The private hackers taking on cyber criminals

Russian gangs targeting banks represent the biggest cyber crime threat to Britain, say police

By day, he earns a living making parts for French power plants. By night, he is a lone fighter armed with a laptop taking on Russian organised cyber crime gangs.

For a decade, the 27-year-old – under his nom de guerre Xylitol – has pitted his wits against increasingly sophisticated Eastern European groups who have plundered billions from banks and held businesses to ransom after cracking into their systems.

The former hacker says his home-based efforts – for which he is not paid – have led to “multiple arrests” in concert with private cyber security firms and international law enforcement. In response, the amateur cyber-sleuth has been threatened and targeted by criminals in what he calls “information warfare” to muddy his reputation.

So high are the stakes and the ferocity of the battle that Xylitol takes care with his personal security and gives only vague details of where he lives in France, close to the Swiss border. “To live happy, live hidden,” he said in an email to The National.

But the challenge that he and the rest of the cyber security industry face from so-called banking Trojans, named after the deception used by Greek soldiers hidden inside the belly of a wooden horse, is huge and growing, according to police.

The malicious software or 'malware' relies on users being tricked into loading the virus on their computers, which then allows the gangs to spy and steal their private banking information.

Russian-speaking gangs seeking to plunder bank details represent the biggest cyber crime threat to the UK, with top tier criminals using techniques that match the sophistication of elite national agencies, according to British police in its latest annual threat assessment.

The use of similar software by different crime groups has suggested that they are “working more closely together than previously assessed” rather than in direct opposition, said Britain’s National Crime Agency.

“The threat from cyber crime to the UK continues to evolve in terms of its complexity,” it said. “Russian language OCGs [organised crime groups] behind financial Trojans present the biggest cyber crime threat to the UK.

“They are just one of a broader range of forms of malicious software (malware) designed to disrupt, damage or gain unauthorised access to a victim’s device.”

Ranged against them is a public-private coalition of law enforcement agencies, private security firms and individuals such as Xylitol.

The authorities have had success against a small number of the perpetrators, who have been foolish enough to travel outside of their protected zone in Russia on holiday to jurisdictions where they faced arrest and extradition.

Hamza Bendelladj is escorted by Thai police officers on January 7, 2013. Bendelladj, nicknamed the 'smiling hacker', was sentenced to 15 years in prison in 2016. He hacked banks and financial companies worldwide, amassing huge amounts in illicit earnings. AFP

They included Russian Aleksandr Andreevich Panin, who was jailed for nine-and-a-half years in the United States in 2016, after being arrested in Atlanta, Georgia, while passing through on an international flight.

He and partner-in-crime Algerian Hamza Bendelladj used a virus package known as SpyEye that is believed to have infected more than 50 million computers worldwide and cost global banks some $1 billion, according to the US department of justice.

The pair used the malware themselves but also sold it for up to $10,000 a time to other criminals. While private sector companies and law enforcement were trying to identify the two men behind the scam, Xylitol targeted their sales operation, posting copied versions of the malware on to hacker sites, rendering them worthless. As the criminals revamped their code, so did Xylitol, in a relentless game of cat-and-mouse.

The two men were arrested and jailed. Bendelladj, who was picked up in Thailand, was jailed for 15 years.

The man accused of providing them with an older version of the malware, Evgeniy Mikhailovich Bogachev, is believed to be in Russia and has eluded the efforts of US police since 2012 to capture him. He is suspected of being responsible for a similar banking trojan known as GameOver ZeuS that netted more than $100m.

The FBI has a list of ‘most wanted’ cyber criminals that is dominated by Russian and Iranian hackers. Mr Bogachev has a $3 million reward on his head.

“There are one or two of these chaps who have made a mistake of going on holiday where there are places with extradition treaties,” said a senior British cyber security expert, who declined to be named because of the sensitivity of his work. “The vast majority have not and will not.”

The warnings come as Europol, the European policing agency, has warned that technological advances in artificial intelligence and the roll out of the 5G network will have a “profound impact” on the criminal landscape.

By 2021, customers using mobile phone banking apps will outstrip those turning up in UK branches, according to the consultancy Caci. Yet a report by a US-based consultancy, Arxan, in April found there was a “systemic problem” in banking apps it tested and identified “severe vulnerabilities” that opened them to the threat of criminal takeover.

The National first contacted Xylitol five years ago via another French former hacker who was recommended by a senior British cyber security official.

“I still do the same things, just it's not the same threats and same actors as five years ago,” he said this week.

He pointed to messages by sellers of bank hacking kits that indicated they were wary of his abilities to disrupt their operations following the Bendelladj case. “Remember Xylitol is somewhere,” one seller wrote in a message discovered by Xylitol and posted on his Twitter feed.

“Actors of today who write banking trojans learned from previous arrests,” he said. “Now they try to stay under the radar.”

Updated: September 5, 2019 04:22 PM

