{
	"id": "541fb629-31ce-4880-9652-34ab58047c3b",
	"created_at": "2026-04-06T00:07:31.58001Z",
	"updated_at": "2026-04-10T03:24:39.75556Z",
	"deleted_at": null,
	"sha1_hash": "28ce1c4a8de0504d34b195d8a7a4ce57f5a883c2",
	"title": "Inside the Hunt for Russia's Most Notorious Hacker",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 9203703,
	"plain_text": "Inside the Hunt for Russia's Most Notorious Hacker\r\nBy Garrett M. Graff\r\nPublished: 2017-03-21 · Archived: 2026-04-05 12:42:08 UTC\r\nhttps://www.wired.com/2017/03/russian-hacker-spy-botnet/\r\nPage 1 of 19\n\nInside the Hunt for Russia’s Most Notorious Hacker\r\nOn the morning of December 30, the day after Barack Obama imposed sanctions on Russia for interfering in the\r\n2016 US election, Tillmann Werner was sitting down to breakfast in Bonn, Germany. He spread some jam on a\r\nslice of rye bread, poured himself a cup of coffee, and settled in to check Twitter at his dining room table.\r\nThe news about the sanctions had broken overnight, so Werner, a researcher with the cybersecurity firm\r\nCrowdStrike, was still catching up on details. Following a link to an official statement, Werner saw that the White\r\nHouse had targeted a short parade’s worth of Russian names and institutions—two intelligence agencies, four\r\nsenior intelligence officials, 35 diplomats, three tech companies, two hackers. Most of the details were a blur.\r\nThen Werner stopped scrolling. His eyes locked on one name buried among the targets: Evgeniy Mikhailovich\r\nBogachev.\r\nWerner, as it happened, knew quite a bit about Evgeniy Bogachev. He knew in precise, technical detail how\r\nBogachev had managed to loot and terrorize the world’s financial systems with impunity for years. He knew what\r\nit was like to do battle with him.\r\nBut Werner had no idea what role Bogachev might have played in the US election hack. Bogachev wasn’t like the\r\nother targets—he was a bank robber. 
Maybe the most prolific bank robber in the world.\r\n“What on earth is he doing on this list?” Werner wondered.\r\nAmerica’s war with Russia’s greatest cybercriminal began in the spring of 2009, when special agent James Craig,\r\na rookie in the FBI’s Omaha, Nebraska, field office, began looking into a strange pair of electronic thefts. A\r\nsquare-jawed former marine, Craig had been an agent for just six months, but his superiors tapped him for the case\r\nanyway, because of his background: For years, he’d been an IT guy for the FBI. One of his nicknames in college\r\nwas “the silent geek.”\r\nThe leading victim in the case was a subsidiary of the payments-processing giant First Data, which lost $450,000\r\nthat May. That was quickly followed by a $100,000 theft from a client of the First National Bank of Omaha. What\r\nwas odd, Craig noticed, was that the thefts seemed to have been executed from the victims’ own IP addresses,\r\nusing their own logins and passwords. Examining their computers, he saw that they were infected with the same\r\nmalware: something called the Zeus Trojan horse.\r\nIn online security circles, Craig discovered, Zeus was notorious. Having first appeared in 2006, the malware had a\r\nreputation among both criminals and security experts as a masterpiece—smooth, effective, versatile. Its author\r\nwas a phantom. He was only known online, where he went by the handle Slavik, or lucky12345, or a half-dozen\r\nother names.\r\nZeus infected computers through fairly typical means: fake IRS emails, say, or illegitimate UPS shipping notices\r\nthat tricked recipients into downloading a file. 
But once it was on your computer, Zeus let hackers play God: They\r\ncould hijack websites and use a keystroke logger to record usernames, passwords, and PINs. Hackers could even\r\nmodify login forms to request further valuable security information: a mother’s maiden name, a Social Security\r\nnumber. The ruse is known as a “man in the browser” attack. While you sit at your computer logging into\r\nseemingly secure websites, the malware modifies pages before they load, siphoning away your credentials and\r\nyour account balance. Only when you log in from a different computer do you even realize the money is gone.\r\nBy the time Craig started his investigation, Zeus had become the digital underground’s malware of choice—the\r\nMicrosoft Office of online fraud. Slavik was something rare in the malware world: a genuine professional. He\r\nregularly updated the Zeus code, beta-testing new features. His product was endlessly adaptable, with variants\r\noptimized for different kinds of attacks and targets. A computer infected with Zeus could even be folded into a\r\nbotnet, a network of infected computers that can be harnessed together to run spam servers or distributed denial-of-service attacks, or send out more deceptive emails to spread the malware further.\r\nBut sometime shortly before Craig picked up his case in 2009, Slavik had begun to change tack. He started\r\ncultivating an inner circle of online criminals, providing a select group with a variant of his malware, called Jabber\r\nZeus. It came equipped with a Jabber instant-message plug-in, allowing the group to communicate and coordinate\r\nattacks—like in the two Omaha thefts. Rather than rely on broad infection campaigns, they began to specifically\r\ntarget corporate accountants and people with access to financial systems.\r\nAs Slavik turned increasingly to organized crime, he dramatically narrowed his retail malware business. 
In 2010\r\nhe announced his “retirement” online and then released what security researchers came to call Zeus 2.1, an\r\nadvanced version of his malware protected by an encryption key—effectively tying each copy to a specific user—\r\nwith a price tag upwards of $10,000 per copy. Now, Slavik was only dealing with an elite, ambitious group of\r\ncriminals.\r\n“We had no idea how big this case was,” Craig says. “The amount of activity from these guys was phenomenal.”\r\nOther institutions began to come forward with losses and accounts of fraud. Lots of them. Craig realized that,\r\nfrom his desk in suburban Omaha, he was chasing a well-organized international criminal network. “The victims\r\nstarted falling out of the sky,” Craig says. It dwarfed any other cybercrime the FBI had tackled before.\r\nCraig’s first major break in the case came in September 2009. With the help of some industry experts, he\r\nidentified a New York–based server that seemed to play some sort of role in the Zeus network. He obtained a\r\nsearch warrant, and an FBI forensics team copied the server’s data onto a hard drive, then overnighted it to\r\nNebraska. When an engineer in Omaha examined the results, he sat in awe for a moment. The hard drive\r\ncontained tens of thousands of lines of instant message chat logs in Russian and Ukrainian. Looking over at Craig,\r\nthe engineer said: “You have their Jabber server.”\r\nThis was the gang’s whole digital operation—a road map to the entire case. The cybersecurity firm Mandiant\r\ndispatched an engineer to Omaha for months just to help untangle the Jabber Zeus code, while the FBI began\r\ncycling in agents from other regions on 30- or 90-day assignments. Linguists across the country pitched in to\r\ndecipher the logs. 
“The slang was a challenge,” Craig says.\r\nThe messages contained references to hundreds of victims, their stolen credentials scattered in English throughout\r\nthe files. Craig and other agents started cold-calling institutions, telling them they had been hit by cyberfraud. He\r\nfound that several businesses had terminated employees they suspected of the thefts—not realizing that the\r\nindividuals’ computers had been infected by malware and their logins stolen.\r\nThe case also expanded beyond the virtual world. In New York one day in 2009, three young women from\r\nKazakhstan walked into the FBI field office there with a strange story. The women had come to the States to look\r\nfor work and found themselves participating in a curious scheme: A man would drive them to a local bank and tell\r\nthem to go inside and open a new account. They were to explain to the teller that they were students visiting for\r\nthe summer. A few days later, the man had them return to the bank and withdraw all of the money in the account;\r\nthey kept a small cut and passed the rest on to him. Agents pieced together that the women were “money mules”:\r\nTheir job was to cash out the funds that Slavik and his comrades had siphoned from legitimate accounts.\r\nBy the summer of 2010, New York investigators had put banks across the region on alert for suspicious cash-outs\r\nand told them to summon FBI agents as they occurred. The alert turned up dozens of mules withdrawing tens of\r\nthousands of dollars. Most were students or newly arrived immigrants in Brighton Beach. 
One woman explained\r\nthat she’d become a mule after a job at a grocery store fell through, telling an agent: “I could strip, or I could do\r\nthis.” Another man explained that he’d be picked up at 9 am, do cash-out runs until 3 pm, and then spend the rest\r\nof the day at the beach. Most cash-outs ran around $9,000, just enough to stay under federal reporting limits. The\r\nmule would receive 5 to 10 percent of the total, with another cut going to the recruiter. The rest of the money\r\nwould be sent overseas.\r\nThe United States, moreover, was just one market in what investigators soon realized was a multinational reign of\r\nfraud. Officials traced similar mule routes in Romania, the Czech Republic, the United Kingdom, Ukraine, and\r\nRussia. All told, investigators could attribute around $70 million to $80 million in thefts to the group—but they\r\nsuspected the total was far more than that.\r\nBanks howled at the FBI to shut the fraud down and stanch the losses. Over the summer, New York agents began\r\nto close in on high-ranking recruiters and the scheme’s masterminds in the US. Two Moldovans were arrested at a\r\nMilwaukee hotel at 11 pm following a tip; one suspect in Boston tried to flee a raid on his girlfriend’s apartment\r\nand had to be rescued from the fire escape.\r\nMeanwhile, Craig’s case in Omaha advanced against the broader Jabber Zeus gang. The FBI and the Justice\r\nDepartment had zeroed in on an area in eastern Ukraine around the city of Donetsk, where several of the Jabber\r\nZeus leaders seemed to live. Alexey Bron, known online as “thehead,” specialized in moving the gang’s money\r\naround the world. Ivan Viktorvich Klepikov, who went by the moniker “petr0vich,” ran the group’s IT\r\nmanagement, web hosting, and domain names. 
And Vyacheslav Igorevich Penchukov, a well-known local DJ who\r\nwent by the nickname “tank,” managed the whole scheme, putting him second in command to Slavik. “The\r\namount of organization these kids—they’re in their twenties—were able to pull together would’ve impressed any\r\nFortune 100 company,” Craig says. The gang poured their huge profits into expensive cars (Penchukov had a\r\npenchant for high-end BMWs and Porsches, while Klepikov preferred Subaru WRX sports sedans), and the chat\r\nlogs were filled with discussions of fancy vacations across Turkey, Crimea, and the United Arab Emirates.\r\nBy the fall of 2010, the FBI was ready to take down the network. As officials in Washington called a high-profile\r\npress conference, Craig found himself on a rickety 12-hour train ride across Ukraine to Donetsk, where he met up\r\nwith agents from the country’s security service to raid tank’s and petr0vich’s homes. Standing in petr0vich’s living\r\nroom, a Ukrainian agent told Craig to flash his FBI badge. “Show him it’s not just us,” he urged. Craig was\r\nstunned by the scene: The hacker, wearing a purple velvet smoking jacket, seemed unperturbed as agents searched\r\nhis messy apartment in a Soviet-style concrete building; his wife held their baby in the kitchen, laughing with\r\ninvestigators. “This is the gang I’ve been chasing?” Craig thought. The raids lasted well into the night, and Craig\r\ndidn’t return to his hotel until 3 am. He took nearly 20 terabytes of seized data back to Omaha.\r\nWith 39 arrests around the world—stretching across four nations—investigators managed to disrupt the network.\r\nBut crucial players slipped away. One top mule recruiter in the US fled west, staying a step ahead of investigators\r\nin Las Vegas and Los Angeles before finally escaping the country inside a shipping container. 
More important,\r\nSlavik, the mastermind himself, remained almost a complete cipher. Investigators assumed he was based in\r\nRussia. And once, in an online chat, they saw him reference that he was married. Other than that, they had\r\nnothing. The formal indictment referred to the creator of the Zeus malware using his online pseudonym. Craig\r\ndidn’t even know what his prime suspect looked like. “We have thousands of photos from tank, petr0vich—not\r\nonce did we see Slavik’s mug,” Craig says. Soon even the criminal’s online traces vanished. Slavik, whoever he\r\nwas, went dark. And after seven years of chasing Jabber Zeus, James Craig moved on to other cases.\r\nAbout a year after the FBI shut down the Jabber Zeus ring, the small community of online cybersecurity\r\nresearchers who watch for malware and botnets began to notice a new variant of Zeus emerge. The malware’s\r\nsource code had been leaked online in 2011—perhaps purposefully, perhaps not—effectively turning Zeus into an\r\nopen source project and setting off an explosion of new variants. But the version that caught the eyes of\r\nresearchers was different: more powerful and more sophisticated, particularly in its approach to assembling\r\nbotnets.\r\nUntil then, most botnets used a hub-and-spoke system—a hacker would program a single command server to\r\ndistribute orders directly to infected machines, known as zombie computers. The undead army could then be\r\ndirected to send out spam emails, distribute malware, or target websites for denial-of-service attacks. 
That hub-and-spoke design, though, made botnets relatively easy for law enforcement or security researchers to dismantle.\r\nIf you could knock the command server offline, seize it, or disrupt a hacker’s ability to communicate with it, you\r\ncould usually break the botnet.\r\nThis new Zeus variant, however, relied on both traditional command servers and peer-to-peer communication\r\nbetween zombie machines, making it extremely difficult to knock down. Infected machines kept a constantly\r\nupdated list of other infected machines. If one device sensed that its connection with the command server had\r\nbeen interrupted, it would rely on the peer-to-peer network to find a new command server.\r\nThe network, in effect, was designed from the start to be takedown-proof; as soon as one command server was\r\nknocked offline, the botnet owner could just set up a new server somewhere else and redirect the peer-to-peer\r\nnetwork to it. The new version became known as GameOver Zeus, after one of its file names, gameover2.php. The\r\nname also lent itself naturally to gallows humor: Once this thing infects your computer, went a joke among\r\nsecurity experts, it’s game over for your bank accounts.\r\nAs far as anyone could tell, GameOver Zeus was controlled by a very elite group of hackers—and the group’s\r\nleader was Slavik. He had reemerged, more powerful than ever. Slavik’s new crime ring came to be called the\r\nBusiness Club. 
A September 2011 internal announcement to the group—introducing members to a new suite of\r\nonline tools for organizing money transfers and mules—concluded with a warm welcome to Slavik’s select\r\nrecipients: “We wish you all successful and productive work.”\r\nLike the Jabber Zeus network, the Business Club’s prime directive was knocking over banks, which it did with\r\neven more ruthless inventiveness than its predecessor. The scheme was multipronged: First, the GameOver Zeus\r\nmalware would steal a user’s banking credentials, intercepting them as soon as someone with an infected\r\ncomputer logged into an online account. Then the Business Club would drain the bank account, transferring its\r\nfunds into other accounts they controlled overseas. With the theft complete, the group would use its powerful\r\nbotnet to hit the targeted financial institutions with a denial-of-service attack to distract bank employees and\r\nprevent customers from realizing their accounts had been emptied until after the money had cleared. On\r\nNovember 6, 2012, the FBI watched as the GameOver network stole $6.9 million in a single transaction, then hit\r\nthe bank with a multiday denial-of-service attack.\r\nUnlike the earlier Jabber Zeus gang, the more advanced network behind GameOver focused on larger six- and\r\nseven-figure bank thefts—a scale that made bank withdrawals in Brooklyn obsolete. Instead, they used the globe’s\r\ninterconnected banking system against itself, hiding their massive thefts inside the trillions of dollars of legitimate\r\ncommerce that slosh around the world each day. Investigators specifically identified two areas in far eastern\r\nChina, close to the Russian city of Vladivostok, from which mules funneled huge amounts of stolen money into\r\nBusiness Club accounts. The strategy, investigators realized, represented an evolutionary leap in organized crime:\r\nBank robbers no longer had to have a footprint inside the US. 
Now they could do everything remotely, never\r\ntouching a US jurisdiction. “That’s all it takes to operate with impunity,” says Leo Taddeo, a former top FBI\r\nofficial.\r\nBanks weren’t the gang’s only targets. They also raided the accounts of nonfinancial businesses large and small,\r\nnonprofits, and even individuals. In October 2013, Slavik’s group began deploying malware known as\r\nCryptoLocker, a form of ransomware that would encrypt the files upon an infected machine and force its owner to\r\npay a small fee, say, $300 to $500, to unlock the files. It quickly became a favorite tool of the cybercrime ring, in\r\npart because it helped transform dead weight into profit. The trouble with building a massive botnet focused on\r\nhigh-level financial fraud, it turns out, is that most zombie computers don’t connect to fat corporate accounts;\r\nSlavik and his associates found themselves with tens of thousands of mostly idle zombie machines. Though\r\nransomware didn’t yield huge amounts, it afforded the criminals a way to monetize these otherwise worthless\r\ninfected computers.\r\nThe concept of ransomware had been around since the 1990s, but CryptoLocker took it mainstream. Typically\r\narriving on a victim’s machine under the cover of an unassuming email attachment, the Business Club’s\r\nransomware used strong encryption and forced victims to pay using bitcoin. It was embarrassing and\r\ninconvenient, but many relented. 
The Swansea, Massachusetts, police department grumpily ponied up $750 to get\r\nback one of its computers in November 2013; the virus “is so complicated and successful that you have to buy\r\nthese bitcoins, which we had never heard of,” Swansea police lieutenant Gregory Ryan told his local newspaper.\r\nThe following month, the security firm Dell SecureWorks estimated that as many as 250,000 machines worldwide\r\nhad been infected with CryptoLocker that year. One researcher traced 771 ransoms that netted Slavik’s crew a\r\ntotal of $1.1 million. “He was one of the first to realize how desperate people would be to regain access to their\r\nfiles,” Brett Stone-Gross, a researcher with Dell SecureWorks at the time, says of Slavik. “He didn’t charge an\r\nexorbitant amount, but he made a lot of money and created a new type of online crime.”\r\nAs the GameOver network continued to gain strength, its operators kept adding revenue streams—renting out\r\ntheir network to other criminals to deliver malware and spam or to carry out projects like click fraud, ordering\r\nzombie machines to generate revenue by clicking on ads on fake websites.\r\nWith each passing week, the cost to banks, businesses, and individuals from GameOver grew. For businesses, the\r\nthefts could easily wipe out a year’s profits, or worse. Domestically, victims ranged from a regional bank in north\r\nFlorida to a Native American tribe in Washington state. As it haunted large swathes of the private sector,\r\nGameOver absorbed more and more of the efforts of the private cybersecurity industry. The sums involved were\r\nstaggering. 
“I don’t think anyone has a grasp of the full extent—one $5 million theft overshadows hundreds of\r\nsmaller thefts,” explains Michael Sandee, a security expert at the Dutch firm Fox-IT. “When a bank gets attacked\r\nen masse—100 transactions a week—you stop caring about the specific malware and the individual attacks; you\r\njust need to stop the bleeding.”\r\nMany tried. From 2011 through 2013, cybersecurity researchers and various firms mounted three attempts to take\r\ndown GameOver Zeus. Three European security researchers teamed up to make a first assault in the spring of\r\n2012. Slavik easily repelled their attack. Then, in March 2012, Microsoft’s Digital Crimes Unit took civil legal\r\naction against the network, relying upon US marshals to raid data centers in Illinois and Pennsylvania that housed\r\nZeus command-and-control servers and aiming legal action against 39 individuals thought to be associated with\r\nthe Zeus networks. (Slavik was first on the list.) But Microsoft’s plan failed to put a dent in GameOver. Instead it\r\nmerely clued Slavik in to what investigators knew about his network and allowed him to refine his tactics.\r\nBotnet fighters are a small, proud group of engineers and security researchers—self-proclaimed “internet janitors”\r\nwho work to keep online networks running smoothly. Within that group, Tillmann Werner—the tall, lanky German\r\nresearcher with the security firm CrowdStrike—had become known for his flair and enthusiasm for the work. In\r\nFebruary 2013 he seized control of the Kelihos botnet, an infamous malware network built on Viagra spam, live\r\nonstage during a presentation at the cybersecurity industry’s biggest conference. But Kelihos, he knew, was no\r\nGameOver Zeus. 
Werner had been watching GameOver since its inception, marveling at its strength and\r\nresilience.\r\nIn 2012 he had linked up with Stone-Gross—who was just a few months out of graduate school and was based in\r\nCalifornia—plus a few other researchers to map out an effort to attack GameOver. Working across two continents\r\nlargely in their spare time, the men plotted their attack via online chat. They carefully studied the previous\r\nEuropean effort, identifying where it had failed, and spent a year preparing their offensive.\r\nIn January 2013, they were ready: They stocked up on pizza, assuming they were in for a long siege against\r\nSlavik’s network. (When you go against a botnet, Werner says, “you have one shot. It either goes right or wrong.”)\r\nTheir plan was to reroute GameOver’s peer-to-peer network, centralize it, and then redirect the traffic to a new\r\nserver under their control—a process known as “sinkholing.” In doing so, they hoped to sever the botnet’s\r\ncommunication link to Slavik. And at first, everything went well. Slavik showed no signs of fighting back, and\r\nWerner and Stone-Gross watched as more and more infected computers connected to their sinkhole by the hour.\r\nAt the peak of their attack, the researchers controlled 99 percent of Slavik’s network—but they’d overlooked a\r\ncritical source of resilience in GameOver’s structure: a small subset of infected computers were still secretly\r\ncommunicating with Slavik’s command servers. “We missed that there’s a second layer of control,” Stone-Gross\r\nsays. By the second week, Slavik was able to push a software update to his whole network and reassert his\r\nauthority. 
The researchers watched with dawning horror as a new version of GameOver Zeus propagated across\r\nthe internet and Slavik’s peer-to-peer network began to reassemble. “We immediately saw what happened—we’d\r\ncompletely neglected this other channel of communication,” Werner says.\r\nThe researchers’ ploy—nine months in the making—had failed. Slavik had won. In a trollish online chat with a\r\nPolish security team, he crowed about how all the efforts to seize his network had come to naught. “I don’t think\r\nhe thought it was possible to take down his botnet,” Werner says. Dejected, the two researchers were eager to try\r\nagain. But they needed help—from Pittsburgh.\r\nOver the past decade, the FBI’s Pittsburgh field office has emerged as the source of the government’s biggest\r\ncybercrime indictments, thanks in no small part to the head of the local cybersquad there, a onetime furniture\r\nsalesman named J. Keith Mularski.\r\nAn excitable and gregarious agent who grew up around Pittsburgh, Mularski has become something of a celebrity\r\nin cybersecurity circles. He joined the FBI in the late ’90s and spent his first seven years in the bureau working\r\nespionage and terrorism cases in Washington, DC. Jumping at the chance to return home to Pittsburgh, he joined a\r\nnew cyber initiative there in 2005, despite the fact that he knew little about computers. Mularski trained on the job\r\nduring a two-year undercover investigation chasing identity thieves deep in the online forum DarkMarket. Under\r\nthe screen name Master Splyntr—a handle inspired by Teenage Mutant Ninja Turtles—Mularski managed to\r\nbecome a DarkMarket administrator, putting himself at the center of a burgeoning online criminal community. In\r\nhis guise, he even chatted online with Slavik and reviewed an early version of the Zeus malware program. 
His\r\nDarkMarket access eventually helped investigators arrest 60 people across three continents.\r\nIn the years that followed, the head of the Pittsburgh office decided to invest aggressively in combating\r\ncybercrime—a bet on its increasing importance. By 2014, the FBI agents in Mularski’s squad, together with\r\nanother squad assigned to a little-known Pittsburgh institution called the National Cyber-Forensics and Training\r\nAlliance, were prosecuting some of the Justice Department’s biggest cases. Two of Mularski’s agents, Elliott\r\nPeterson and Steven J. Lampo, were chasing the hackers behind GameOver Zeus, even as their desk-mates\r\nsimultaneously investigated a case that would ultimately indict five Chinese army hackers who had penetrated\r\ncomputer systems at Westinghouse, US Steel, and other companies to benefit Chinese industry.\r\nThe FBI’s GameOver case had been under way for about a year by the time Werner and Stone-Gross offered to\r\njoin forces with the Pittsburgh squad to take down Slavik’s botnet. If they had approached any other law-enforcement agency, the response might have been different. Government cooperation with industry was still a\r\nrelatively rare phenomenon; the Feds’ style in cyber cases was, by reputation, to hoover up industry leads without\r\nsharing information. But the team in Pittsburgh was unusually practiced at collaboration, and they knew that the\r\ntwo researchers were the best in the field. “We jumped at the chance,” Mularski says.\r\nBoth sides realized that in order to tackle the botnet, they needed to work on three simultaneous fronts. 
First, they\r\nhad to figure out once and for all who was running GameOver—what investigators call “attribution”—and build\r\nup a criminal prosecution; even after millions of dollars in thefts, neither the FBI nor the security industry had so\r\nmuch as a single Business Club member’s name. Second, they needed to take down the digital infrastructure of\r\nGameOver itself; that’s where Werner and Stone-Gross came in. And third, they needed to disable the botnet’s\r\nphysical infrastructure by assembling court orders and enlisting the help of other governments to seize its servers\r\nacross the globe. Once all that was done, they needed partners in the private sector to be ready with software\r\nupdates and security patches to help recover infected computers the moment the good guys had control of the\r\nbotnet. Absent any one of those moves, the next effort to take down GameOver Zeus was likely to fail just as the\r\nprevious ones had.\r\nWith that, Mularski’s squad began to stitch together an international partnership unlike anything the US\r\ngovernment had ever undertaken, enlisting the UK’s National Crime Agency, officials in Switzerland, the\r\nNetherlands, Ukraine, Luxembourg, and a dozen other countries, as well as industry experts at Microsoft,\r\nCrowdStrike, McAfee, Dell SecureWorks, and other companies.\r\nFirst, to help nail down Slavik’s identity and get intelligence on the Business Club, the FBI teamed up with Fox-IT, a Dutch outfit renowned for its expertise in cyberforensics. 
The Dutch researchers got to work tracing old\r\nusernames and email addresses associated with Slavik’s ring to piece together an understanding of how the group\r\noperated.\r\nThe Business Club, it turned out, was a loose confederation of about 50 criminals, who each paid an initiation fee\r\nto access GameOver’s advanced control panels. The network was run through two password-protected British\r\nwebsites, Visitcoastweekend.com and Work.businessclub.so, which contained careful records, FAQs, and a\r\n“ticket” system for resolving technical issues. When investigators got legal permission to penetrate the Business\r\nClub server, they found a highly detailed ledger tracking the group’s various ongoing frauds. “Everything radiated\r\nprofessionalism,” Fox-IT’s Michael Sandee explains. When it came to pinpointing the precise timing of\r\ntransactions between financial institutions, he says, “they probably knew better than the banks.”\r\nOne day, after months of following leads, the investigators at Fox-IT got a tip from a source about an email\r\naddress they might want to look into. It was one of many similar tips they’d chased down. “We had a lot of bread\r\ncrumbs,” Mularski says. But this one led to something vital: The team was able to trace the email address to a\r\nBritish server that Slavik used to run the Business Club’s websites. More investigative work and more court orders\r\neventually led authorities to Russian social media sites where the email address was connected to a real name:\r\nEvgeniy Mikhailovich Bogachev. At first it was meaningless to the group. 
It took weeks’ more effort to realize\r\nthat the name actually belonged to the phantom who had invented Zeus and created the Business Club.\r\nSlavik, it turned out, was a 30-year-old who lived an upper-middle-class existence in Anapa, a Russian resort city\r\non the Black Sea. Online photos showed that he enjoyed boating with his wife. The couple had a young daughter.\r\nOne photo showed Bogachev posing in leopard-print pajamas and dark sunglasses, holding a large cat. The\r\ninvestigative team realized that he had written the first draft of Zeus when he was just 22 years old.\r\nBut that wasn’t the most astounding revelation that the Dutch investigators turned up. As they continued their\r\nanalysis, they noticed that someone at the helm of GameOver had been regularly searching tens of thousands of\r\nthe botnet’s infected computers in certain countries for things like email addresses belonging to Georgian\r\nintelligence officers or leaders of elite Turkish police units, or documents that bore markings designating classified\r\nUkrainian secrets. Whoever it was was also searching for classified material linked to the Syrian conflict and\r\nRussian arms dealing. At some point, a light bulb went off. “These are espionage commands,” Sandee says.\r\nGameOver wasn’t merely a sophisticated piece of criminal malware; it was a sophisticated intelligence-gathering\r\ntool. And as best as the investigators could determine, Bogachev was the only member of the Business Club who\r\nknew about this particular feature of the botnet. He appeared to be running a covert operation right under the noses\r\nof the world’s most prolific bank robbers. 
The FBI and Fox-IT team couldn’t find specific evidence of a link\r\nbetween Bogachev and the Russian state, but some entity seemed to be feeding Slavik specific terms to search for\r\nin his vast network of zombie computers. Bogachev, it appeared, was a Russian intelligence asset.\r\nIn March 2014, investigators could even watch as an international crisis played out live inside the snow globe of\r\nBogachev’s criminal botnet. Weeks after the Sochi Olympics, Russian forces seized the Ukrainian region of\r\nCrimea and began efforts to destabilize the country’s eastern border. Right in step with the Russian campaign,\r\nBogachev redirected a section of his botnet to search for politically sensitive information on infected Ukrainian\r\ncomputers—trawling for intelligence that might help the Russians anticipate their adversaries’ next moves.\r\nThe team was able to construct a tentative theory and history of Bogachev’s spycraft. The apparent state\r\nconnection helped explain why Bogachev had been able to operate a major criminal enterprise with such impunity,\r\nbut it also shed new light on some of the milestones in the life of Zeus. The system that Slavik used to make his\r\nintelligence queries dated back approximately to the moment in 2010 when he faked his retirement and made\r\naccess to his malware far more exclusive. Perhaps Slavik had appeared on the radar of the Russian security\r\nservices at some point that year, and in exchange for a license to commit fraud without prosecution—outside\r\nRussia, of course—the state made certain demands. To carry them out with maximum efficacy and secrecy, Slavik\r\nasserted tighter control over his criminal network.\r\nThe discovery of Bogachev’s likely intelligence ties introduced some trickiness to the operation to take down\r\nGameOver—especially when it came to the prospect of enlisting Russian cooperation. Otherwise, the plan was\r\nrumbling along. 
Now that the investigators had zeroed in on Bogachev, a grand jury could finally indict him as the\r\nmastermind behind GameOver Zeus. American prosecutors scrambled to bring together civil court orders to seize\r\nand disrupt the network. “When we were really running, we had nine people working this—and we only have 55\r\ntotal,” says Michael Comber of the US Attorney’s office in Pittsburgh. Over a span of months, the team\r\npainstakingly went to internet service providers to ask permission to seize GameOver’s existing proxy servers,\r\nensuring that at the right moment, they could flip those servers and disable Slavik’s control. Meanwhile, the\r\nDepartment of Homeland Security, Carnegie Mellon, and a number of antivirus companies readied themselves to\r\nhelp customers regain access to their infected computers. Weekly conference calls spanned continents as officials\r\ncoordinated action in Britain, the US, and elsewhere.\r\nBy late spring 2014, as pro-Russian forces fought in Ukraine proper, the American-led forces got ready to move in\r\non GameOver. They’d been plotting to take down the network for more than a year, carefully reverse-engineering\r\nthe malware, covertly reading the criminal gang’s chat logs to understand the group’s psychology, and tracing the\r\nphysical infrastructure of servers that allowed the network to propagate around the globe. “By this point, these\r\nresearchers knew the malware better than the author,” says Elliott Peterson, one of the lead FBI agents on the case.\r\nAs Mularski recalls, the team checked off all the crucial boxes: “Criminally, we can do it. 
Civilly, we can do it.\r\nTechnically we can do it.” Working with a cast of dozens, communicating with more than 70 internet service\r\nproviders and a dozen other law enforcement agencies from Canada to the United Kingdom to Japan to Italy, the\r\nteam readied an attack to commence on Friday, May 30.\r\nThe week leading up to the attack was a frantic scramble. When Werner and Stone-Gross arrived in Pittsburgh,\r\nPeterson had them over to his family’s apartment, where his kids gawked at Werner and his German accent. Over\r\ndinner and Fathead beer, they took stock of their looming attempt. They were running way behind—Werner’s\r\ncode wasn’t close to being ready. Over the rest of the week, as Werner and Stone-Gross raced to finish writing,\r\nanother team assembled the last court orders, and still others ran herd on the ad hoc group of two dozen\r\ngovernments, companies, and consultants who were helping to take GameOver Zeus down. The White House had\r\nbeen briefed on the plan and was waiting for results. But the effort seemed to be coming apart at the seams.\r\nFor instance, the team had known for months that the GameOver botnet was controlled by a server in Canada. But\r\nthen, just days before the attack, they discovered that there was a second command server in Ukraine. The\r\nrealization made hearts drop. “If you’re not even aware of the second box,” Werner says, “how sure are you that\r\nthere’s not a third box?”\r\nOn Thursday, Stone-Gross carefully talked more than a dozen internet service providers through the procedures\r\nthey needed to follow as the attack launched. At the last minute, one key service provider backed out, fearful that\r\nit would incur Slavik’s wrath. 
Then, on Friday morning, Werner and Stone-Gross arrived at their office building\r\non the banks of the Monongahela River to find that one of the operation’s partners, McAfee, had prematurely\r\npublished a blog post announcing the attack on the botnet, titled “It’s ‘Game Over’ for Zeus and Cryptolocker.”\r\nAfter frantic calls to get the post taken down, the attack finally began. Canadian and Ukrainian authorities shut\r\ndown GameOver’s command servers, knocking each offline in turn. And Werner and Stone-Gross began\r\nredirecting the zombie computers into a carefully built “sinkhole” that would absorb the nefarious traffic, blocking\r\nthe Business Club’s access to its own systems. For hours, the attack went nowhere; the researchers struggled to\r\nfigure out where the bugs lay in their code.\r\nBy 1 pm, their sinkhole had drawn in only about a hundred infected computers, an infinitesimal percentage of the\r\nbotnet that had grown to as many as half a million machines. A line of officials stood behind Werner and Stone-Gross in a conference room, literally watching over their shoulders as the two engineers debugged their code.\r\n“Not to put any pressure on you,” Mularski urged at one point, “but it’d be great if you could get it running.”\r\nFinally, by evening Pittsburgh time, the traffic to their sinkhole began to climb. On the other side of the world,\r\nBogachev came online. The attack had interrupted his weekend. Perhaps he didn’t think much of it at first, given\r\nthat he had easily weathered other attempts to seize control of his botnet. “Right away, he’s kicking the tires. He\r\ndoesn’t know what we’ve done,” Peterson recalls. That night, yet again, Bogachev readied for battle—wrestling\r\nfor control of his network, testing it, redirecting traffic to new servers, and deciphering the Pittsburgh team’s\r\nmethod of attack. 
“It was cyber-hand-to-hand combat,” recalls Pittsburgh US attorney David Hickton. “It was\r\namazing to watch.”\r\nThe team was able to monitor Bogachev’s communication channels without his knowledge and knock out his\r\nTurkish proxy server. Then they watched as he tried to come back online using the anonymizing service Tor,\r\ndesperate to get some visibility into his losses. Finally, after hours of losing battles, Slavik went silent. The attack,\r\nit appeared, was more than he had bargained for. The Pittsburgh team powered on through the night. “He must’ve\r\nrealized it was law enforcement. It wasn’t just the normal researcher attack,” Stone-Gross says.\r\nBy Sunday night, nearly 60 hours in, the Pittsburgh team knew they’d won. On Monday, June 2, the FBI and\r\nJustice Department announced the takedown and unsealed a 14-count indictment against Bogachev.\r\nOver the coming weeks, Slavik and the researchers continued to do occasional battle—Slavik timed one counterattack for a moment when Werner and Stone-Gross were presenting at a conference in Montreal—but ultimately\r\nthe duo prevailed. Amazingly, more than two years later, the success has largely stuck: The botnet has never\r\nreassembled, though about 5,000 computers worldwide remain infected with Zeus malware. The industry partners\r\nare still maintaining the server sinkhole that’s swallowing up the traffic from those infected computers.\r\nFor about a year after the attack, so-called account-takeover fraud all but disappeared in the US. Researchers and\r\ninvestigators had long assumed that dozens of gangs must have been responsible for the criminal onslaught that\r\nthe industry endured between 2012 and 2014. But nearly all of the thefts came from just a small group of highly\r\nskilled criminals—the so-called Business Club. 
“You come into this and hear they’re everywhere,” Peterson says,\r\n“and actually it’s a very tiny network, and they’re much easier to disrupt than you think.”\r\nIn 2015, the State Department put a $3 million bounty on Bogachev’s head, the highest reward the US has ever\r\nposted for a cybercriminal. But he remains at large. According to US intelligence sources, the government does\r\nnot, in fact, suspect that Bogachev took part in the Russian campaign to influence the US election. Rather, the\r\nObama administration included him in the sanctions to put pressure on the Russian government. The hope is that\r\nthe Russians might be willing to hand over Bogachev as a sign of good faith, since the botnet that made him so\r\nuseful to them is defunct. Or maybe, with the added attention, someone will decide they want the $3 million\r\nreward and tip off the FBI.\r\nBut the uncomfortable truth is that Bogachev and other Russian cybercriminals lie pretty far beyond America’s\r\nreach. The huge questions that linger over the GameOver case—like those surrounding Bogachev’s precise\r\nrelationship to Russian intelligence and the full tally of his thefts, which officials can only round to the nearest\r\n$100 million or so—foreshadow the challenges that face the analysts looking into the election hacks. Fortunately,\r\nthe agents on the case have experience to draw from: The DNC breach is reportedly being investigated by the\r\nFBI’s Pittsburgh office.\r\nIn the meantime, Mularski’s squad and the cybersecurity industry have also moved on to new threats. The criminal\r\ntactics that were so novel when Bogachev helped pioneer them have now grown commonplace. The spread of\r\nransomware is accelerating. 
And today’s botnets—especially Mirai, a network of infected Internet of Things\r\ndevices—are even more dangerous than Bogachev’s creations.\r\nNobody knows what Bogachev himself might be cooking up next. Tips continue to arrive regularly in Pittsburgh\r\nregarding his whereabouts. But there are no real signs he has reemerged. At least not yet.\r\nGarrett M. Graff (@vermontgmg) wrote about James Clapper in issue 24.12.\r\nThis article appears in the April issue.\r\nSource: https://www.wired.com/2017/03/russian-hacker-spy-botnet/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.wired.com/2017/03/russian-hacker-spy-botnet/"
	],
	"report_names": [
		"russian-hacker-spy-botnet"
	],
	"threat_actors": [
		{
			"id": "dfee8b2e-d6b9-4143-a0d9-ca39396dd3bf",
			"created_at": "2022-10-25T16:07:24.467088Z",
			"updated_at": "2026-04-10T02:00:05.000485Z",
			"deleted_at": null,
			"main_name": "Circles",
			"aliases": [],
			"source_name": "ETDA:Circles",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "91ff2504-6c1a-4eaa-832b-2c5e297426c5",
			"created_at": "2022-10-25T16:47:55.740817Z",
			"updated_at": "2026-04-10T02:00:03.678203Z",
			"deleted_at": null,
			"main_name": "GOLD EVERGREEN",
			"aliases": [
				"The Business Club"
			],
			"source_name": "Secureworks:GOLD EVERGREEN",
			"tools": [
				"CryptoLocker",
				"JabberZeus",
				"Pony",
				"Zeus"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434051,
	"ts_updated_at": 1775791479,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/28ce1c4a8de0504d34b195d8a7a4ce57f5a883c2.pdf",
		"text": "https://archive.orkl.eu/28ce1c4a8de0504d34b195d8a7a4ce57f5a883c2.txt",
		"img": "https://archive.orkl.eu/28ce1c4a8de0504d34b195d8a7a4ce57f5a883c2.jpg"
	}
}