A recent conviction of a proven cyber criminal is showing just how seriously prosecutors are taking hacking. Aleksandr Andreevich Panin, a 24-year-old hacker who used the online names "Gribodemon" and "Harderman," has been convicted by U.S. prosecutors for creating the Trojan called SpyEye.
This piece of malware worked by infecting computers of unsuspecting victims, gaining access to banking information that would then be used to drain the target's account. For his leading role in the theft of nearly $500 million, both in the U.S. and on the international scene, Panin received a nine-and-a-half-year prison sentence.
SpyEye's reach was huge
Although Panin's sentencing happened this year, the story of his criminal acts actually began years ago. The whole debacle started in 2009 when Panin created SpyEye. After recognizing its value on the black market, Panin scoured online forums to find prospective buyers. By September 2010, his malware had spread so far that a server running SpyEye was found to be targeting Polish users.
This criminal success continued for some time, as Panin and his compatriots racked up millions of dollars. However, as it always does in these kinds of situations, the fun had to stop sometime. This moment came for Panin in July 2013 when he was arrested in the Dominican Republic. About six months later, the hacker pled guilty to wire and bank fraud.
The capture of Panin, along with the arrest of his accomplice Hamza Bendelladj in January 2013, was the culmination of efforts by Trend Micro researchers along with the FBI and other agencies. In fact, Trend Micro's involvement in this case began long before Panin's identity was known. Our experts were following a hacker named "Soldier," who was using SpyEye to rake in around $17,000 a day in 2011.
Although extremely malicious, "Soldier's" involvement in the SpyEye criminal ring is certainly interesting. The person behind these attacks didn't just focus his efforts on individuals or financial institutions, as others often do. The list of systems infected with SpyEye under "Soldier's" command ranged from U.S. military institutions to airports, showing just how widespread these attacks can be.
However, as the money continued to roll in for these criminals, our researchers began to look for the head of the operation. This began by zeroing in on the online nicknames of the most important people within this enterprise. Once this was accomplished, Trend Micro security experts monitored Internet forums known to harbor cyber criminals, which is where we collected the email addresses and other identifying information of both Panin and Bendelladj. This data was then handed off to the FBI, where it was used to track down both hackers.
During its reign of terror, SpyEye is thought to have stolen from more than 100 thousand bank accounts from all around the world. Like most hacking campaigns, such a high number of successful attacks translated to even more infected machines. SpyEye compromised more than 1.4 million computers during its years of operation.
Clearly, with so much money stolen and so many personal privacies violated, it isn't hard to see why Panin received the sentence that he did. In fact, it's very possible that he could have gotten an even harsher sentence had he not decided to cooperate. Pleading guilty in 2014 may not have wiped the slate clean, but cooperating with prosecutors almost always results in shorter prison time.
Helping hackers is a crime, too
As Panin's case shows, developing malware used to steal money from innocent people can very easily end in tremendously negative repercussions. However, it's also important to realize that the person at the top of the pyramid isn't the only one breaking the law. Knowingly taking part in illegal activities, regardless of initial intent or level of involvement, can still get someone in a lot of hot water.
A recent example of this is the sentencing of Matthew Keys, a journalist who leveraged his past work experience to help Anonymous hack the Los Angeles Times. Keys once worked for a company associated with the Times, with each organization using the same content management system, according to The Verge. This software is used by journalists to submit new stories and alter old ones.
Due to his past experience working with this system, Keys had login credentials that he handed over to Anonymous members. These individuals then went on to illegally alter a story on the company's website.
Although this may seem like a benign action to some, illegal digital activities such as this are taken very seriously by U.S. prosecutors. In fact, Keys was found to be in violation of the Computer Fraud and Abuse Act. With three counts of hacking levied against him for his involvement in this affair, Keys was looking at up to 25 years in prison.
After much deliberation, Keys was eventually sentenced to 24 months. While that is certainly less than the maximum penalty of 25 years that he faced, Keys has argued that he did nothing wrong, and will attempt to appeal this sentence. Regardless, it appears the U.S. legal system is attempting to remind the general public that hacking of any kind will not be tolerated.
The law needs to be defined more clearly
Despite Panin's very cut-and-dried hacking campaign, the legality of online activities can often seem fuzzy. Keys' case shows prosecutors are willing to go after someone for handing out private login credentials, but it also means the U.S. government will be working with a zero-tolerance policy for involvement within cyber crime.
Although going after hackers is certainly beneficial to the average Internet user, many see this as a slippery slope. The CFAA is seen by many as being extremely broad, with Samantha Jensen devoting an entire paper in the Hamline Law Review to the act's seeming oversight. Jensen viewed certain terms within the act as being all-encompassing, allowing legal figures to overreach.
"Whether the CFAA is limited to hacking or extends to employees who misuse company computers hinges entirely on how a court interprets the terms 'without authorization' and 'exceeds authorized access,'" said Jensen.
The problem with this is the fact that authorization isn't exactly a well-defined term within the act. Jensen stated that some courts won't pursue legal action under the CFAA if an employee was given access to a database before using the information for nefarious affairs. This worker was already given authorization to access this information, and therefore is not violating the CFAA, according to certain officials.
However, other courts view this as breaking the CFAA due to a stressing of "exceeds authorized access." Misusing company information is seen as going beyond what the employer originally intended, and this employee is therefore actually performing an illegal act.
As it stands, whether or not a person is in violation of the CFAA depends very much upon where they live. Prosecutors were obviously attempting to make an example of Keys, but other districts may not have found his actions to be breaking the CFAA. Keys sees this discrepancy in the law, and is working with his current legal team to change how the CFAA is viewed.
Regardless of what happens to the CFAA, it's up to users to understand what's expected of them. Company information is private for a reason, and a best-case scenario of mishandling this data still involves a loss of trust from an employer. Employees should take note and think through their actions carefully. Cyber crime is taken extremely seriously by legal authorities, and if it feels illegal, it probably is.