
A Slovenian man convicted of authoring the destructive and once-prolific Mariposa botnet and running the infamous Darkode cybercrime forum has been arrested in Germany on request from prosecutors in the United States, who’ve recently re-indicted him on related charges.
The Slovenian Press Agency reported today that German police arrested Matjaž “Iserdo” Škorjanc last week, in response to a U.S.-issued international arrest warrant for his extradition.
In December 2013, a Slovenian court sentenced Škorjanc to four years and ten months in prison for creating the malware that powered the ‘Mariposa’ botnet. Spanish for “Butterfly,” Mariposa was a potent crime machine first spotted in 2008. Very soon after its inception, Mariposa was estimated to have infected more than 1 million hacked computers — making it one of the largest botnets ever created.
Škorjanc and his hacker handle Iserdo were initially named in a Justice Department indictment from 2011 (PDF) along with two other men who allegedly wrote and sold the Mariposa botnet code. But in June 2019, the DOJ unsealed an updated indictment (PDF) naming Škorjanc, the two original co-defendants, and a fourth man (from the United States) in a conspiracy to make and market Mariposa and to run the Darkode crime forum.
More recently, Škorjanc served as chief technology officer at NiceHash, a Slovenian company that lets users sell their computing power to help others mine virtual currencies like bitcoin. In December 2017, approximately USD $52 million worth of bitcoin mysteriously disappeared from the coffers of NiceHash. Slovenian police are reportedly still investigating that incident.
It will be interesting to see what happens with the fourth and sole U.S.-based defendant added in the latest DOJ charges — Thomas K. McCormick, a.k.a. “fubar” — allegedly one of the last administrators of Darkode. Prosecutors say McCormick also was a reseller of the Mariposa botnet, the ZeuS banking trojan, and a bot malware he allegedly helped create called “Ngrbot.”
Between 2010 and 2013, Fubar would randomly chat me up on instant messenger apropos of nothing to trade information about the latest goings-on in the malware and cybercrime forum scene.
Fubar frequently knew before anyone else about upcoming improvements to or new features of ZeuS, and discussed at length his interactions with Iserdo/Škorjanc. Every so often, I would reach out to Fubar to see if he could convince one of his forum members to call off an attack against KrebsOnSecurity.com, an activity that had become something of a rite of passage for new Darkode members.
On Dec. 5, 2013, federal investigators visited McCormick at his University of Massachusetts dorm room. According to a memo filed by FBI agents investigating the case, in that interview McCormick acknowledged using the “fubar” identity on Darkode, but said he’d quit the whole forum scene years ago, and that he’d even interned at Microsoft for several summers and at Cisco for one summer.
A subsequent search warrant executed on his dorm room revealed multiple removable drives that held tens of thousands of stolen credit card records. For whatever reason, however, McCormick wasn’t arrested or charged until December 2018.
According to the FBI, back in that December 2013 interview McCormick voluntarily told them a great deal about his various businesses and online personas. He also apparently told investigators he talked with KrebsOnSecurity quite a bit, and that he’d tipped me off to some important developments in the malware scene. For example:
“TM had found the email address of the Spyeye author in an old fake antivirus affiliate program database and that TM was able to find the true name of the Spyeye author from searching online for an individual that used the email address,” the memo states. “TM passed this information on to Brian Krebs.”
Read more of the FBI’s interview with McCormick here (PDF).
News of Škorjanc’s arrest comes amid other cybercrime takedowns in Germany this past week. On Friday, German authorities announced they’d arrested seven people and were investigating six more in connection with the raid of a Dark Web hosting operation that allegedly supported multiple child porn, cybercrime and drug markets with hundreds of servers buried inside a heavily fortified military bunker.
Phirst!
Hope they throw the book at this dude.
Great story! I wondered what had happened to these bad actors. It never ceases to amaze me when you look at how “professional” their websites and marketing appear. I’m sure many KOS readers wonder why they don’t just switch to legitimate businesses; after all the demand is there, and no one would be looking for them anymore.
I know – I’m the naive optimist.
I think there are some kinds of people that would rather “beat the system” than “make the system.” People will do things for “workouts” that they won’t want to do for “work.”
Easy.
There’s more money with no delays or bills in doing things the blackhat way.
I own a legitimate Consulting / PenTest firm, and it’s sickening how much more a Blackhat can make per engagement. You *need* my business and others like me, but don’t want to pay a quarter of what it will cost when you’re attacked.
I’d never go blackhat, as I enjoy my freedom, but when I can click “Go” on a phishing/mining campaign, do nothing, and sit back and watch the $ roll in….
I know a lot of people may disagree with you, but that’s the sad reality. I hear the same questions asked about bug bounties. “Why aren’t more blackhats doing bug bounties?” Same answer you gave. They get way more money breaching a company and selling personal information on the dark web rather than (i) reporting a bug, (ii) waiting for the client to respond, (iii) having them validate whether it’s a legitimate bug or not, (iv) probably having the client say that it doesn’t affect them, (v) maybe having a little back and forth to prove its legitimacy, (vi) and then either getting a small bounty relative to the amount of work you put in, or having the client just close out the report as Not Applicable.
The first bug I found was when I still had no idea how the platforms worked. It was an information disclosure bug that resulted from a leftover endpoint they forgot to remove in their application. That particular company didn’t offer bounties, but I’ve often wondered how much I could have gotten for that bug had the company provided a bounty – or had it been put on the dark web. Like you, I enjoy my freedom too much to do something so stupid.
“Fubar” – When you get arrested by your own government and then extradited to the United States for prosecution
Oh, I remember ‘Mariposa’.
Those botnets made it so easy for attackers to compromise the victims’ networks; while it costs the victims so much money to protect themselves from such threats.
The world has not been the same since…
BTW, Thanks for this update Brian!
Anyone believing that Iserdo had nothing to do with the NiceHash hack of 62M of BTC while he was serving as the CTO is living in a dream world.
That would be nice hash they are smoking!
Well, when you hire a criminal as your CTO, what could possibly go wrong?
Book ’em, Danno!
Two interesting takedowns within a week in Germany? I wonder if authorities have a new tool up their sleeve, like a compromise of TOR or some such thing. Regardless, everybody that has an ethernet connection should know that there is no such thing as anonymity in reality. Signals come and go from known physical addresses, somebody just has to make the effort to connect the dots. Just as one can make it computationally intensive to rip a password hash, but one can’t make it impossible to do when the resources are basically limitless.
A thought to the wiseguys: The fly that keeps landing on your forehead in a room full of flies is usually the one that gets swatted first…
When I saw the name fubar, I immediately thought of foonet for some reason.
Talk about a blast from the past…..
“On or about December 5, 2013” appears a lot in the indictment. The indictment was filed December 4th, 2018, one day before the statute of limitations on things like wire fraud (5 years). I wonder why they waited so long?
Lol fubar been a fed before 2013.
Funny how mafi put so much trust into him. Everyone told him he was a fed from the jump.
All the real OGs are still active. The real dk is not public or known to any researchers and never will be. The circle is under 12 and will remain.
Keep telling yourself that buddy. Enjoy prison.
I’ve been out of the game too long. Statute of limitations.
Those of us who were smart took the blackhat money and invested it into legit online business.
I do however still keep in touch with old colleagues.
The dk raid taught those who are still at large a valuable lesson. The ones who are still active are beyond careful at this point. Probably a little too overcautious if you ask me.
“The real dk is not public or known to any researchers and never will be.”
Al Capone, John Gotti, Mussolini, and Richard Nixon all thought they could get away with it. Good luck!
Skorjanc was already sentenced for that crime in Slovenia.
Article 14 of the International Covenant on Civil and Political Rights:
“No one shall be liable to be tried or punished again for an offence for which he has already been finally convicted or acquitted in accordance with the law and penal procedure of each country.”
Considering the statutes of limitations are up for 2 out of the 3 charges, it just seems like the FBI has a little too much time on their hands.
Let’s hope he falls out of the plane on the way to the US.
So long as the sentences for these crimes stay pathetic, they will continue to encourage more criminals. Hell, if you get a million, spend 10 years in jail, you still have the million – which is a hell of a lot more than I have after working 10 years. It’s a wonder more IT people aren’t criminals; it pays well, and the punishment is mild at worst. And it might land you a job working for super criminals (governments) with unlimited benefits.