Russian Citadel Malware Developer Gets 5-Year Sentence

Notorious Banking Trojan Tied to 11 Million Infections, $500 Million in Losses

Russian citizen Mark Vartanyan, aka “Kolypto,” has been sentenced to serve five years in U.S. prison after he pleaded guilty to helping develop and distribute the notorious banking Trojan called Citadel.

Mark Vartanyan, aka “Kolypto,” pleaded guilty March 20 to one count of computer fraud, for which he had faced up to 10 years imprisonment.

Prosecutor Steven Grimberg told the court Wednesday at Vartanyan’s sentencing hearing that the defendant had shown remorse and cooperated with the FBI and Justice Department, Associated Press reports. It notes that Vartanyan will get credit for time served, which includes two years spent in a Norwegian prison.

Vartanyan was extradited from Norway to the United States in December 2016, when he was 28 years old.

While Vartanyan admitted to providing software development expertise to help refine Citadel, it’s not clear if he was a major player in the cybercrime ring behind the malware.

Major Losses Tied to Citadel

Citadel – a variant of the notorious Zeus banking Trojan – first appeared for sale in 2012 on underground cybercrime marketplaces. It was offered as a malware-as-a-service product to which users subscribed.

The Justice Department has tied Citadel botnets to infections of 11 million PCs worldwide that caused more than $500 million in fraud.

The malware was used to steal funds from a number of financial services firms, including American Express, Bank of America, HSBC, PayPal, Royal Bank of Canada and Wells Fargo. But it was programmed to avoid infecting institutions in Ukraine or Russia, in what was a likely sign that its developers wanted to avoid angering authorities in those countries (see Russian Cybercrime Rule No. 1: Don’t Hack Russians).

Citadel, run by a controller who used the alias “Aquabox,” appeared to be based in Eastern Europe, according to Microsoft. Aquabox was assisted by an estimated 81 lieutenants – or botnet herders – who helped develop, distribute, update and sell the malware.

In 2013, the FBI, working with Microsoft, disrupted more than 1,000 Citadel botnets. Microsoft said 455 of those botnets were hosted in 40 U.S.-based data centers, while the rest were distributed across dozens of overseas countries.