320 --> 00:45:01.040
ZeuS botnet are as follows; the Microsoft Corporation, Dell SecureWorks, CrowdStrike,

00:45:01.040 --> 00:45:12.200
Neustar, Symantec, McAfee, F-Secure, Abuse.ch, Afilias, Level 3 Communications, and Shadowserver.

00:45:12.200 --> 00:45:16.700
JACK: The US Deputy Attorney General James Cole had some additional comments.

00:45:16.700 --> 00:45:22.560
JAMES: Today we’re here to announce that over the weekend, the department disrupted two extremely

00:45:22.560 --> 00:45:27.960
damaging cyber threats. We have also identified and charged one of the leaders of the Eastern

00:45:27.960 --> 00:45:35.480
European criminal cyber gang that is responsible for these schemes. Evgeniy Bogachev, a Russian

00:45:35.480 --> 00:45:40.680
national, has been indicted in Pittsburgh, Pennsylvania for his role as an administrator

00:45:40.680 --> 00:45:47.760
of the Gameover ZeuS botnet. Bogachev, a true 21st century criminal who commits cyber crimes across

00:45:47.760 --> 00:45:53.400
the globe with a stroke of a key and the click of a mouse is also charged in a newly unsealed

00:45:53.400 --> 00:45:58.680
criminal complaint in Omaha, Nebraska [MUSIC] for orchestrating a related botnet scheme.

00:45:58.680 --> 00:46:03.660
These crimes have earned Bogachev a place on the list of the World’s Most Wanted Cyber Criminals.

00:46:03.660 --> 00:46:12.440
JACK: A place on the FBI’s Cyber Most Wanted list. Let’s see, yep, there he is. His face is

00:46:12.440 --> 00:46:18.760
right there on the front of a big, bold Wanted poster, with some identifying details like his

00:46:18.760 --> 00:46:24.920
birthday, eye color, weight, and aliases. But there’s something about this Wanted poster that’s

00:46:24.920 --> 00:46:31.560
different than all the others on the FBI’s Cyber Most Wanted list. This one has a $3 million

00:46:31.560 --> 00:46:39.920
reward tacked onto it. This is the largest reward offered by the FBI for a wanted hacker.

00:46:39.920 --> 00:46:48.360
Huh. While the FBI put him on the Most Wanted list in 2015, Slavik still hasn’t been caught.

00:46:48.360 --> 00:46:54.640
He’s presumably still in Russia, and the FBI has tried to work with Russia to get custody of him,

00:46:54.640 --> 00:46:59.280
but despite their efforts, they have not been able to bring him to justice. In total,

00:46:59.280 --> 00:47:05.920
it’s estimated that the ZeuS botnet infected 500,000 to one million computers worldwide,

00:47:05.920 --> 00:47:11.320
and 25% of those computers were in the US. The FBI reported they estimated that the US

00:47:11.320 --> 00:47:19.160
victims lost over $100 million from fraudulent bank transfers alone, and another $27 million

00:47:19.160 --> 00:47:24.040
was collected from ransomware payments. That’s a lot of money. What’s surprising

00:47:24.040 --> 00:47:29.440
about this malware is while it’s used to rob banks, it didn’t attack the bank directly;

00:47:29.440 --> 00:47:35.880
it attacked the customers of the banks, stealing money from users’ accounts, which means a lot smaller

00:47:35.880 --> 00:47:41.400
payouts versus stealing money directly from the bank. But when you can get your malware spread on

00:47:41.400 --> 00:47:48.520
a large scale like Gameover ZeuS did, a bunch of smaller payouts add up to be quite a lot,

00:47:48.520 --> 00:47:55.704
making this one of the most sophisticated and lucrative pieces of malware ever.

00:47:55.704 --> 00:48:04.280
(OUTRO): [OUTRO MUSIC] This show is made by me, the FBI’s least wanted, Jack Rhysider.

00:48:04.280 --> 00:48:08.960
This episode was written by the crime traveler, Fiona Guy. Sound design by the splendid Andrew

00:48:08.960 --> 00:48:13.560
Meriwether, and editing help this episode by the wide-eyed Damienne. Our associate producer

00:48:13.560 --> 00:48:19.360
just back from his trip to a cyber soiree is Ray [REDACTED]. Our theme music is by the steel-toed

00:48:19.360 --> 00:48:24.080
Breakmaster Cylinder. When I was a kid, my grandpa used to tell me to get a job cleaning windows, so

00:48:24.080 --> 00:48:36.560
I did. But I was also pretty good at cleaning Macs and Linux machines, too. This is Darknet Diaries.
