For more than a decade, Vyacheslav Igorevich Penchukov—a Ukrainian who used the online hacker name “Tank”—managed to evade cops. When FBI and Ukrainian officials raided his Donetsk apartment in 2010, the place was deserted and Penchukov had vanished. But the criminal spree came to a juddering halt at the end of 2022, when he traveled to Switzerland, was arrested, then was extradited to the United States.
Today, at a US federal court in Lincoln, Nebraska, a judge sentenced Penchukov to two concurrent nine-year sentences, after he pleaded guilty to two charges of conspiracy to participate in racketeering and a conspiracy to commit wire fraud. United States District Judge John M. Gerrard also ordered Penchukov to pay more than $73 million, according to court records. The court also ordered three years of supervised release for each count and said they should run concurrently.
Both charges carried a maximum sentence of up to 20 years each. According to court documents, however, the US government and Penchukov’s lawyers both requested a less severe sentence following him signing a plea agreement in February. It is unclear what the terms of the plea deal include. At the time, documents show, Penchukov could also face having to repay up to $70 million—less than the combined amount he's ordered to pay in restitution and forfeited funds. “I understand this, but I don’t have such amounts of money,” he said in court earlier this year.
The US prosecution of Penchukov—who has been on the FBI's “most wanted” cyber list for more than a decade—is a rare blow against one of the most well-connected leaders of a prolific 2010s cybercrime gang. It also highlights the ongoing challenges Western law enforcement officials face when taking action against Eastern European cybercriminals—particularly those based in Russia or Ukraine, which do not have extradition agreements with the US.
Ahead of the sentencing, the Department of Justice refused to comment on the case, and the FBI and Penchukov’s lawyers did not respond to WIRED’s requests for comment.
When the Ukrainian pleaded guilty in February—a number of charges were dropped following him signing the plea agreement—he admitted to being one of the leaders of the Jabber Zeus hacking group, starting in 2009, that used the Zeus malware to infect computers and steal people’s bank account information. The group used the details to log in to accounts, withdraw money, and then send it to various money mules—stealing tens of millions from small US and European businesses.
“The defendant played a crucial role, a leadership role, in this scheme by directing and coordinating the exchange of stolen banking credentials and money mules,” prosecutors said in court earlier this year. They would steal thousands from victim companies, often draining their accounts.
Penchukov, who was also a well-known DJ in Ukraine, also admitted to a key role organizing the IcedID (also known Bokbot) malware, which collected the victim’s financial details and allowed ransomware to be deployed on systems. He was involved from November 2018 to at least February 2021, officials say. Investigators found he kept a spreadsheet detailing the $19.9 million income IcedID made in 2021.
“I never thought that we would ever see any of Jabber Zeus crew” face justice in the US, says Jim Craig, a senior director at cybersecurity firm Intel 471, who was previously a special agent in the FBI and helped lead the investigation into the Zeus cybercriminals and Penchukov, who is in his late thirties, starting in July 2009. Craig, who attended the sentencing, said he was happy with the result. Penchukov has aged since US investigators originally published photos of him, Craig says, and the criminal boss spoke during the sentencing hearing to apologize for his actions.
The Zeus malware, linked to FBI-wanted Russian Evgeniy Bogachev, first appeared online around the end of 2006 and in part used keyloggers to steal people’s banking information when they entered it online. The cybercriminals would log into accounts and send money to people acting as mules, who would cash out the funds. “It was just a really big jump in capabilities,” Keith Jarvis, a senior researcher at cybersecurity company Secureworks, says of the Zeus malware. “The volume of it was so out of control, and the banks didn't have a really good handle on it.”
By 2009, when the FBI’s investigations were starting, the Zeus gang had developed Jabber Zeus, adding the Jabber instant messenger into the setup. “When there was a compromise, they would get notified, and they could immediately have an operator jump on and start conducting the fraud automatically,” Jarvis says. They later developed Gameover Zeus and the group’s members—including Bogachev and, according to US prosecutors, an FBI-wanted Maksim Yakubets—eventually morphed into building some of the most disruptive ransomware of the past decade. (Bogachev and Yakubets, respectively, have $3 million and $5 million rewards on their heads from the US government).
In 2010, as detailed by WIRED’s 2017 cover story chronicling the hunt for the Zeus creators, the FBI and other law enforcement agencies had identified Penchukov and other members by analyzing their Jabber chat messages seized from a US-based server. “Ultimately we ran across a message where Tank had talked about his daughter,” Craig says. Penchukov disclosed her date of birth, name, and birth weight, which were used in cooperation with Ukraine’s security service to determine there was only one girl born that day with those details, and Penchukov was her father. The FBI investigators traveled to Donetsk, Ukraine, to arrest members of the gang.
Operation Trident Breach collared more than 50 people around the world in September 2010—with some members later being sentenced—but Penchukov wasn’t one of them. “It was quite obvious that Tank was tipped off,” Craig says. “There was no sign of him, and it was quite clean. You could definitely tell no one had been there a few days,” Craig recounts of the raid on Penchukov’s apartment. As detailed by MIT Technology Review, officials suspected corruption and family connections to high-level Ukrainian officials. Plus Russian investigators involved in the case “ghosted” other officials on the day the arrest was due to take place.
Penchukov was first publicly named in a February 2012 indictment, detailing his and other Zeus members’ alleged crimes. In 2015 he changed his name to Vyacheslav Igoravich Andreev. Jarvis, from Secureworks, says Penchukov can be considered one of the “elder statesmen” of this era of cybercrime, and everything has always indicated he was in charge of “running” the money mules the groups used and organizing the finances.
In November 2022 it was reported that Penchukov had been arrested in Geneva when he was “traveling to meet up with his wife.” The circumstances of his arrest are unclear, and Swiss authorities declined to comment on the case.
Since the Zeus gang were at their height, their particular brand of bank fraud—directly accessing victims accounts and moving money from them—has declined in prominence. Ransomware and data extortion, using cryptocurrency to launder money, has become the primary tactic of Russia-linked cybercriminals, earning them more than $1.1 billion in 2023.
Craig, the former FBI investigator, says one outstanding question will be how much Penchukov cooperated with officials and if he revealed anything about other criminals. “The significance of him being caught is important to show that law enforcement is not going to stop—wherever they go, there's going to be a chance and opportunity for them to get caught,” Craig says.
Update 7/11/2024, 12:40 pm ET: Updated to clarify the amount of money Penchukov will be forced to turn over to authorities.
