A federal investigation into a Russian cybercrime ring led Secret Service agents to the doorstep of a 29-year-old Los Angeles man the United States calls an “extremely sophisticated and well-connected cybercriminal” who allegedly used malware to steal cash from thousands of U.S. bank accounts.

Alexander Tverdokhlebov was arrested in an early-morning raid Feb. 1 on a four-count wire-fraud indictment alleging that he worked with a Russian colleague in 2009 and 2010 to attack U.S. financial institutions. He allegedly used a botnet of 10,000 hacked PCs.

Tverdokhlebov is being held in the Metropolitan Detention Center in Los Angeles pending a bail review in Alexandria, Virginia, where he’s charged.

Long before the Kremlin was known for hacking political campaigns, Russian hackers and their peers in Ukraine dominated the for-profit cybercrime underworld, from the large-scale credit-card heists of the mid-2000s to today’s ransomware threat. And banking botnets have been a staple of Russian cybercrime for nearly a decade.
Instead of stealing passwords for a hacker to use later, the malware will wait for the victim to log in to their online banking, then splice itself into the connection and slip in a rogue funds transfer without setting off alarms at the bank. If the victim happens to check their balance or transaction history, the malware will even rewrite it on the fly to conceal the theft.
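The paragraph above describes why a transfer injected into an already-authenticated session looks legitimate to the bank: the session check passes, so the bank has nothing to distinguish the customer's transfer from the malware's. The simulation below is an added example, not code from the article or from any bank; the account names, amounts and device secret are constructed. It contrasts a server that trusts anything inside a valid session with one that requires a confirmation code produced on a second device and bound to the exact recipient and amount, so a transfer whose details were swapped in the browser no longer matches the code the customer approved. Because the server-side ledger, not the browser's display, is the record of what actually executed, it is also the place a customer or fraud team should reconcile against when the on-screen history cannot be trusted.

```python
"""Transaction binding against in-session (man-in-the-browser) tampering.

Constructed example: account names, amounts and the device secret are made up.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    account: str      # customer's own account
    recipient: str    # destination account
    amount_cents: int


def canonical(t: Transfer) -> bytes:
    """Fixed serialization of the fields a confirmation code must cover."""
    return f"{t.account}|{t.recipient}|{t.amount_cents}".encode()


def confirmation_code(device_secret: bytes, t: Transfer) -> str:
    """HMAC over the transfer details, truncated to a short code a customer can
    read off a second device.  Truncation to 8 hex chars is for the demo only;
    a real deployment would use the bank's own token scheme."""
    mac = hmac.new(device_secret, canonical(t), hashlib.sha256).hexdigest()
    return mac[:8]


class BankServer:
    def __init__(self) -> None:
        self.device_secrets: dict[str, bytes] = {}  # hypothetical enrollment store
        self.ledger: list[Transfer] = []            # server-side truth

    def enroll_device(self, account: str, device_secret: bytes) -> None:
        self.device_secrets[account] = device_secret

    # Weak: trusts anything that arrives inside an authenticated session.
    # This is the check the malware in the article slips past, because it
    # rides the victim's already-authenticated connection.
    def submit_session_only(self, t: Transfer, session_valid: bool) -> bool:
        if not session_valid:
            return False
        self.ledger.append(t)
        return True

    # Hardened: the code the customer produced out of band must match the
    # exact recipient and amount the server is being asked to execute.
    def submit_with_binding(self, t: Transfer, code: str) -> bool:
        secret = self.device_secrets.get(t.account)
        if secret is None:
            return False
        expected = confirmation_code(secret, t)
        if not hmac.compare_digest(expected, code):
            return False
        self.ledger.append(t)
        return True


def run_scenario() -> dict:
    device_secret = b"constructed-device-secret"
    bank = BankServer()
    bank.enroll_device("CUST-001", device_secret)

    # What the customer actually typed and saw on the second device.
    intended = Transfer("CUST-001", "ACME-UTILITIES", 12_000)
    code = confirmation_code(device_secret, intended)

    # What a tampered browser session hands the bank instead: same session,
    # same approval code, different destination and amount (constructed).
    swapped = Transfer("CUST-001", "MULE-ACCT-777", 250_000)

    results = {
        "session_only_accepts_swapped": bank.submit_session_only(swapped, session_valid=True),
        "binding_accepts_intended": bank.submit_with_binding(intended, code),
        "binding_accepts_swapped": bank.submit_with_binding(swapped, code),
    }
    results["ledger"] = [t.recipient for t in bank.ledger]
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The binding only helps if the second device shows the customer the recipient and amount it is signing; a code that merely proves possession of the device would be approved without the customer noticing the swap.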
The Russian-made Zeus malware first proved the concept in 2009, and is behind, by some estimates, billions of dollars in losses over the years. Zeus’s alleged author, Evgeniy Bogachev, was even among the Russians sanctioned by President Obama last December in retaliation for the Kremlin’s election hacking, and the FBI has a $3 million reward out for his arrest.

The U.S. discovered Tverdokhlebov while examining the online chats of a different Russian: Vadim Polyakov, a 32-year-old St. Petersburg man who pleaded guilty last year to a million-dollar concert-ticket scam. Polyakov ran a crime ring that hacked consumers’ StubHub accounts to buy thousands of e-tickets for resale. He was arrested in Spain and extradited to the U.S. In July, a New York judge sentenced him to four to 12 years in state prison.

Court records don’t indicate how the Secret Service obtained Polyakov’s ICQ chat logs. The most likely scenario is that Spanish authorities seized Polyakov’s laptop at his arrest. In any event, the chat logs showed Polyakov conversing in Russian with a fellow cyberthief who let slip enough information to identify Tverdokhlebov as a suspect, specifically his first name, his girlfriend’s full name, his home address and his phone number.
The indictment against Tverdokhlebov is based entirely on the years-old chats, with no hard information about specific thefts, suggesting that the feds are using it as a wedge to try to pry more evidence from Tverdokhlebov’s arrest and the search of his computers.

Over government objections, a magistrate judge set Tverdokhlebov’s bail at $100,000 last week but stayed the man’s release pending a government appeal, set to be heard in Virginia on Friday. The feds are urging that Tverdokhlebov be held without bail, claiming that he has few ties to the U.S. and enough underworld contacts to flee to Mexico and from there to Russia.

Tverdokhlebov was born in Russia and obtained U.S. citizenship in 2009 after marrying an American. According to prosecutors, the two have since divorced.

Secret Service agents have spent the days since Tverdokhlebov’s arrest opening his safe-deposit boxes. Three boxes in California were packed with $172,000 in $100 bills. A key locked in one box turned out to fit a fourth safe-deposit box in Las Vegas, where on Tuesday the feds found an additional $100,000.

“The large quantity of cash, as well as their distribution in safe-deposit boxes in different states, suggests that defendant may have concealed funds elsewhere in preparation for flight,” prosecutors wrote, urging that Tverdokhlebov be kept in jail.

Tverdokhlebov’s attorney, William Cummings, countered in a filing Thursday that his client is legitimately employed in Los Angeles and that the charges in the Virginia indictment are old.

Cummings also implied that with every cash-filled safe-deposit box the feds find, his client becomes an even better candidate for pre-trial release. “The defendant, if he were on release, could now not go to Las Vegas to access that money,” he wrote.