Russian jailed for eight years in the US for writing code that sifted botnet logs for web banking creds for fraudsters

Harvested usernames, passwords used to drain victims' coffers


A Russian programmer has been sentenced to eight years behind bars in America for his part in a massive cybercriminal network that hacked into and drained victims' bank accounts.

Aleksandr Brovko, 36, was arrested in the Czech Republic in 2019 and extradited to America following a lengthy probe into Russian hacking rings. He was, according to the US government, “a member of elite, online forums designed for Russian-speaking cybercriminals to gather and exchange tools and services for crime.”

Brovko was born and raised in a middle-class Russian household and got a degree in systems engineering in 2006. However, according to court documents [PDF], he lost his job at a printing and advertising business “after a disagreement with the company’s management.”

He then did some work for a former classmate “who was looking for help in directing internet traffic to certain websites,” which became an entry point into the world of cyberfraud. Brovko claims he was ashamed of the work but couldn’t find another job that paid as well.

Brovko was almost certainly fingered by the mastermind of the scheme: Alexander Tverdokhlebov, who emigrated from Russia in 2007, gained US citizenship, and lived in California. He was collared and sent down for nine years in 2017 for running a botnet of an estimated 500,000 infected computers. Brovko’s indictment in 2018 repeatedly references evidence given to the authorities by “A.T.”

The caper worked like this: Tverdokhlebov would obtain access to thousands of hacked PCs, all remote-controlled by malware that also harvested people's usernames and passwords from those computers. Brovko was tasked with sifting through the logs of these botnets for internet banking credentials vacuumed by the malware, which were subsequently used by fellow conspirators to steal millions of dollars from Americans' accounts in fraudulent transfers.

Brovko wrote software to trawl through this data automatically. He also performed manual searches on the data and tested whether username-password combinations for bank accounts still worked. Prosecutors claim he noted down the amount of money in people’s accounts to flag up those most worth targeting.

Quality check

“Where his computer code could not effectively parse the data, Brovko supplemented his computer-automated efforts with manual searches of the data,” his indictment [PDF] noted.

“Brovko’s second role was to perform quality checks on the victim information he had identified. He did this, for example, by attempting to log in to victims’ online banking accounts using the stolen usernames and passwords he had identified. If he was able to log in, he would know that the username-and-password combination was still valid.”

For his efforts, Brovko was paid roughly $70,000 a year by Tverdokhlebov, money his lawyer claimed was used to support his wife and son. He also sold his services to other cybercriminals and even tried to sell some banking credentials himself through online criminal networks. When the police raided his home, they seized a large amount of equipment that was then used as evidence against him.

He pleaded guilty in the US in February to conspiracy to commit wire fraud and bank fraud, with a second charge of conspiracy to commit access device fraud dropped as part of a plea deal that Brovko reached with the authorities.

Despite facing eight years in jail and a further five years of supervised release, Brovko came off easy: the recommended sentencing for his crimes was 20 to 24 years. He was also given a nominal $100 fine when formal sentencing recommended anywhere between $50,000 and $200m.

The official announcement of his sentence claimed Brovko was part of a “$100m botnet conspiracy,” though that figure is a little suspect: it was based on details of 200,000 devices and PCs stored on Brovko’s computer gear multiplied by $500, the minimum dollar value required by law for a charge of unauthorized device access.

Money problems

As such, his lawyer argued the $100m loss calculation used by the government was “excessive and arbitrary and should not be given much weight.” The attorney also said America's Sentencing Commission noted such a calculation “substantially overstates the seriousness of the offense.”

The bigger problem in this case is that Brovko is blamed for a greater financial loss than the man who actually operated the system, Tverdokhlebov, solely because the latter “happened to have a smaller amount of stolen data on his computers at the time of his arrest,” Brovko's lawyer said. The lawyer thus argued Brovko should not be given a longer jail term than Tverdokhlebov, which is something the judge ultimately agreed with, giving him eight years in the clink compared to Tverdokhlebov’s nine.

US Attorney for eastern Virginia Zachary Terwilliger said of the sentence: “Aleksandr Brovko used his programming skills to facilitate the large-scale theft and use of stolen personal and financial information, resulting in over $100 million in intended loss. Our office is committed to holding these criminals accountable and protecting our communities as cybercrime becomes an ever more prominent threat.” ®


Biting the hand that feeds IT © 1998–2020