Fraudster Pockets $3.2 Million in Six Months via SpyEye Botnet

The SpyEye Trojan has a well-earned place of respect in cyber-underground as an adaptable and effective piece of malware. Those same traits have also made it a bane for countless victims and the security community, and new research by Trend Micro provides yet another reminder of why.

According to Trend Micro, a hacker in his early 20s known by the cyber-alias “Soldier” led a bank fraud operation that netted $3.2 million in six months. Powered by the SpyEye crimeware kit and aided by money mules and an accomplice believed to reside in Hollywood, Soldier commanded a botnet of more than 25,000 computers between April 19 and June 29 that compromised bank accounts and made off with the profits.

Most of the victims were in the U.S., but there were a handful of victims in 90 other countries as well. Among the affected organizations were banks, educational facilities and government agencies.

“Using the IP addresses of the victims that were recorded by the SpyEye command and control server, we were able to determine the network to which the IP address was assigned,” blogged Loucif Kharouni, senior threat researcher at Trend Micro. “We found that a wide variety of large organizations and US multi-nationals in a variety of sectors were represented in the victim population.”

“We do not believe these large organizations and US multi-nationals were originally the intended target; we instead believe that they were impacted following end user compromise,” the researcher continued. “Bots (infected victim systems) are routinely sold to other criminals who perform other data-stealing activities, thereby making these networks vulnerable to further compromise and possible fraud.”

Of the 25,394 systems infected by the operation between April 19 and June 29, 57 percent were Windows XP computers. Some 4,500, or 18 percent, were running Windows 7.

SpyEye was in the news for other reasons earlier this week when news broke that a version of the Trojan was observed targeting Android devices.

“Because the cyber-criminals are so good at socially engineering their victims into installing their crimeware agents (whether that be at the PC or mobile level), merely shifting the banking authentication process to another device (i.e. the mobile phone) does not pose a significant problem to the criminals,” Gunter Ollmann, vice president of research at Damballa, told SecurityWeek. “Financial institutes need to focus on back-office correlation and anomaly detection systems to identify fraud attempts – rather than continually try to push security components into their customers’ hands. Cyber-criminals will always be able to defeat consumer security solutions because they are smarter than the ‘average’ customer that a bank is developing their security solution for.”


He added that the attention malware authors are paying towards mobile devices may be driven by banks increasingly moving multi-factor authentication processes to mobile phones.

Compromises on the scale Soldier was involved in are not unusual for cyber-criminals using toolkits, Kharouni blogged, but that doesn’t mean the amount stolen isn’t cause for concern. “Such information gives us a clearer view of what goes on within a botnet as prominent as those created with SpyEye,” the researcher wrote. “As we attain more information on how cybercriminals do business, their targets, and what kind of information they seek, hopefully it will lead us to discover how to dismantle these operations and prevent them from stealing users’ hard-earned money.”

Written By

Marketing professional with a background in journalism and a focus on IT security.
