IcedID kingpin gets nine years in prison for financial fraud • The Register

A Ukrainian malware kingpin who evaded law enforcement for a decade will face nine years in prison for his role in the IcedID malware operation.

Vyacheslav Igorevich Penchukov pleaded guilty to two charges relating to two separate indictments in two different cases in a plea agreement [PDF] in February. He was already sentenced on the racketeering count in the earlier case (4:11-CR-3074), originally filed in Nebraska, and yesterday received a nine-year sentence for the conspiracy count of the North Carolina indictment (7:22-CR-87) in a Lincoln, Nebraska court.

Penchukov’s role in IcedID, one of the campaigns disrupted by Europol’s Operation Endgame in May, saw him use information from the malware’s panel to manipulate the PCs at two financial services companies to steal money from victims.

The first count of the North Carolina indictment (7:22-CR-87 – PDF) encompassed the blame for developing and administering IcedID, and thus aimed to assign responsibility for the malware’s myriad successful attacks to Penchukov. 

However, this count was ultimately dismissed and the cybercriminal, who also used the aliases “Tank,” “Father,” “TopBro,” and “Zevs,” made a deal under which he pleaded guilty only to his role in stealing funds from victims using malware.

In addition to the nine-year prison sentence, which will be served alongside a concurrent sentence imposed in the Nebraska case, the documents for which are sealed, Penchukov will spend another three years on supervised release once he gets out.

The Ukrainian will also be paying a hefty sum to the US government – more than $54 million in restitution and just shy of $20 million in forfeiture funds.

“Malware like IcedID bleeds billions from the American economy and puts our critical infrastructure and national security at risk,” said US attorney Michael Easley for the eastern district of North Carolina at Penchukov’s February plea hearing.

“The Justice Department and FBI Cyber Squad won’t stand by and watch it happen, and won’t quit coming for the world’s most wanted cybercriminals, no matter where they are in the world. This operation removed a key player from one of the world’s most notorious cybercriminal rings. Extradition is real. Anyone who infects American computers had better be prepared to answer to an American judge.”

Penchukov has been given the opportunity to appeal the decision. The Register contacted his lawyer about whether he would be pursuing an appeal but did not receive an immediate response.

A tricky customer

Penchukov is said to be part of the Zeus malware gang, which spun up around May 2009, and he quickly became a target for US authorities, having been part of an operation that the FBI said in 2014 infected more than 1 million PCs, causing more than $100 million in damages.

Despite the law enforcement disruption of Zeus, which landed Penchukov on the FBI’s Cyber Most Wanted list, the miscreant evaded the cops for more than ten years. He even managed to retain his freedom after cops arrested five other alleged members following a series of property searches in Ukraine in 2010.

He was eventually arrested after he traveled to Geneva, Switzerland in 2022, and was extradited a year later to face justice in the US.

Penchukov’s sentencing this week might be a frustrating one for the feds, as they would likely have wanted the first count of the North Carolina indictment to result in a prison term too. It was arguably the more damning of the two, and had it not been dropped in the plea deal it would have put the Ukrainian behind bars for considerably longer than the nine years he got.

The first count related to the development and wilful dissemination of the IcedID malware, and repeated deliberate attempts to break into protected computers – a heftier charge than simply accessing the data it stole to defraud victims. It also would have implicated Penchukov in various phishing, data theft, and ransomware attacks.

IcedID frozen out

The Europol-led Operation Endgame sought to heavily disrupt many of the world’s most impactful malware strains earlier this year. It followed Operation Cronos, led by the UK’s National Crime Agency, and many takedown efforts like it in the past.

IcedID was among the malware strains targeted, which also included Bumblebee, SystemBC, Pikabot, Smokeloader, and Trickbot. They were selected because they are malware loaders: programs that have their own malicious capabilities but are also often used to install other malware and ransomware after the initial infection.

Endgame led to four arrests in Ukraine and Armenia, plus the seizure of more than 100 servers and more than 2,000 domains. The taskforce has released weekly updates on its website, teasing its next steps, but has fallen short of making any other major announcements since May.

Today’s update, however, indicated it was merely taking a break, and would continue to work to disrupt operations and arrest the criminals behind them. At one point in the update, which came in the form of a video (S1E08), a diagram suggested authorities will be prioritizing efforts to unmask and track down one individual connected to IcedID, as well as those behind Conti, Pikabot, and three other malware strains. ®