April 2016 was a great month for putting cybercriminals in prison. On April 12, Paunch, the creator of the infamous Blackhole exploit kit, was sentenced to seven years in a Russian prison. This was soon followed by Aleksandr Panin, the creator of SpyEye, who was sentenced by a United States federal court to nine and a half years in prison. One of his partners, Hamza Bendelladj, was sentenced to fifteen years.
The most recent case involved Esthost, a company we know very well from our research. Vladimir Tsastsin became the latest member of the Esthost gang to be sentenced to jail; he will spend more than seven years in prison. He was also ordered to forfeit more than $2.5 million in property.
Trend Micro is quite familiar with all three of these cases, and was involved in building the cases against two of them. Esthost was behind the notorious DNS Changer botnet, which changed the DNS settings of victim machines so that their DNS queries were answered by servers the gang controlled. This allowed Tsastsin and his associates to profit by means such as displaying their own ads, hijacking search results, or planting malware on victim machines.
At the time of its takedown in late 2011, it was the largest botnet takedown in history. In a multi-year effort, Trend Micro was able to collect a significant amount of information concerning the activities of the entire Esthost syndicate. This information was provided to law enforcement, and was part of the legal case against Tsastsin and his accomplices.
We kept an eye on SpyEye essentially from its beginnings as a rival to ZBOT, through to its eventual merger with that better-known family. Along the way it was used by various threat actors to steal millions of dollars from users. Our investigation eventually led us to Panin and Bendelladj, who were both arrested in 2013.
A Long Road, But A Worthwhile One
The road to putting these criminals behind bars has been a long one. Researchers and law enforcement spent years working together to collect the information necessary to build a case. Lawyers and diplomats spent just as much time on the extradition proceedings so that these criminals could be brought before courts in the United States.
Has it been difficult? Yes. Has it been time-consuming? Yes. Do we all wish this entire process had been quicker and less painful? Yes. But is it worth it? Absolutely.
Understand that these are not small-time script kiddies that have been put behind bars. These are major criminals: Paunch, Panin, and Bendelladj were part of organized groups responsible for creating tools that were widely used in cybercrime communities, leading to millions of dollars in losses. Tsastsin made more than $14 million off his crimes. These were some of the largest players in the cybercrime underground of their day.
True, other actors have stepped up to the plate. However, these sentences put cybercriminals everywhere on notice that they are not free from the long arm of the law. Law enforcement agencies from around the world are now capable of acting against cybercrime more quickly—something we noted in our 2016 predictions.
Trend Micro researchers will continue to work with law enforcement in public-private partnerships (PPPs) to enhance their capabilities to investigate cybercrime, as well as to help in specific cases as needed. We hope that one day the Internet will cease to be a refuge for cybercriminals, and that they can be brought before the proper courts, wherever they may be.