FBI agents in February 2011 searched and seized a SpyEye server they said Bendelladj operated in the Atlanta area. That server controlled more than 200 infected computers and contained information from many financial institutions, authorities said.
In June and July 2011, covert FBI sources communicated directly with Panin, who used his online nicknames, and bought a version of SpyEye.
Panin, whose real name wasn’t known at the time, and Bendelladj were indicted in December 2011.
Bendelladj was travelling from Malaysia to Egypt when he was arrested on 5 January 2013 during a stopover at Bangkok’s airport. Police seized laptops and external hard drives.
Panin was arrested the following July, when he flew through Atlanta’s airport.
Ray’s testimony offered a glimpse into the world of online marketplaces where cybercriminals advertise, buy and sell malicious software, using aliases to avoid arrest.
Panin advertised SpyEye as early as June 2010 on Darkode.com, a cybercrime forum dismantled by the FBI last July. Before it was taken down, Darkode.com was the most sophisticated of the cybercrime forums, frequented by the cybercrime elite, with access limited to those with a trusted connection, Ray said.
With the cover of anonymity and payments made through online currency servers, reputation is extremely important on cybercrime forums, Ray said. After Panin’s June 2010 posting as Gribodemon, Bendelladj — posting as Bx1 — wrote a comment saying he’d worked with him before and vouched for him.
The use of aliases can be frustrating to those who track them, said Willis McDonald, a senior threat researcher at security firm Damballa. Frequently, a cybercriminal “will disappear into the background and come up with a new alias and a new piece of malware so that trail you’ve been trying to follow to track them down vanishes and they pop up under a new name and you have to start all over again trying to figure out who they are,” he said.
That’s why disabling the infrastructure for a cybercrime network isn’t nearly as effective for stopping the spread of a particular malware as catching the creator, McDonald and Clay said. Both said SpyEye infections had dwindled to negligible numbers within about a year after Panin’s arrest.