{
	"id": "0fe9f749-d88e-4a7a-b356-59d1cdbd6f1d",
	"created_at": "2026-04-06T00:12:52.765769Z",
	"updated_at": "2026-04-10T03:33:15.486781Z",
	"deleted_at": null,
	"sha1_hash": "8fb9a97444f7d3e55f3e5d2f78f4838da36c6a3c",
	"title": "Top Zeus Botnet Suspect “Tank” Arrested in Geneva",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1246608,
	"plain_text": "Top Zeus Botnet Suspect “Tank” Arrested in Geneva\r\nPublished: 2022-11-15 · Archived: 2026-04-05 13:03:56 UTC\r\nVyacheslav “Tank” Penchukov, the accused 40-year-old Ukrainian leader of a prolific cybercriminal group that\r\nstole tens of millions of dollars from small to mid-sized businesses in the United States and Europe, has been\r\narrested in Switzerland, according to multiple sources.\r\nWanted Ukrainian cybercrime suspect Vyacheslav “Tank” Penchukov (right) was arrested in Geneva, Switzerland.\r\nTank was the day-to-day manager of a cybercriminal group that stole tens of millions of dollars from small to mid-sized businesses.\r\nPenchukov was named in a 2014 indictment by the U.S. Department of Justice as a top figure in the JabberZeus\r\nCrew, a small but potent cybercriminal collective from Ukraine and Russia that attacked victim companies with a\r\npowerful, custom-made version of the Zeus banking trojan.\r\nThe U.S. Federal Bureau of Investigation (FBI) declined to comment for this story. But according to multiple\r\nsources, Penchukov was arrested in Geneva, Switzerland roughly three weeks ago as he was traveling to meet up\r\nwith his wife there.\r\nhttps://krebsonsecurity.com/2022/11/top-zeus-botnet-suspect-tank-arrested-in-geneva/\r\nPage 1 of 6\n\nPenchukov is from Donetsk, a traditionally Russia-leaning region in Eastern Ukraine that was recently annexed by\r\nRussia. In his hometown, Penchukov was a well-known deejay (“DJ Slava Rich“) who enjoyed being seen riding\r\naround in his high-end BMWs and Porsches. More recently, Penchukov has been investing quite a bit in local\r\nbusinesses.\r\nThe JabberZeus crew’s name is derived from the malware they used, which was configured to send them a Jabber\r\ninstant message each time a new victim entered a one-time password code into a phishing page mimicking their\r\nbank. 
The JabberZeus gang targeted mostly small to mid-sized businesses, and they were an early pioneer of so-called “man-in-the-browser” attacks, malware that can silently siphon any data that victims submit via a web-based form.\r\nOnce inside a victim company’s bank accounts, the crooks would modify the firm’s payroll to add dozens of\r\n“money mules,” people recruited through work-at-home schemes to handle bank transfers. The mules in turn\r\nwould forward any stolen payroll deposits — minus their commissions — via wire transfer overseas.\r\nTank, a.k.a. “DJ Slava Rich,” seen here performing as a DJ in Ukraine in an undated photo from social media.\r\nThe JabberZeus malware was custom-made for the crime group by the alleged author of the Zeus trojan —\r\nEvgeniy Mikhailovich Bogachev, a top Russian cybercriminal with a $3 million bounty on his head from the\r\nFBI. Bogachev is accused of running the Gameover Zeus botnet, a massive crime machine of 500,000 to 1 million\r\ninfected PCs that was used for large DDoS attacks and for spreading Cryptolocker — a peer-to-peer ransomware\r\nthreat that was years ahead of its time.\r\nInvestigators knew Bogachev and JabberZeus were linked because for many years they were reading the private\r\nJabber chats between and among members of the JabberZeus crew, and Bogachev’s monitored aliases were in\r\nsemi-regular contact with the group about updates to the malware.\r\nGary Warner, director of research in computer forensics at the University of Alabama at Birmingham, noted in\r\nhis blog from 2014 that Tank told co-conspirators in a JabberZeus chat on July 22, 2009 that his daughter,\r\nMiloslava, had been born and gave her birth weight.\r\n“A search of Ukrainian birth records only showed one girl named Miloslava with that birth weight born on that\r\nday,” Warner wrote. 
This was enough to positively identify Tank as Penchukov, Warner said.\r\nUltimately, Penchukov’s political connections helped him evade prosecution by Ukrainian cybercrime\r\ninvestigators for many years. The late son of former Ukrainian President Victor Yanukovych (Victor Yanukovych\r\nJr.) would serve as godfather to Tank’s daughter Miloslava. Through his connections to the Yanukovych family,\r\nTank was able to establish contact with key insiders in top tiers of the Ukrainian government, including law\r\nenforcement.\r\nSources briefed on the investigation into Penchukov said that in 2010 — at a time when the Security Service of\r\nUkraine (SBU) was preparing to serve search warrants on Tank and his crew — Tank received a tip that the SBU\r\nwas coming to raid his home. That warning gave Tank ample time to destroy important evidence against the\r\ngroup, and to avoid being home when the raids happened. Those sources also said Tank used his contacts to have\r\nthe investigation into his crew moved to a different unit that was headed by his corrupt SBU contact.\r\nWriting for Technology Review, Patrick Howell O’Neil recounted how SBU agents in 2010 were trailing Tank\r\naround the city, watching closely as he moved between nightclubs and his apartment.\r\n“In early October, the Ukrainian surveillance team said they’d lost him,” he wrote. “The Americans were unhappy,\r\nand a little surprised. But they were also resigned to what they saw as the realities of working in Ukraine. The\r\ncountry had a notorious corruption problem. 
The running joke was that it was easy to find the SBU’s\r\nanticorruption unit—just look for the parking lot full of BMWs.”\r\nAUTHOR’S NOTE/BACKGROUND\r\nI first encountered Tank and the JabberZeus crew roughly 14 years ago as a reporter for The Washington Post,\r\nafter a trusted source confided that he’d secretly gained access to the group’s private Jabber conversations.\r\nFrom reading those discussions each day, it became clear Tank was nominally in charge of the Ukrainian crew,\r\nand that he spent much of his time overseeing the activities of the money mule recruiters — which were an\r\nintegral part of their victim cashout scheme.\r\nIt was soon discovered that the phony corporate websites the money mule recruiters used to manage new hires had\r\na security weakness that allowed anyone who signed up at the portal to view messages for every other user. A\r\nscraping tool was built to harvest these money mule recruitment messages, and at the height of the JabberZeus\r\ngang’s activity in 2010 that scraper was monitoring messages on close to a dozen different money mule\r\nrecruitment sites, each managing hundreds of “employees.”\r\nEach mule was given busy work or menial tasks for a few days or weeks prior to being asked to handle money\r\ntransfers. I believe this was an effort to weed out unreliable money mules. After all, those who showed up late for\r\nwork tended to cost the crooks a lot of money, as the victim’s bank would usually try to reverse any transfers that\r\nhadn’t already been withdrawn by the mules.\r\nWhen it came time to transfer stolen funds, the recruiters would send a message through the fake company\r\nwebsite saying something like: “Good morning [mule name here]. Our client — XYZ Corp. — is sending you\r\nsome money today. 
Please visit your bank now and withdraw this payment in cash, and then wire the funds in\r\nequal payments — minus your commission — to these three individuals in Eastern Europe.”\r\nOnly, in every case the company mentioned as the “client” was in fact a small business whose payroll accounts\r\nthey’d already hacked into.\r\nSo, each day for several years my morning routine went as follows: Make a pot of coffee; shuffle over to the\r\ncomputer and view the messages Tank and his co-conspirators had sent to their money mules over the previous\r\n12-24 hours; look up the victim company names in Google; pick up the phone to warn each that they were in the\r\nprocess of being robbed by the Russian Cyber Mob.\r\nMy spiel on all of these calls was more or less the same: “You probably have no idea who I am, but here’s all my\r\ncontact info and what I do. Your payroll accounts have been hacked, and you’re about to lose a great deal of\r\nmoney. You should contact your bank immediately and have them put a hold on any pending transfers before it’s\r\ntoo late. Feel free to call me back afterwards if you want more information about how I know all this, but for now\r\nplease just call or visit your bank.”\r\nIn many instances, my call would come in just minutes or hours before an unauthorized payroll batch was\r\nprocessed by the victim company’s bank, and some of those notifications prevented what otherwise would have\r\nbeen enormous losses — often several times the amount of the organization’s normal weekly payroll. At some\r\npoint I stopped counting how many tens of thousands of dollars those calls saved victims, but over several years it\r\nwas probably in the millions.\r\nJust as often, the victim company would suspect that I was somehow involved in the robbery, and soon after\r\nalerting them I would receive a call from an FBI agent or from a police officer in the victim’s hometown. 
Those\r\nwere always interesting conversations.\r\nCollectively, these notifications to victims led to dozens of stories over several years about small businesses\r\nbattling their financial institutions to recover their losses. I never wrote about a single victim that wasn’t okay with\r\nmy calling attention to their plight and to the sophistication of the threat facing other companies.\r\nThis incessant meddling on my part very much aggravated Tank, who on more than one occasion expressed\r\nmystification as to how I knew so much about their operations and victims. Here’s a snippet from one of their\r\nJabber chats in 2009, after I’d written a story for The Washington Post about their efforts to steal $415,000 from\r\nthe coffers of Bullitt County, Kentucky. In the chat below, “lucky12345” is the Zeus author Bogachev:\r\ntank: Are you there?\r\ntank: This is what they damn wrote about me.\r\ntank: http://voices.washingtonpost.com/securityfix/2009/07/an_odyssey_of_fraud_part_ii.html#more\r\ntank: I’ll take a quick look at history\r\ntank: Originator: BULLITT COUNTY FISCAL Company: Bullitt County Fiscal Court\r\ntank: Well, you got [it] from that cash-in.\r\nlucky12345: From 200K?\r\ntank: Well, they are not the right amounts and the cash out from that account was shitty.\r\ntank: Levak was written there.\r\ntank: Because now the entire USA knows about Zeus.\r\ntank: 😀\r\nlucky12345: It’s fucked.\r\nOn Dec. 13, 2009, one of Tank’s top money mule recruiters — a crook who used the pseudonym “Jim Rogers” —\r\ntold his boss something I hadn’t shared beyond a few trusted confidants at that point: That The Washington Post\r\nhad eliminated my job in the process of merging the newspaper’s Web site (where I worked at the time) with the\r\ndead tree edition.\r\njim_rogers: There is a rumor that our favorite (Brian) didn’t get his contract extension at Washington\r\nPost. 
We are giddily awaiting confirmation 🙂 Good news expected exactly by the New Year! Besides\r\nus no one reads his column 🙂\r\ntank: Mr. Fucking Brian Fucking Kerbs!\r\nAnother member of the JabberZeus crew — Ukrainian-born Maksim “Aqua” Yakubets — also is currently\r\nwanted by the FBI, which is offering a $5 million reward for information leading to his arrest and conviction.\r\nAlleged “Evil Corp” bigwig Maksim “Aqua” Yakubets. Image: FBI\r\nUpdate, Nov. 16, 2022, 7:55 p.m. ET: Multiple media outlets are reporting that Swiss authorities confirmed they\r\narrested a Ukrainian national wanted on cybercrime charges. The arrest occurred in Geneva on Oct. 23, 2022.\r\n“The US authorities accuse the prosecuted person of extortion, bank fraud and identity theft, among other things,”\r\nreads a statement from the Swiss Federal Office of Justice (FOJ).\r\n“During the hearing on 24 October, 2022, the person did not consent to his extradition to the USA via a simplified\r\nproceeding,” the FOJ continued. “After completion of the formal extradition procedure, the FOJ has decided to\r\ngrant his extradition to the USA on 15 November, 2022. The decision of the FOJ may be appealed at the Swiss\r\nCriminal Federal Court, respectively at the Swiss Supreme Court.”\r\nSource: https://krebsonsecurity.com/2022/11/top-zeus-botnet-suspect-tank-arrested-in-geneva/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://krebsonsecurity.com/2022/11/top-zeus-botnet-suspect-tank-arrested-in-geneva/"
	],
	"report_names": [
		"top-zeus-botnet-suspect-tank-arrested-in-geneva"
	],
	"threat_actors": [
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider ",
				"Manatee Tempest "
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6c4f98b3-fe14-42d6-beaa-866395455e52",
			"created_at": "2023-01-06T13:46:39.169554Z",
			"updated_at": "2026-04-10T02:00:03.23458Z",
			"deleted_at": null,
			"main_name": "Evil Corp",
			"aliases": [
				"GOLD DRAKE"
			],
			"source_name": "MISPGALAXY:Evil Corp",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434372,
	"ts_updated_at": 1775791995,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8fb9a97444f7d3e55f3e5d2f78f4838da36c6a3c.pdf",
		"text": "https://archive.orkl.eu/8fb9a97444f7d3e55f3e5d2f78f4838da36c6a3c.txt",
		"img": "https://archive.orkl.eu/8fb9a97444f7d3e55f3e5d2f78f4838da36c6a3c.jpg"
	}
}