The Hunt for the Financial Industry's Most-Wanted Hacker

The malware known as ZeuS and its rogue creator have been at the cutting edge of cyber-crime for nearly a decade

In any global outbreak, it’s important to identify Patient Zero. In the movies, you get a leggy Gwyneth Paltrow. In the nine-year online epidemic that helped create cybercrime as we know it, you get “fliime.”

That was the name used by somebody who went on the online forum Techsupportguy.com on October 11, 2006, at 2:24 a.m., saying he’d found some bad code on his sister’s computer. “Could someone please take a look at this,” he wrote.

Fliime probably didn’t realize this was history in the making. But the malicious program that had burrowed into the PC was a new breed, capable of vacuuming up more user logins and website passwords in one day than competing malware did in weeks. With repeated enhancements, the malware and its offspring became juggernauts of cyber bank robbery—turning millions of computers into global networks of zombie machines enslaved by criminals. Conservative estimates of their haul reach well into hundreds of millions of dollars.

Investigators studying the code knew its creator only by aliases that changed almost as frequently as the malware itself: A-Z, Monstr, Slavik, Pollingsoon, Umbro, Lucky1235. But the mystery coder gave his product a name with staying power; he called it ZeuS. Like the procreation-minded god of Greek mythology, this ZeuS fathered powerful descendants—and became a case study of the modern cybercrime industry.

This is the story of a nasty piece of code, and the hunt for its creator. 

Photographer: Asger Carlsen for Bloomberg Businessweek; Set Design: Dave Bryant

A few months before ZeuS made its debut on fliime’s sister’s computer, Don Jackson landed his dream job at Dell SecureWorks, a cybersecurity outfit that works closely with the U.S. government and Fortune 500 companies. He’d spent the previous eight years in information security at Blue Cross Blue Shield in Atlanta. It was the equivalent of graduating from neighborhood beat cop to elite SWAT team member.

Jackson, an Alabama native who speaks at a cautious pace and projects zero swagger, came well prepared. As a side project to his day job, he’d taught himself to read and write Russian and had begun frequenting online forums popular among cybercriminals, posing as a crooked coder.

There, ZeuS caused an immediate sensation; Jackson had never seen such intense interest in a new piece of malware. Writing malicious code is no easier than creating legitimate software. Do it sloppily, and your malware will alert victims by slowing down their computers, interfering with other programs or crashing entire systems. ZeuS operated seamlessly, Jackson says. Beyond that, its author maintained a feverish pace of improvements.

“It was just a bestseller,” Jackson says. “People just loved it. It was a living coding project, and it had all the state-of-the-art features.”

By mid-2007, ZeuS had evolved into something like enterprise software, bundling together all the tools for a DIY cyber-theft operation. Crucially, the package included features to track and manage machines it infected, making it much easier to build zombie networks. These so-called botnets are the foundation for online scams of every stripe. They’re not only sources for the data harvested from each of the computers; they’re also a force multiplier that hackers can use to unleash floods of spam and heavy traffic to shut down targeted sites.

Within a year of its introduction, the software was developing ways to foil malware hunters—the human kind like Jackson as well as automated antivirus programs. Once inside a new computer, ZeuS rejiggered its own code, altering the patterns that antivirus would look for. Hackers could also turn on a feature that sent stolen data through “proxy servers”—fake locations that hid the real path and destination and complicated the task of retrieving it.

All this Jackson tracked as SecureWorks clients became infected and sought the company’s help, sending in samples of code that he deconstructed and analyzed. By June 2007, he’d begun to realize the scope of the problem: Just two gangs of attackers were collecting more than a gigabyte, or about a billion characters, of stolen data from 10,000 infected machines daily, he wrote in a report that month.

“Nobody knows how many people purchased the Trojan code, how many attacks are underway, and how many are planned,” Jackson wrote. “Meanwhile, corporate PCs and home PC users are bleeding sensitive information by the gigabytes.”

The situation quickly got worse, though few besides Jackson and his colleagues realized it. Most of the technology world was too busy with the iPhone, which Apple launched on June 29, 2007. Almost immediately, consumers began receiving e-mails promising links to free iPhone screensavers. Those who clicked them ended up with the latest ZeuS variant instead. When Jackson got his hands on the new code, he couldn’t believe his eyes.

The code now allowed hackers to insert themselves into the middle of an online banking session. First, they combed through stolen data to identify infected machines that had access to commercial bank accounts, where even large transfers wouldn’t raise alarms. Whenever one such machine logged into a bank website, the hacker could see it on an administration interface that came bundled in the ZeuS kit and piggyback onto the legitimate session. The victim might see on his screen a page citing delays because of maintenance or a box asking for a PIN code or Social Security number, while the hacker used the stolen access to clean out the account. It was a nightmare for bank security; victims had logged themselves in, so the sessions seemed 100 percent legitimate.

Competing malware tried the same thing with stolen credentials but tripped fraud alerts by failing to mimic a human’s requests closely enough, according to Jackson. This code was clearly the work of a serious programmer, someone who brought a new level of rigor to malware creation.

Jackson knew that someone claiming to be ZeuS’s author hung out on a private forum called Mazafaka, under the handle A-Z. Under the pretense of buying A-Z’s wares, the investigator struck up a correspondence. A-Z owned a boat and liked to sail, Jackson learned, and lusted after a Mercedes-Benz SLR. The hacker mentioned a university in Moscow and schooling in St. Petersburg, but it wasn’t ever clear whether he’d had formal training or legitimate employment.

His product was expensive, around $3,000 for the basic model, with add-ons that cost still more. That summer, customers who expected service to match the price grew restless. Message boards lit up with complaints that A-Z wasn’t keeping up, and competitors began reverse-engineering the code, undercutting the market with cheap or free pirated copies. By August 2007, A-Z announced online that he was closing up shop and ending sales of ZeuS. 

That turned out to be a feint. ZeuS reemerged in 2008 with something rare in the chaotic world of malware: an end-user agreement. Don’t redistribute, don’t study the code, don’t send it to antivirus companies. It’s not clear whether anybody ever broke those rules, nor whether ZeuS’s maker ever held anybody accountable, but it signaled he was serious about protecting his IP. By 2009, the malware’s protection had evolved into a hardware-based license: Each buyer got an encrypted file that could be unlocked only with a key unique to his or her computer. There’d be no sharing.

No one knew for sure whether the reemergent ZeuS was the work of the same coder who’d introduced it originally. But the drive to innovate remained constant. Using the aliases Monstr and Slavik, the author circulated new test features only to a trusted group of clients. He worked mainly with a gang called JabberZeuS, so named after the code incorporated a chat module based on IM software Jabber, starting in 2009, that sent stolen credentials in real time by instant message. Now the hackers also had an option to take virtual control of a victim computer—something like when tech support remotes into your PC to fix a problem. That add-on alone cost $10,000, the price for getting around high-security settings that required any banking activity to come from a predesignated computer.

The choreography could be intricate, but it was extremely effective. In Bullitt County, Ky., just south of Louisville, JabberZeuS hackers infected the county treasurer’s computer, stealing the login and password for the county's bank account. Then they changed the password on the county’s bank account as well as the contact e-mail of record—meaning that security codes would be sent straight to them. They added fictitious employees to the county payroll, then authorized automatic transfers to the bogus workers, wiring out more than $400,000, according to documents in a later lawsuit. Money mules—people hired to pretend to be the fake employees receiving the fake paychecks—picked up the money and carted it off.

One security company, Damballa, estimated that ZeuS had infected 3.6 million computers in the U.S. in 2009, making it the top botnet threat. The JabberZeuS botnet was responsible that year for at least $100 million in bank losses—more than all traditional, non-cyber crime against banks put together, according to SecureWorks.

In May 2009, a rash of fraudulent electronic payments from banks spurred the FBI into action. The subsequent investigation, dubbed Operation Trident Breach, found a long list of victims, including a sisterhood of Franciscan nuns in Chicago and the Massachusetts town of Egremont. It took a year and a half, but on Sept. 30, 2010, law enforcement in the U.S., Ukraine, and the U.K. arrested or detained more than 150 people.

Mark Patterson, whose construction company, Patco, was robbed of $588,000 in 2009 by ZeuS Trojan.
Mark Patterson, whose construction company, Patco, was robbed of $588,000 in 2009 by ZeuS Trojan.
Photographer: Craig Dilger/The New York Times via Redux

The arrestees were part of the constellation around a Ukrainian gang that broke into the computers of 390 U.S. companies and used more than 3,500 money mules, according to the FBI. All told, victims’ bank accounts were hit with losses of $70 million.

During the JabberZeuS investigation, Jackson discovered an important clue—not to who the coder was, but to where he was. Jackson found a computer that had been used as a temporary botnet control center. On it was a photo of a man in sunglasses, flashing three fingers in front of his chest. Behind him, visible through windows onto a street, was a palm tree. Jackson passed the image on to an Air Force researcher he’d met. A month later, an answer came back: It looked like the photo was taken in Anapa, Russia, a Black Sea resort town.

The program’s author wasn’t among those arrested, but days after law enforcement pounced, the cybercrime world got another shock: ZeuS and its biggest competitor, SpyEye, planned to merge. SpyEye’s creator, known as Harderman or Gribodemon, had first gained notoriety by promoting his malware as a “ZeuS Killer.” Now he announced he was taking over his rival.

“Good day!” He posted in Russian on one black-market forum. “I will service the Zeus product beginning today and from here on. I have been given the source codes free of charge so that clients who bought the software are not left without tech support. Slavik doesn’t support the product anymore. … He asked me to pass on that he was happy to work with everyone.”

It was an effective disappearing trick, though the deal proved short-lived. In May 2011, the ZeuS source code leaked online. Some researchers think it was Gribodemon behind the leak, some theorize it was the ZeuS author himself. By accident or by design, ZeuS was now in effect an open source project—and that turned out to be a great business strategy, says Sean Sullivan, a security adviser for F-Secure, a Helsinki-based cybersecurity company. Previously, the ZeuS author had a business he couldn’t scale without making himself too big a target for law enforcement. (Witness the JabberZeuS arrests.) The leak allowed him to focus on new money-making ventures, while investigators were distracted by a new generation of ZeuS offspring.

“So now law enforcement can’t see the forest for the trees,” Sullivan says. 

The comeback for the creator of ZeuS took shape in a private botnet venture that began to raise alarm bells in late 2011. Instead of selling the malware for criminals to build their own botnets, he and his new gang built their own and rented parts of it out to other criminals for a fee. That way, the coder could become the administrator of his own botnet and control the operation’s security himself.

In January 2012, the FBI issued a warning to companies to beware of a new ZeuS variant spreading through e-mails that purported to be from government agencies, including the Fed and the FDIC. The malware was “appropriately called 'Gameover,'” according to the FBI, because “once the crooks get into your bank account, it’s definitely ‘game over.’” The malware had some dastardly new functionality, including launching denial-of-service attacks to distract bank security and delay discovery of fraudulent transactions. By July, the Gameover bot stretched to an estimated 1.6 million computers.

As banks got better at defending themselves against ZeuS’s predations, the Gameover gang developed a novel business model to supplement bank robbery: ransom.

The new malware, distributed in spam sent over the Gameover botnet, appeared in 2013. Unwary people who clicked on e-mailed links received an ominous message: All your files have just been encrypted; pay ransom of several hundred dollars or you’ll never get access again. Other forms of ransomware were essentially big bluffs—the files weren’t really encrypted. This version, called Cryptolocker, was not, and researchers couldn’t find any way to break it.

For two years the FBI watched the botnet grow with no idea how to attack it, says Thomas Grasso, a supervisory special agent in the FBI’s Cyber division based in Pittsburgh. It appeared that the criminals had built an unassailable fortress.

In previous ZeuS botnets, the weakest link was the command and control servers through which hackers issued commands to infected computers and the computers sent stolen data back. Those servers gave investigators something like a fixed address to go after, often through domain names hard-coded into the malicious software. Gameover ZeuS hid the command centers by constantly changing their location on the Internet and diverting traffic through up to 2,000 proxy servers. Gameover also deployed a decentralized structure: Infected computers could pass commands among each other, peer to peer, rather than each separately communicating with a command server.

“They looked at things that the good guys had done in the past, both law enforcement and private sector, to affect botnets, and they built this in such a way as to be impervious,” says Grasso. “And to be quite honest with you, we really thought it was.” 

The breakthrough came in the fall of 2013, says Grasso, when private partners, including SecureWorks, came up with a way to break the botnet. Grasso helped coordinate a team of about 10 FBI agents and private researchers from some 20 different companies to take down the bot by slowly placing moles inside the system—gradually swapping in government-controlled computers and servers for malicious ones and seizing control of proxy addresses. Then they got court orders allowing them to seize and redirect the botnet’s administration to their own servers. On June 2, 2014, the FBI and the Department of Justice announced the takedown, along with another piece of news: the name of the man they called ZeuS’s creator.

Source: FBI via Bloomberg

A court document unsealed that day showed that he’d been betrayed not by his code but by a human traitor. The tipster had handed the FBI an e-mail address used by the Gameover ZeuS administrator. That led them to Evgeniy Mikhailovich Bogachev, a 30-year-old with a shaved head.

And yes, he was a resident of Anapa, the Black Sea resort with the tell-tale palm tree that Jackson had spotted years earlier. Bogachev would have been all of 22 when ZeuS first appeared on Techsupportguy.com. He remains at large.

Some of his coder brethren have drifted, one by one, into the hands of law enforcement. The U.S. got SpyEye’s author, Aleksandr Panin, as he passed through the Atlanta airport in July 2013. He pleaded guilty, and awaits sentencing—perhaps as long as 30 years. Neither Panin nor Bogachev could be reached for comment.

FBI Assistant Director for Cyber Security Joseph Demarest (right) listens while U.S. Attorney for the Western District of Pennsylvania David Hickton speaks during a briefing at the Foreign Press Center Feb. 24 in Washington.
FBI Assistant Director for Cyber Security Joseph Demarest (right) listens while U.S. Attorney for the Western District of Pennsylvania David Hickton speaks during a briefing at the Foreign Press Center Feb. 24 in Washington.
Photographer: Brendan Smialowski/AFP/Getty Images

In February, the FBI announced a $3 million reward for information that could lead to his arrest, the biggest bounty ever put on a cybercriminal.

“We are not going to allow people to commit crimes and get away with it just because it’s difficult to try and capture them,” says David Hickton, the U.S. attorney for the Western District of Pennsylvania, where the charges were brought.

ZeuS, meanwhile, has become a permanent gift to the cyber underground. SecureWorks documented attacks that targeted more than 1,400 financial institutions across more than 80 countries—just from 2014 through March 2015. Since the ZeuS source code leak, almost all banking malware has incorporated its features, according to SecureWorks.

Jackson moved to Charleston, S.C., last year to become director of threat intelligence at PhishLabs, another cybersecurity company. Last June, soon after the takedown, he marveled at the ZeuS author’s ability to avoid capture.

“To create a tool that may be responsible since its inception for a billion dollars in damages, and still to evade arrest despite all that up to this point, is just amazing to me,” Jackson said. “Until he’s in custody, and he’s in custody somewhere where he’ll stay in custody, I don’t think we’ll see the last of it.”