A Ukrainian man indicted in 2012 for conspiring with a prolific hacking group to steal tens of tens of millions of {dollars} from U.S. companies was arrested in Italy and is now in custody in the US, KrebsOnSecurity has realized.<\/p>\n
Sources near the investigation say Yuriy Igorevich Rybtsov<\/strong>, a 41-year-old from the Russia-controlled metropolis of Donetsk, Ukraine, was beforehand referenced in U.S. federal charging paperwork solely by his on-line deal with \u201cMrICQ<\/strong>.\u201d In line with a 13-year-old indictment<\/a> (PDF) filed by prosecutors in Nebraska, MrICQ was a developer for a cybercrime group often known as \u201cJabber Zeus<\/strong>.\u201d<\/p>\n Picture: lockedup dot wtf.<\/p>\n<\/div>\n The Jabber Zeus title is derived from the malware they used \u2014 a customized model of the ZeuS banking trojan<\/a> \u2014 that stole banking login credentials and would ship the group a Jabber on the spot message every time a brand new sufferer entered a one-time passcode at a monetary establishment web site. The gang focused largely small to mid-sized companies, they usually had been an early pioneer of so-called \u201cman-in-the-browser\u201d assaults, malware that may silently intercept any knowledge that victims submit in a web-based type.<\/p>\n As soon as inside a sufferer firm\u2019s accounts, the Jabber Zeus crew would modify the agency\u2019s payroll so as to add dozens of \u201ccash mules,\u201d folks recruited via elaborate work-at-home schemes to deal with financial institution transfers. The mules in flip would ahead any stolen payroll deposits \u2014 minus their commissions \u2014 by way of wire transfers to different mules in Ukraine and the UK.<\/p>\n The 2012 indictment\u00a0concentrating on the Jabber Zeus crew named MrICQ as \u201cJohn Doe #3<\/strong>,\u201d and mentioned this individual dealt with incoming notifications of newly compromised victims. The Division of Justice (DOJ) mentioned MrICQ additionally helped the group launder the proceeds of their heists via digital forex change companies.<\/p>\n Two sources conversant in the Jabber Zeus investigation mentioned Rybtsov was arrested in Italy, though the precise date and circumstances of his arrest stay unclear. A abstract of current selections<\/a> (PDF) printed by the Italian Supreme Court docket states that in April 2025, Rybtsov misplaced a closing attraction to keep away from extradition to the US.<\/p>\n In line with the mugshot web site lockedup[.]wtf<\/strong>, Rybtsov arrived in Nebraska on October 9, and was being held underneath an arrest warrant from the U.S. Federal Bureau of Investigation<\/strong> (FBI).<\/p>\n The information breach monitoring service Constella Intelligence<\/a> discovered breached data from the enterprise profiling web site bvdinfo[.]com exhibiting {that a} 41-year-old Yuriy Igorevich Rybtsov labored in a constructing at 59 Barnaulska St. in Donetsk. Additional looking on this deal with in Constella finds the identical condominium constructing was shared by a enterprise registered to Vyacheslav \u201cTank\u201d Penchukov<\/strong>, the chief of the Jabber Zeus crew in Ukraine.<\/p>\n Vyacheslav \u201cTank\u201d Penchukov, seen right here performing as \u201cDJ Slava Wealthy\u201d in Ukraine, in an undated picture from social media.<\/p>\n<\/div>\n Penchukov was arrested in 2022<\/a> whereas touring to satisfy his spouse in Switzerland. Final 12 months, a federal courtroom in Nebraska sentenced Penchukov to 18 years in jail<\/a> and ordered him to pay greater than $73 million in restitution.<\/p>\n Lawrence Baldwin<\/strong> is founding father of myNetWatchman<\/a>, a menace intelligence firm based mostly in Georgia that started monitoring and disrupting the Jabber Zeus gang in 2009. myNetWatchman had secretly gained entry to the Jabber chat server utilized by the Ukrainian hackers, permitting Baldwin to snoop on the each day conversations between MrICQ and different Jabber Zeus members.<\/p>\n Baldwin shared these real-time chat data with a number of state and federal regulation enforcement companies, and with this reporter. Between 2010 and 2013, I spent a number of hours every day alerting small companies throughout the nation that their payroll accounts had been about to be drained by these cybercriminals.<\/p>\n These notifications, and Baldwin\u2019s tireless efforts, saved numerous would-be victims an excessive amount of cash. Normally, nonetheless, we had been already too late. However, the pilfered Jabber Zeus group chats offered the idea for dozens of tales printed right here about small companies preventing their banks<\/a> in courtroom over six- and seven-figure monetary losses.<\/p>\n Baldwin mentioned the Jabber Zeus crew was far forward of its friends in a number of respects. For starters, their intercepted chats confirmed they labored to create a extremely custom-made botnet immediately with the creator of the unique Zeus Trojan \u2014 Evgeniy Mikhailovich Bogachev<\/strong>, a Russian man who has lengthy been on the FBI\u2019s \u201cMost Needed\u201d record. The feds have a standing $3 million reward<\/a> for data resulting in Bogachev\u2019s arrest.<\/p>\n Evgeniy M. Bogachev, in undated photographs.<\/p>\n<\/div>\n The core innovation of Jabber Zeus was an alert that MrICQ would obtain every time a brand new sufferer entered a one-time password code right into a phishing web page mimicking their monetary establishment. The gang\u2019s inner title for this element was \u201cLeprechaun<\/strong>,\u201d (the video under<\/a> from myNetWatchman reveals it in motion). Jabber Zeus would truly re-write the HTML code as displayed within the sufferer\u2019s browser, permitting them to intercept any passcodes despatched by the sufferer\u2019s financial institution for multi-factor authentication.<\/p>\n \u201cThese guys had compromised such a lot of victims that they had been getting buried in a tsunami of stolen banking credentials,\u201d Baldwin advised KrebsOnSecurity. \u201cHowever the entire level of Leprechaun was to isolate the highest-value credentials \u2014 the industrial financial institution accounts with two-factor authentication turned on. They knew these had been far juicier targets as a result of they clearly had much more cash to guard.\u201d<\/p>\n![\"\"](\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/11\/rybtsov-lockedup.png\")
<\/p>\n![\"\"](\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2022\/11\/tank-dj.png\")
<\/p>\n![\"\"](\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2019\/12\/bogachev.png\")
<\/p>\n