This article is more than 1 year old

Remember that Citadel bank-slurping malware? Its main man was just jailed for five years

Trojan was used to swipe $500m from victims' accounts

Russian programmer Mark Vartanyan has been sentenced to five years in US federal prison for developing and spreading the Citadel malware that stole $500m (£383m) from bank accounts around the world.

Citadel is a variant of the Zeus banking Trojan, the source code of which leaked online in 2011. These software nasties could infect Windows PCs to loot victims' online cash accounts. They could also steal people's personal info for identity thieves to exploit.

From 2012 to 2014, while living in Russia and later Norway, Vartanyan took that leaked code and improved it, building new modules with extra functions, and generally making his crimeware tougher and more resilient to antivirus. He worked with Russian fella Dimitry Belorossov (aka Rainerfox) to maintain and upgrade Citadel for nearly two years. It managed to infect roughly 11 million machines globally, and was responsible for siphoning off over $500m to organized criminals and their cohorts, prosecutors estimated.

Citadel was one of the earliest examples of malware-as-a-service available on dark-web forums. Essentially, crooks bought copies, and flung them at victims via email, drive-by downloads, and so on, directing the stolen cash into their pockets.

At its height, a copy of Citadel and its web-based control panel would have cost you $2,399, along with a $125 monthly fee for code updates. Additional features could be bought: for example, $395 would get you a service whereby the malware was checked against known antivirus signatures and adapted to escape detection.

Belorossov was arrested while on a visit to Spain, and extradited to America. In 2015, he was sentenced to four years and six months in the clink after pleading guilty to conspiracy to commit computer fraud. He'll be out before his partner in crime, and is likely to be expelled from the US indefinitely.

Vartanyan was extradited to America from Norway in December last year, and in March he too decided to plead guilty to a single charge of conspiracy to commit computer fraud in exchange for a lighter punishment. He could have been sent down for 25 years, but for sparing taxpayers a lengthy trial, he faced a maximum sentence of ten years.

On Wednesday this week, he was thrown in the slammer by Atlanta district Judge Mark Cohen for half that. Vartanyan was given two years of credit for time spent behind bars in Norway awaiting his extradition to the US. ®

More about

More about

More about


Send us news

Other stories you might like