The people behind malware and cybercrime

The people behind malware and cybercrime

As interesting as the techniques used in creating new malware are the people behind the code and the lengths they go to in order to hide themselves. The malware writers are a small but important piece of the puzzle however they are part of a wider category of cybercriminal.

In this piece I explore some of the people behind well known malware and other cybercrimes. Some people, and their actions, may be defined as criminal in a true legal sense but I make no statement on the morality of them. Is cyber-vigilantism justified (“doing right”) even if the actions are illegal? I have my own opinion but here I will try to stick to report facts with some opinion of personalities rather than of their morality.


A group of people who are mainly motivated by money than politics, if we are talking about private citizens. Otherwise they are government sponsored actors who are paid contractors who write malware for their government rather than for money. ‘Slavik’ may be one of the few who potentially did both.

The former tend to be based in Russia, Ukraine or Eastern Europe, while the latter seem to be based in the US (at least the ones who make the news).

Slavik: Zeus, GameOver, CryptoLocker

A good insight to the complexity of cybercrime can be found in today’s Wired article: Inside the Hunt for Russia’s Most Notorious Hacker

This is one of the best articles I’ve read in a long time. Credit to the author for an engaging piece. The article follows the rise of Zeus malware and the later mutations into GameOver. The mastermind behind the this malware also created some of the most well known and prolific ransomware.

The lengths that the organisation went to disguise their activity is impressive as well as the potential involvement with the Russian government to protect the “Slavik” from prosecution in the west.

What’s interesting is that the Wired article gives a good indication of Slavik’s operational security (OpSec). He was difficult to trace identify. This highlights the importance of one’s actions in order to stay both secure and private; it is arguably more important than the technical measures used to keep one secure. In the first attempt to take his network the researchers looked close to winning with 99% control, but Slavik had built in redundancy with a secondary layer of communication.

One of the clues that gave up his real identity was his use of an email address connected to his real name:

The team was able to trace the email address to a British server that Slavik used to run the Business Club’s websites. More investigative work and more court orders eventually led authorities to Russian social media sites where the email address was connected to a real name: Evgeniy Mikhailovich Bogachev.

This is the most surprising thing in many ways that he let operational security slip on something so silly. Given the professional nature of everything else I’m left to assume two possible reasons: (1) silly human error, (2) the domains had been registered long before he ever became successful.

The second point would be reasonably easy to dismiss with some research (I think). It is my opinion that everyone, even security experts, have poor practices and poor passwords hidden in their ‘closet’. Fortunately for him it would seem that he may have some powerful allies to protect him.

Kolypto: Citadel

The Citadel malware apparently infected 11 million computers and is known for stealing financial information from its victims. One of the creators of the malware was recently extradited to the US. The original creator is believed to still be at large.

Graham Cluley provided a summary in a recent blog post: Author of Citadel malware, used to steal $500 million from bank accounts, pleads guilty

Equation Group

A group of people who have been linked to the NSA and are believed to have written or at least contributed to some of the most ‘powerful’ malware yet see: Stuxnet and Flame. Their actions would be deemed illegal if they were private citizens but while they are government sponsored then the acts will deemed as necessary.

Interestingly, according to the Vault 7 leak it would seem that “Equation Group” may not be a single group of people but rather a toolset. The implication is that the group would not necessarily be a subgroup of the NSA but perhaps a toolset shared amongst several US government agencies. That’s just speculation of my part.

One commenter wrote that “the Equation Group as labeled in the report does not relate to a specific group but rather a collection of tools” used for hacking.

However, it is much easy to state that the people who wrote the tools are the “Equation Group” regardless of which organisation they work for.

Stuxnet: an interesting and advanced piece of malware. A description of which would take me far from the intent of this article. It was discovered in 2010 and suggested to have targeted the Natanz nuclear plant in Iran. The origin of this malware is guessed to be either the US and / or Israeli intelligence agencies.

Flame: discovered in 2012 this malware is also suspected to have links to the creators of Stuxnet. Journalists reported further cooperation between US and Israeli intelligence agencies.

Some of the code written by the Equation Group is believed to have been leaked by another group known as the “Shadow Brokers” (see below).

Wikipedia: Equation Group

History of Malware

A reasonable recounting of the history of malware can be found in a series of articles on medium. The author’s history of malware articles are good but I’m disinclined to recommend anything.



Carding is the practice of cloning and trafficking credit cards. Primarily, this involves stealing and then selling the credit card details plus the accompanying personal information. Brian Krebs is a journalist turned and now one of the leading experts on carding. He has written some excellent articles on his website about carding, skimming, and the people who are involved.

As with malware writing, it would seem that Russia and Eastern Europe are the leading sources of this activity.

KrebsOnSecurity: Cards Stolen in Target Breach Flood Underground Markets

Wikipedia: Carding


The motivations for hacktivists is political rather than financial. The attacks aren’t malware based but rather about website defacement or denial of service.

The Jester

Cyber vigilante living in the US. As far as we know he isn’t a malware coder but rather a vigilante who is pro-American. However, I include him here as his activities are over the line in terms of being illegal. That he hasn’t been prosecuted make you wonder as to whether he has a special arrangement with the US government. Not only are his activities overlooked but rather he is exalted. It is worth noting that his laptop is in a US museum. The Jester is strongly, and notably, opposed to Anonymous and Wikileaks.

From what I can tell no one has unmasked the real person (or persons). Part of the reason is that the US government are not pursuing him for criminal activity, but rather they see him as an ally. This assumes that he isn’t actually a public profile for a government agency: something like a social media manager for a three letter acronym. The only people trying to unmask him are private citizens such as people who identify themselves with the Anonymous collective.

If US government is not pursuing you then you have a good chance of staying unknown. I’m very sure they knew who he is, but don’t care. There has been some indication that he is a military veteran too. Moreover, he does display good operational security. We all tend to give away hints of who we are or where we are from, but it is difficult to do this over a long period time and in public view.

Interestingly, he advises against the use of Tor but does suggest the use of I2P which is a competing “Anonymity” network.

Jester’s Court


A group whose history is always misremembered. I’ve seen many historical recounts of their history from supposed experts but in every recount I’ve found mistakes. Events are either over or under embellished.

Originating from 4chan this loose group of people are perhaps the most famous of all hacktivists. One ‘problem’ with attribution to Anonymous is that anyone can claim to be anonymous. This isn’t a coherent group in any conventional sense. As there is no coherence there is defining rule for membership: someone can claim to be a public spokesperson for the group but it is somewhat meaningless. This is not a group held together by conventional rules. Even the use of the Guy Fawkes mask which denotes some sort of membership it does indicate whether that person is engaged in hacking or criminal activity.

What I think is more important to consider is that some people will congregate together in a group with similar ideals and call themselves Anonymous. However, another group of people with starkly different ideals can also congregate together and called themselves Anonymous. The only shared trait between the two groups is that they are likely male and have a desire to label themselves with the collective noun “Anonymous”.

Operational Security will be mixed. Use of Tor and encrypted chat channels and apps is a start, but not necessarily much better than amateur techniques.

Wikipedia is probably as good a resource as any: Anonymous

Lauri Love

A name linked to the Anonymous group. He is UK born and currently awaiting extradition to the US on charges related to hacking US government computers. His political beliefs are strongly to the left. He is also the only person in this long list that I’ve actually met. Lauri is a friend of a friend although we barely spoke despite both living in and studying in Glasgow in the late 2000s.

His extradition appeal is interesting in that it carries a huge sentence (it does seem excessive given the impact) and that having mental health issues seems to be both a trend with ‘hackers’ and as a strong defence against being extradited. This also appears to be true of Gary Mackinnon who was convicted of similar crimes years before.

Furthermore, I note that a UK judge ruled that Lauri did not have to give up passwords or private keys. This is seems to be an important ruling for protecting privacy although debateably making crime solving harder.

I did read about how he was caught but I don’t recall at the time of writing. I would like to review this and provide a write up of his operational security.

Wikipedia: Lauri Love

Gary Mackinnon

Gary is wanted for extradition to the US on grounds of hacking government computers, but the extradition request was denied by the UK government.

He gained access to US government systems remotely because of the use of weak default passwords. One of the biggest mistakes to make in security; default passwords tend to be weak and publicly known.

Interesting takeaways from this court cases are:

On 16 October 2012, Home Secretary Theresa May announced to the House of Commons that the extradition had been blocked, saying that “Mr McKinnon is accused of serious crimes. But there is also no doubt that he is seriously ill […] He has Asperger’s syndrome, and suffers from depressive illness.


On 14 December, the DPP, Keir Starmer, announced that McKinnon would not be prosecuted in the United Kingdom, because of the difficulties involved in bringing a case against him when the evidence was in the United States.

This reaffirms that mental health is a solid defence in the UK against being extradited to the US. I don’t doubt the veracity in either Gary’s or Lauri’s case, but just pointing out that the UK justice system appears to give this factor high importance.

Moreover, it is interesting that Gary won’t be prosecuted in the UK because the evidence is in another country. I understand this and it does make me wonder if it could ever be any another way. Although Gary was living in the UK his actions affected computers in another country. His actions were criminal, from a technical point of view, in both the UK and the US. Obviously not being a lawyer my opinion is worth almost nothing from a legal point of view.

Wikipedia: Gary Mackinnon

Phineas Fisher

Infamous hacker of Hacking Team. Definite political motivation against the actions of Hacking Team. Obviously his actions, like those of Hacking Team, are illegal for the public (at least in most companies).

His take down of Hacking Team was impressive and a fascinating read: Hack Back

Despite some suggestions that he is too active on Twitter he seems to be displaying good operational in keeping his private, real, identity separate from his hacker identity. If he continues to make high profile hacks and to continue using social media then he may eventually be exposed.

Shadow Brokers

A team of currently unknown people who leaked data from the NSA (TAO) and from the Equation Group. Real identities are currently unknown.

This story if true (i.e. not assuming a self-dox) would highlight potentially poor operational security at certain three letter acronym organisations.

NSA-leaking Shadow Brokers lob Molotov cocktail before exiting world stage

Wikipedia: Shadow Brokers


Black Marketeers

A confluence of carders, malware writers, drug dealers, and others illegal market participants. This is not a single group of people, nor even those occupying a single geographic region, but rather a loose ‘collection’ of people that I’m grouping together who have participated or helped to facilitate the trade of illegal goods online.

Silk Roads

The Silk Road was touted as an anonymous marketplace which was only accessible Tor web browser. Transactions were conducted via Bitcoin.

The marketplace was created by Ross Ulbricht. A physics student who became interested in Bitcoin and deregulated markets. It was one of the first that I recall existing within the Tor network (sometimes called the Dark Web). It was possible to buy drugs, counterfeit goods, stolen credit cards weapons, fraudulent identification, and so on.

After the take-down of the Silk Road a number of others followed on but were also shut down. Similar black market places still exist. One flaw of the Silk Road stemmed from the fact that it was centralised. Newer marketplaces are decentralised and are likely to be harder to take down. That doesn’t mean that individuals can’t be arrested but rather taking down the whole market ought to prove very difficult.

Wikipedia: Silk Road

Wikipedia: Darknet Markets


Less concerned with soapboxing ideas and more about subversively spreading ideas or a causing a little chaos and upset. Whether they are included as a subset of hacktivists is also open to debate. The motivations do not seem political in a conventional sense.

Andrew Auernheimer (Weev)

Controversial hacker who was jailed for finding a security flaw in AT&T’s email servers. He was released in April 2014. He was one of a group called GNAA and Goatse Security. Despite their notoriety spawning from trolling they have conducted serious research as well.

Wikipedia is probably as good a resource as any: Weev.


Another example of a hacker group with a sense of humour whom also conducted serious research. Their motivations did not appear to be political or financial, but ‘fun’, which is why they are listed in this section of the article. Read about their antics on their Wikipedia page. I believe the group has split up.

Wikipedia: LulzSec

Leave a Reply