
Russian Citadel malware developer cuts deal with US authorities

US Justice Department set to sentence a second Russian hacker for helping to develop Citadel malware that netted $500m, but says investigations are continuing

A Russian hacker accused of helping to create Citadel malware that is believed to be responsible for the theft of $500m from millions of people in 90 countries has reportedly cut a deal with US authorities.

Mark Vartanyan has pleaded guilty to charges related to computer fraud and is co-operating with investigators in return for a reduced sentence of no more than five years, the Washington Times reports.

Citadel was developed to infect computer networks of major financial and government institutions around the world and steal user credentials to carry out fraudulent transactions, diverting money to cyber criminals.

Investigators found that, once a computer was infected with Citadel malware – a variant of the Zeus banking Trojan – it began monitoring and recording the victim’s keystrokes.

This tactic, known as keylogging, gives cyber criminals information to gain direct access to a victim’s bank account or any other online account to withdraw money or steal personal identities.

Investigators found criminals were adapting and evolving their attack methods by blocking victims’ access to legitimate anti-virus/anti-malware sites to make it harder to remove the threat.
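The article does not say how victims were cut off from anti-virus sites; one common way malware achieves this is by rewriting the local hosts file so that vendor domains resolve to loopback or to an attacker-controlled address. The following added example (not from the article, and not Citadel's code) is a defender-side check over a constructed hosts file: it flags any entry that overrides an assumed watch-list of security vendor domains, distinguishing entries that sinkhole the name (loopback or 0.0.0.0) from entries that redirect it elsewhere.

```python
import ipaddress

# Constructed sample hosts file (illustrative only; not captured from any real infection).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# constructed entries mimicking a block of security vendor sites
127.0.0.1       www.symantec.com
0.0.0.0         update.microsoft.com
127.0.0.1       www.kaspersky.com
198.51.100.7    www.mcafee.com
10.0.0.5        intranet.example.com
"""

# Assumed watch-list of vendor/update domains; extend it with the vendors you actually rely on.
SECURITY_DOMAINS = {"symantec.com", "kaspersky.com", "mcafee.com", "microsoft.com"}


def parse_hosts(text):
    """Return (line_number, ip, [hostnames]) for each non-comment entry."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                           # malformed line, nothing to resolve
        entries.append((lineno, parts[0], parts[1:]))
    return entries


def is_sinkhole(ip):
    """True if the address swallows traffic (loopback or unspecified) or is unparsable."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True                            # not a valid address: treat as suspicious
    return addr.is_loopback or addr.is_unspecified


def matches_watchlist(name, watchlist):
    """Exact or subdomain match against the watch-list, case-insensitive."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in watchlist)


def find_blocked_security_domains(text, watchlist=SECURITY_DOMAINS):
    """Flag every hosts entry that overrides a watch-listed security domain.

    A legitimate hosts file almost never pins vendor domains, so any override is
    reported; 'kind' tells the analyst whether the name is sinkholed or redirected.
    """
    findings = []
    for lineno, ip, names in parse_hosts(text):
        for name in names:
            if matches_watchlist(name, watchlist):
                findings.append({
                    "line": lineno,
                    "ip": ip,
                    "host": name,
                    "kind": "sinkholed" if is_sinkhole(ip) else "redirected",
                })
    return findings


if __name__ == "__main__":
    for f in find_blocked_security_domains(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({f['kind']})")
```

On a live host the same function can be run over the contents of `/etc/hosts` or `%SystemRoot%\System32\drivers\etc\hosts`; a "redirected" finding deserves more attention than a "sinkholed" one, since it may point at infrastructure serving fake updates rather than simply blocking them.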

Citadel also introduced a business model that enabled users to request additional functionality and tweaks. Extra toolkit plug-ins for greater functionality were also available for a fee.

The malware sold for up to $2,500 and received regular automated updates to enable it to avoid detection by antivirus software and other signature-based security controls.


Vartanyan, 29, who used the pseudonym Kolypto, was arrested in Norway in October 2014 and extradited to the US in December 2016.

Vartanyan, originally from Moscow, was allegedly involved in distributing Citadel while living in Ukraine between August 2012 and January 2013, and while living in Norway from April to June 2014.

In June 2013, Microsoft, security firm Agari and the Financial Services Information Sharing and Analysis Center (FS-ISAC) worked with the FBI to disrupt the Citadel botnet and eventually the malware’s source code was reportedly leaked, which helped antivirus firms to identify and block it.

In September 2015, another Russian, Dimitry Belorossov, was arrested and sentenced to four and a half years in jail after pleading guilty to charges related to Citadel’s distribution.

Vartanyan is scheduled for sentencing on 21 June 2017.

Despite the two arrests, the US Justice Department said its investigation into Citadel malware is continuing, indicating that further arrests may be made.
