Skip links

Zeus, IcedID malware kingpin faces 40 years in slammer

A Ukrainian cybercrime kingpin who ran some of the most pervasive malware operations faces 40 years in prison after spending nearly a decade on the FBI’s Cyber Most Wanted List.

Vyacheslav Igorevich Penchukov, 37, pleaded guilty to two counts related to his leadership role in both the Zeus and IcedID malware operations this week, netting millions of dollars in the process.

Penchukov’s plea will be seen as the latest big win for US law enforcement in its continued fight against cybercrime and those that enable it.

However, authorities took their time getting him in ‘cuffs. Penchukov first became involved in the Zeus banking trojan as early as May 2009 but was only arrested over a decade later in Geneva, Switzerland in 2022.

Zeus’ primary goals were to recruit machines into its botnet and to act as a banking trojan, stealing various information used for financial fraud, such as bank account information, passwords, and PINs. 

“Penchukov and his co-conspirators then falsely represented to banks that they were employees of the victims and authorized to make transfers of funds from the victims’ bank accounts, causing the banks to make unauthorized transfers of funds from the victims’ accounts, resulting in millions of dollars in losses to the victims,” said the Department of Justice on Thursday.

“The enterprise used residents of the United States and elsewhere as ‘money mules to receive wired funds from victims’ bank accounts into their own bank accounts, who then withdrew and wired funds overseas to accounts controlled by Penchukov’s co-conspirators.”

The FBI et al dismantled Zeus in 2014 after previously claiming that one of its variants, Gameover Zeus, had infected up to 1 million PCs globally, causing in excess of $100 million in losses.

Like many other major malware strains that have come and gone, Zeus also had various different versions and iterations developed based on its source code. 

The SpyEye RAT, for example, was developed as a successor to Zeus and was armed with a number of additional features such as keylogging and card stealer capabilities, all with a view to facilitating financial fraud. The US nabbed two of its leaders back in 2016 who are now eight years deep into a combined 24-year sentence.

Also known as Vyacheslav Igoravich Andreev, and sometimes just ‘Tank’, Penchukov’s role in the Zeus operation landed him a spot on the FBI’s Cyber Most Wanted List, an accolade that would do very little to stop him from carrying on as normal.

Undeterred by the 2014 takedown of Zeus, SpyEye’s head honchos, and of course being firmly in the FBI’s crosshairs, Penchukov returned to cybercrime in 2018, taking up a leadership role in the IcedID operation.

IcedID was first spotted in 2017 and continues to be disseminated by various operations today, including Emotet, Raspberry Robin, and Bumblebee.

It’s perhaps no surprise Penchukov found his way to IcedID in 2018. At the time, like Zeus, it was primarily a banking malware and was the new thing on the scene, potentially representing an exciting albeit not entirely unfamiliar project to sink his teeth into.

More recently, and perhaps why it became such a hot target for US authorities, IcedID became a precursor to ransomware and was linked to a 2020 attack on the University of Vermont Medical Center (UVM). 

The facility incurred losses upwards of $30 million, the DoJ said, and jeopardized critical patient services for two weeks after, creating a risk to life.

“Malware like IcedID bleeds billions from the American economy and puts our critical infrastructure and national security at risk,” said US attorney Michael Easley for the eastern district of North Carolina. 

“The Justice Department and FBI Cyber Squad won’t stand by and watch it happen, and won’t quit coming for the world’s most wanted cybercriminals, no matter where they are in the world. This operation removed a key player from one of the world’s most notorious cybercriminal rings. Extradition is real. Anyone who infects American computers had better be prepared to answer to an American judge.”

Penchukov was eventually arrested in 2022 and extradited to the US a year later. This week, he pleaded guilty to one count of conspiracy to commit a racketeer influenced and corrupt organizations (RICO) act offense relating to Zeus, and one count of conspiracy to commit wire fraud in relation to IcedID. 

Each count carries a maximum sentence of 20 years. His sentencing date is set for May 9, 2024. ®