
The Russian author of the notorious Citadel malware which infected over 11 million PCs and stole an astonishing $500 million from bank accounts has pleaded guilty to his crimes.

29-year-old Mark Vartanyan, who went by the online handle of “Kolypto”, was arrested in the Norwegian town of Fredrikstad in 2015 at the request of the FBI. He was extradited to the United States last December, against the wishes of Russia, which argued that the evidence against Vartanyan was weak and the case was politically motivated.

Nonetheless, Vartanyan has now admitted his guilt as part of a plea bargain with US federal prosecutors, who have agreed not to seek a prison sentence of more than ten years.

A maximum term of ten years may still sound like a lot of time for anyone to waste their life behind bars (it is!) but it’s still a lot better than the 25 or more prosecutors might have sought instead.

The Citadel malware first caught the attention of security researchers in late 2011, when it was found being made available for sale on Russian-language crime forums.

Citadel made it relatively easy for online fraudsters to steal banking credentials, credit card information, and personal data, with the intention of breaking into victims’ bank accounts and making unauthorised transactions.

Citadel malware email

In addition, Citadel could hijack control of users’ Windows PCs and even attempt to grab the master passwords of some third-party password managers, and block access to anti-virus vendor websites.

To increase its chances of success, Citadel could be used in targeted attacks exploiting Microsoft zero-day vulnerabilities to infect firms, as well as more traditional attacks.

And it’s clear that Citadel was very much a serious commercial enterprise for its developer. Some editions of the malware even incorporated a built-in Customer Relationship Management (CRM) system to provide quick and effective support to its criminal customers, which the developers were happy to brag about in online postings:

“It’s no secret that the products in our field — without support from the developers — result in a piece of junk on your hard drive. Therefore, the product should be improved according to the wishes of our customers. One problem is that you have probably experienced developers who ignore your instant messages, because there are many customers but there is only one developer.”

Vartanyan may be heading rapidly to prison, but his malware is still out there in the hands of many other criminals who could potentially exploit it to steal from innocent computer users. One of the frustrations with fighting malware is that even after the perpetrators have been put away, the crimes can keep being committed.

Vartanyan, who is scheduled to be sentenced in June, isn’t the first person to be charged in connection with the Citadel malware.

In September 2015, 22-year-old Russian national Dmitry Belorossov – who went by the online handle of “Rainerfox” – was sentenced to 4.5 years in prison after he admitted using the Citadel malware to commit fraud, and hijacking control of some 7000 computers.


Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.

  • Håkon Dahle

    The author has probably not been at any hearing where the evidence against Mark Vartanyan has been presented. His article seems to be a pumped up version of the public statement made by the FBI. I have – during the extradition hearings in Norway – listened several times to what the FBI presents as evidence. For sure, this is not a case against “the author of Citadel” or even a key contributor. It seemed that his role was limited to being hired as a freelancer to develop some common technical part of the solution. The FBI did not claim any evidence against Vartanyan of data breach, access to private credentials or stolen money.

  • Jim W

    How would a PC user be infected with this malware?

  • Håkon Dahle

    During the extradition trials in Norway I listened to the evidence provided by the FBI. What they have is a list of file names and a couple of IP addresses. There was no mention of unauthorized access, data breach, stolen credentials nor stolen money. Nada. So this is definitely not The Author of Citadel. At the most he may be a freelancer that did a job for the authors, so making it sound like the FBI caught a big fish cannot be justified. But he may also be innocent…

  • kevin Mass

    OMG! $500 million! I doubt how it would be possible for a PC to be infected by this malware??
