A federal investigation into a Russian cybercrime ring led Secret Service agents to the doorstep of a 29-year-old Los Angeles man the United States calls an “extremely sophisticated and well-connected cybercriminal” who allegedly used malware to steal cash from thousands of U.S. bank accounts.
Alexander Tverdokhlebov was arrested in an early-morning raid Feb. 1 on a four-count wire-fraud indictment alleging that he worked with a Russian colleague in 2009 and 2010 to attack U.S. financial institutions. He allegedly used a botnet of 10,000 hacked PCs.
Tverdokhlebov is being held in the Metropolitan Detention Center in Los Angeles pending a bail review in Alexandria, Virginia, where he’s charged.
Long before the Kremlin was known for hacking political campaigns, Russian hackers and their peers in Ukraine dominated the for-profit cybercrime underworld, from the large-scale credit-card heists of the mid-2000s to today’s ransomware threat. And banking botnets have been a staple of Russian cybercrime for nearly a decade.
Instead of stealing passwords for a hacker to use later, a banking trojan waits for the victim to log in to their online banking, then splices itself into the connection and slips in a rogue funds transfer without setting off alarms at the bank. If the victim happens to check their balance or transaction history, the malware will even rewrite it on the fly to conceal the theft.
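The defender's answer to the man-in-the-browser pattern described above is that nothing rendered inside the compromised session can be trusted; the bank's own ledger, a statement fetched from a second device, or an out-of-band alert is what exposes a hidden transfer. The following is an added example, not code from the article or from any bank's systems, that reconciles a constructed server ledger against what a tampered browser view showed and applies an assumed confirmation policy for first-time payees. All account names, amounts and the threshold are invented for illustration.

```python
"""Reconciliation of an authoritative ledger against an in-session view.

Constructed example: one account, three recorded debits, one of which the
in-browser view hides while rewriting the displayed balance to look consistent.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set


@dataclass(frozen=True)
class Txn:
    txn_id: str
    payee: str
    amount_cents: int  # debits as positive integer cents; avoids float rounding


# --- constructed sample data (hypothetical account, not from the case) -------
OPENING_BALANCE_CENTS = 500_000  # $5,000.00

# What the bank actually recorded, including the transfer injected mid-session.
SERVER_LEDGER = [
    Txn("TX-0001", "ELECTRIC-CO", 12_000),
    Txn("TX-0002", "LANDLORD", 150_000),
    Txn("TX-0003", "UNKNOWN-PAYEE-77", 240_000),  # never entered by the customer
]

# What the compromised browser rendered: TX-0003 is omitted and the balance is
# rewritten so the remaining history still appears to add up.
CLIENT_VIEW = [
    Txn("TX-0001", "ELECTRIC-CO", 12_000),
    Txn("TX-0002", "LANDLORD", 150_000),
]
DISPLAYED_BALANCE_CENTS = 338_000  # 500,000 - 12,000 - 150,000

KNOWN_PAYEES = {"ELECTRIC-CO", "LANDLORD"}
OOB_THRESHOLD_CENTS = 100_000  # assumed policy: new payee at/above $1,000 -> confirm out of band


def closing_balance(opening_cents: int, ledger: Iterable[Txn]) -> int:
    """Balance implied by a ledger, independent of anything the client displayed."""
    return opening_cents - sum(t.amount_cents for t in ledger)


def hidden_transactions(server: Iterable[Txn], client: Iterable[Txn]) -> List[Txn]:
    """Transactions the bank recorded that the in-session view never showed."""
    shown = {t.txn_id for t in client}
    return [t for t in server if t.txn_id not in shown]


def balance_discrepancy_cents(opening_cents: int, server: Iterable[Txn],
                              displayed_cents: int) -> int:
    """Positive result means the browser showed more money than the bank holds."""
    return displayed_cents - closing_balance(opening_cents, server)


def needs_oob_confirmation(txn: Txn, known_payees: Set[str], threshold_cents: int) -> bool:
    """Assumed policy: a first-time payee above the threshold is confirmed on a second channel."""
    return txn.payee not in known_payees and txn.amount_cents >= threshold_cents


def reconcile() -> dict:
    """Run all three checks over the constructed data and return the findings."""
    hidden = hidden_transactions(SERVER_LEDGER, CLIENT_VIEW)
    return {
        "hidden_ids": [t.txn_id for t in hidden],
        "discrepancy_cents": balance_discrepancy_cents(
            OPENING_BALANCE_CENTS, SERVER_LEDGER, DISPLAYED_BALANCE_CENTS),
        "flag_for_oob": [t.txn_id for t in SERVER_LEDGER
                         if needs_oob_confirmation(t, KNOWN_PAYEES, OOB_THRESHOLD_CENTS)],
    }


if __name__ == "__main__":
    print(reconcile())
```

The point of the three checks is that each one uses data the trojan never touched: the ledger and opening balance live at the bank, and the payee history lets a confirmation prompt go to a channel the browser session cannot rewrite. In practice the client view would be a statement fetched from a second device or an alert feed rather than a list typed into the script.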
The Russian-made Zeus malware first proved the concept in 2009, and is behind, by some estimates, billions of dollars in losses over the years. Zeus’s alleged author, Evgeniy Bogachev, was even among the Russians sanctioned by President Obama last December in retaliation for the Kremlin’s election hacking, and the FBI has a $3 million reward out for his arrest.
The U.S. discovered Tverdokhlebov while examining the online chats of a different Russian: Vadim Polyakov, a 32-year-old St. Petersburg man who pleaded guilty last year to a million-dollar concert-ticket scam. Polyakov ran a crime ring that hacked consumers’ StubHub accounts to buy thousands of e-tickets for resale. He was arrested in Spain and extradited to the U.S. In July, a New York judge sentenced him to four to 12 years in state prison.
Court records don’t indicate how the Secret Service obtained Polyakov’s ICQ chat logs. The most likely scenario is that Spanish authorities seized Polyakov’s laptop at his arrest. In any event, the chat logs showed Polyakov conversing in Russian with a fellow cyberthief who let slip enough information to identify Tverdokhlebov as a suspect: his first name, his girlfriend’s full name, his home address and his phone number.
The indictment against Tverdokhlebov is based entirely on the years-old chats, with no hard information about specific thefts, suggesting that the feds are using it as a wedge to try to pry more evidence from Tverdokhlebov’s arrest and the search of his computers.
Over government objections, a magistrate judge set Tverdokhlebov’s bail at $100,000 last week but stayed the man’s release pending a government appeal, set to be heard in Virginia on Friday. The feds are urging that Tverdokhlebov be held without bail, claiming that he has few ties to the U.S. and enough underworld contacts to flee to Mexico and from there to Russia.
Tverdokhlebov was born in Russia and obtained U.S. citizenship in 2009 after marrying an American. According to prosecutors, the two have since divorced.
Secret Service agents have spent the days since Tverdokhlebov’s arrest opening his safe-deposit boxes. Three boxes in California were packed with $172,000 in $100 bills. A key locked in one box turned out to fit a fourth safe-deposit box in Las Vegas, where on Tuesday the feds found an additional $100,000.
“The large quantity of cash, as well as their distribution in safe-deposit boxes in different states, suggests that defendant may have concealed funds elsewhere in preparation for flight,” prosecutors wrote, urging that Tverdokhlebov be kept in jail.
Tverdokhlebov’s attorney, William Cummings, countered in a filing Thursday that his client is legitimately employed in Los Angeles and that the charges in the Virginia indictment are old.
Cummings also implied that with every cash-filled safe-deposit box the feds find, his client becomes an even better candidate for pre-trial release. “The defendant, if he were on release, could now not go to Las Vegas to access that money,” he wrote.