
The Russian author of the notorious Citadel malware which infected over 11 million PCs and stole an astonishing $500 million from bank accounts has pleaded guilty to his crimes.

29-year-old Mark Vartanyan, who went by the online handle of “Kolypto”, was arrested in the Norwegian town of Fredrikstad in 2015 at the request of the FBI. He was extradited to the United States last December, against the wishes of Russia, which argued that the evidence against Vartanyan was weak and the case was politically motivated.

Nonetheless, Vartanyan has now admitted his guilt as part of a plea bargain with US federal prosecutors, who have agreed not to seek a prison sentence of more than ten years.

A maximum term of ten years may still sound like a lot of time for anyone to waste their life behind bars (it is!), but it is a lot better than the 25 or more years prosecutors might otherwise have sought.

The Citadel malware first caught the attention of security researchers in late 2011, when it was found being made available for sale on Russian-language crime forums.

Citadel made it relatively easy for online fraudsters to steal banking credentials, credit card information, and personal data with the intention of breaking into victims’ bank accounts and making unauthorised transactions.

Citadel malware email

In addition, Citadel could hijack control of users’ Windows PCs, attempt to grab the master passwords of some third-party password managers, and block access to anti-virus vendors’ websites.

To increase its chances of success, Citadel could be used in targeted attacks that exploited Microsoft zero-day vulnerabilities to infect firms, as well as in more traditional attacks.

And it is clear that Citadel was very much a serious commercial enterprise for its developer. Some editions of the malware even incorporated a built-in Customer Relationship Management (CRM) system to provide quick and effective support to its criminal customers, something the developers were happy to brag about in online postings:

“It’s no secret that the products in our field — without support from the developers — result in a piece of junk on your hard drive. Therefore, the product should be improved according to the wishes of our customers. One problem is that you have probably experienced developers who ignore your instant messages, because there are many customers but there is only one developer.”

Vartanyan may be heading rapidly to prison, but his malware is still out there in the hands of many other criminals who could potentially use it to steal from innocent computer users. One of the frustrations of fighting malware is that even after the perpetrators have been put away, the crimes can keep being committed.

Vartanyan, who is scheduled to be sentenced in June, is not the first person to be charged in connection with the Citadel malware.

In September 2015, 22-year-old Russian national Dmitry Belorossov, who went by the online handle of “Rainerfox”, was sentenced to 4.5 years in prison after he admitted using the Citadel malware to commit fraud and hijacking control of some 7,000 computers.


Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.