Jabber Zeus

Jabber Zeus was a cybercriminal syndicate and associated Trojan horse created and run by hackers and money launderers based in Russia, the United Kingdom, and Ukraine. It was the second main iteration of the Zeus malware and racketeering enterprise, succeeding Zeus and preceding Gameover Zeus.

Jabber Zeus was operational from around 2009 until 2010. The crew, consisting of nine core members, sent spam emails containing the Trojan to small businesses. The Trojan would send the victim's banking information, including one-time passwords, in real-time, using the Jabber protocol, to the criminals, who would use the information to drain the victim's bank account of funds and launder it using a massive network of money mules, where it would eventually reach the group. The malware may also have been used for espionage. In September 2010, the Trojan was updated to include several other capabilities designed to enhance its security.

Between September 30 and October 1 of 2010, several key members and money mules for the group were arrested in a joint operation between the Federal Bureau of Investigation, the Russian Federal Security Service, the Security Service of Ukraine, and police agencies in the United Kingdom and the Netherlands. Although the individuals arrested in Ukraine were quickly released due to core member Vyacheslav Penchukov's government connections and no conspirators were arrested in Russia, the group was effectively shut down by the arrests. A year later, in September 2011, the group and malware would re-emerge as Gameover Zeus.

Core members
An indictment filed in the District of Nebraska on August 22, 2012, listed nine core Jabber Zeus members:
 * Evgeniy Bogachev, alias "lucky12345", a resident of Russia. Bogachev was the primary developer of the Jabber Zeus malware and the preceding Zeus Trojan creation kit.
 * Vyacheslav Penchukov, aliases "tank" and "father", a resident of Ukraine. Penchukov coordinated the movement of stolen bank credentials, as well as the money mule network. He was the first person to be notified by the malware of an infection and the only member of the crew to communicate with Bogachev.
 * Yevhen Kulibaba, alias "jonni", a resident of the United Kingdom. Kulibaba was the alleged ringleader of the group, but this is disputed by Brian Krebs and Patrick O'Neill, who state that Penchukov or Bogachev, respectively, was the leader.
 * Yuriy Konovalenko, alias "jtk0", a resident of the United Kingdom. Konovalenko served as Kulibaba's right-hand man in the UK, providing him with banking details from victims and money mules, and collecting data from his co-conspirators.
 * Ivan Klepikov, aliases "petr0vich" and "nowhere", a resident of Ukraine. Klepikov was a system administrator for the crew.
 * Alexey Bron, alias "thehead", a resident of Ukraine. Bron managed the transfer of funds using the online payment service WebMoney.
 * Alexey Tikonov, alias "kusanagi", a resident of Russia. Tikonov was a coder for the criminal enterprise.
 * Maksim Yakubets, alias "aqua", a resident of Russia. Yakubets managed and recruited money mules for the group.
 * "mricq", real name unknown, a resident of Ukraine. "mricq" was a coder for the crew.

The indictment charged the core members with bank and computer fraud, racketeering, and identity theft.

Modus operandi and the Jabber Zeus malware
The Jabber Zeus crew operated by distributing, usually via spam emails, and installing the namesake malware onto victims' computers, then using it to gain access to their bank accounts. Money would be stolen from the accounts and transferred to a network of money mules who would launder the money before it eventually reached the criminals. The money mules were usually unaware that they were handling stolen finances. The FBI claimed in 2010 that more than 3,500 such money mules existed. The Jabber Zeus crew primarily targeted small businesses. In 2010, investigators estimated that at minimum, $70 million had been stolen by the criminals, with the true number being much higher.

The crew's activity dates back to at least 2009. The initial version of the Jabber Zeus malware was built from the standard Zeus kit, then known as Zeus 2. The malware was mainly distinguished from other Zeus variants by a modification allowing it to send victims' banking credentials, particularly one-time passwords, to the criminals as soon as the victim logged in. The message was sent via the Jabber protocol, hence the name "Jabber Zeus". In September 2010, Bogachev provided the crew with a specialized version of the malware, known as ZeuS 2.1.0.X. This contained other unique capabilities, including a domain generation algorithm to prevent shutdown attempts, regular expression support, and the ability to infect files. The malware was additionally protected by an encryption key that required Penchukov to purchase each copy individually at a cost of $10,000 per copy.

Infected machines, as with other Zeus variants, formed a botnet that could be accessed and controlled by the group. Analysis of several Zeus variants, including Jabber Zeus, uncovered attempts by this botnet to search for secret and sensitive information in Georgia, Turkey, and Ukraine, leading to suspicion that the malware was additionally used for espionage on behalf of Russia.

On September 11, 2011, the Jabber Zeus malware was updated to Gameover Zeus, the final known variant of Zeus developed by Bogachev.

Conflict with Brian Krebs
On July 2, 2009, the Washington Post published a story by Brian Krebs describing the Jabber Zeus crew's theft of $415,000 from the government of Bullitt County, Kentucky. Shortly after, Krebs was contacted by an individual who had hacked into the crew's Jabber instant message server and was able to read private chats between them. The members of the syndicate were also aware of the Washington Post story, and expressed frustration that their exploits were now public information; in a chat between Penchukov and Bogachev, the former claimed that "now the entire USA knows about Zeus", to which Bogachev concurred: "It's fucked." Members of the crew would keep up with Krebs's writing thereafter.

Krebs also gained access to the messages sent to the money mules by the group, exploiting a security flaw in the money mule recruitment websites that allowed an automated scraper to grab messages sent to any other user; users could, after logging in, read messages to other users by changing a number in the URL. With this access, he was able to prevent and write about several breach attempts by the crew by contacting victim businesses. On December 13, 2009, the crew discovered that Krebs had been let go by the Washington Post prior to this information becoming public, and celebrated the event, with a money mule recruiter hoping for an eventual confirmation of the rumor: "Good news expected exactly by the New Year!"

Operation Trident Breach
In September 2009, the Federal Bureau of Investigation (FBI) obtained a search warrant for a server in New York that was suspected of being tied to the Jabber Zeus enterprise. The server was discovered to contain the crew's chats, which the FBI began monitoring. Shortly thereafter, they began to share information from the chats with Russia's Federal Security Service (FSB) and the Security Service of Ukraine (SBU). Penchukov was identified around this time; he had sent a message on July 22 containing his newborn daughter's name and weight, which was correlated with Ukrainian birth records. In April 2010, the crew became aware that they were being monitored, possibly tipped off by a corrupt SBU agent, but continued to send messages using the compromised server for a time.

The FBI organized Operation Trident Breach, a collaboration between the FBI, FSB, SBU, and police agencies in the UK and the Netherlands, in 2010 to capture the leaders of the Jabber Zeus group. The operation was mainly coordinated in June 2010, at a house owned by SBU director Valeriy Khoroshkovskyi, with the agencies planning to arrest the suspects on September 29 of that year. However, the operation was pushed back several times, eventually to October 1, at the request of the SBU, by which point they had lost track of Penchukov. Penchukov had been tipped off about the upcoming operation and had gone into hiding.

Between September 30 and October 1, 2010, Operation Trident Breach was executed, resulting in the arrest of 39 US citizens, 20 UK residents, and five Ukrainians. There were no arrests in Russia. The operation had started a day early in response to reports that Penchukov and other suspects had been tipped off. Among the arrested were Kulibaba and Konovalenko, who were convicted in the UK in 2011, then extradited to the US in 2014, and Klepikov, who was not extradited due to the Ukrainian constitution's prohibition on extraditing citizens and eventually let go along with the other arrested Ukrainians. Penchukov, leveraging his connections with Ukrainian president Viktor Yanukovych and local authorities in his hometown of Donetsk, managed to get the charges against himself dropped. Despite the escape of several key members, the syndicate was disrupted and effectively shut down by the operation.

Identification of Bogachev and Yakubets
Bogachev and Yakubets's identities were not publicly known until after Jabber Zeus dissolved and reformed into Gameover Zeus in the wake of the arrests; they were only known by their pseudonyms, "lucky12345" and "aqua", respectively, as members of the group. Bogachev was also known as "Slavik", though he was not identified as such in the 2012 indictment.

Bogachev was identified in 2014, after a source pointed investigators working for Fox-IT, a security research company, to one of his email addresses. Although Bogachev had used a VPN to administer the Gameover Zeus botnet, he had used the same VPN to access his personal accounts, allowing investigators, who had previously penetrated the botnet's command servers, to tie the system to Bogachev.

Yakubets was formally identified in a criminal complaint on November 14, 2019, based on evidence collected from 2010 to 2018. An attempt to determine who rented the Jabber server the FBI breached in 2009 uncovered no leads, as the server was rented under a false name. On July 9, 2010, US authorities sent a mutual legal assistance request to Russia for information regarding "aqua"; Russian authorities responded with evidence that "aqua" was Yakubets, obtained from his email account, which used the "aqua" pseudonym, but contained emails identifying him by his real name, as well as his address. On December 25, 2012, a woman who was found to be living at Yakubets's address identified her spouse as Yakubets in a visa application and listed a boy traveling with her as her son. The child's name was found in intercepted chat logs between Yakubets and Penchukov from 2009. On March 19, 2018, Microsoft, following a court order, provided records connecting Yakubets's Skype account and his email. On August 12, 2018, Yakubets's now-ex-wife and her son applied for another visa, again listing Yakubets as the woman's ex-husband.

Arrest of Penchukov
Penchukov was arrested in Geneva, Switzerland, on October 23, 2022, and his extradition to the United States was granted on November 15. Penchukov's arrest was given by CNN writer Sean Lyngaas and Krebs as an example of the opportunities to arrest cybercriminals opened up by the Russian invasion of Ukraine as they flee the country for their own safety.