Ukrainian Hacking Figure Captured and Extradited to the U.S.
A Ukrainian national, previously indicted in 2012 for his involvement with a notorious hacking collective that pilfered millions from American enterprises, has been apprehended in Italy and is now under U.S. federal custody, as reported by KrebsOnSecurity.
Yuriy Igorevich Rybtsov, a 41-year-old from Donetsk, Ukraine, which is currently under Russian control, has resurfaced in American legal documents, where he was initially referenced only by his alias “MrICQ.”
A 13-year-old indictment filed in Nebraska indicated that MrICQ served as a developer for the cybercriminal faction known as “Jabber Zeus.”
The moniker Jabber Zeus originates from the specialized malware employed by the group—a modified iteration of the ZeuS banking trojan.
This malicious software facilitated the theft of banking credentials, alerting the hackers via Jabber instant messenger each time a new target input a one-time passcode during transactions on financial institution websites.
Their primary targets were small to medium-sized businesses, where they pioneered “man-in-the-browser” attacks that surreptitiously captured data inputted in web forms.
Once they infiltrated a company’s accounts, the Jabber Zeus operatives would alter payrolls to inject numerous “money mules,” individuals ensnared through sophisticated remote work schemes tasked with managing bank transfers.
These mules subsequently channeled the misappropriated payroll funds—less a commission—through wire transfers to accomplices located in Ukraine and the United Kingdom.
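The payroll tampering pattern described above can be caught before funds move. The following added example (not code from the article, KrebsOnSecurity or myNetWatchman; the roster, thresholds and payee data are constructed) holds a payroll batch when it suddenly adds many unknown payees or changed destination accounts.

```python
"""Payroll batch check for the mule-injection pattern described above.

Added example (constructed): before a payroll batch is released, compare its
payees and destination accounts against the roster the company already pays
and flag batches that suddenly add many unknown recipients.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class PayrollEntry:
    employee_id: str
    account: str      # destination account, constructed sample value
    amount: float

# Constructed roster: the payees this business has paid in prior batches.
KNOWN_ROSTER = {
    "E001": "ACCT-1001", "E002": "ACCT-1002", "E003": "ACCT-1003",
    "E004": "ACCT-1004", "E005": "ACCT-1005", "E006": "ACCT-1006",
}

def review_payroll_batch(batch, roster=KNOWN_ROSTER, min_new=3, max_new_ratio=0.25):
    """Return (hold_batch, findings) for one payroll batch.

    An entry is suspicious if its employee_id is not on the roster, or if a
    known employee's destination account changed. The batch is held when the
    number of suspicious entries reaches min_new AND exceeds max_new_ratio of
    the batch; both conditions are required so that a single legitimate new
    hire or account change does not stop payroll.
    """
    findings = []
    for e in batch:
        if e.employee_id not in roster:
            findings.append((e, "payee not on roster"))
        elif roster[e.employee_id] != e.account:
            findings.append((e, "destination account changed"))
    suspicious = len(findings)
    hold = suspicious >= min_new and suspicious / max(len(batch), 1) > max_new_ratio
    return hold, findings

def sample_batch():
    """Constructed batch: the six real employees plus four injected payees."""
    legit = [PayrollEntry(eid, acct, 2500.0) for eid, acct in KNOWN_ROSTER.items()]
    injected = [PayrollEntry(f"TMP{i}", f"ACCT-9{i:03d}", 4800.0) for i in range(4)]
    return legit + injected

if __name__ == "__main__":
    hold, findings = review_payroll_batch(sample_batch())
    print("HOLD" if hold else "RELEASE", len(findings), "suspicious entries")
    for entry, reason in findings:
        print(f"  {entry.employee_id} -> {entry.account}: {reason}")
```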
The indictment from 2012 identified MrICQ as “John Doe #3,” indicating he was responsible for managing the notifications of newly compromised victims. The U.S. Department of Justice (DOJ) asserted that MrICQ also assisted the group in laundering their ill-gotten gains through electronic currency exchange services.
Two sources with knowledge of the Jabber Zeus investigation confirmed Rybtsov’s arrest in Italy, although specifics regarding the timing and conditions of his capture remain ambiguous.
A summary of recent judicial decisions published by the Italian Supreme Court revealed that Rybtsov lost a final appeal in April 2025 to contest his extradition to the United States.
According to the mugshot website lockedup[.]wtf, Rybtsov was transferred to Nebraska on October 9 and is being detained under a warrant issued by the U.S. Federal Bureau of Investigation (FBI).
The data breach monitoring service Constella Intelligence uncovered compromised records from the business profiling site bvdinfo[.]com, indicating that Rybtsov resided at an address on 59 Barnaulska St. in Donetsk.
Further investigation revealed that the same building was linked to a business owned by Vyacheslav “Tank” Penchukov, the leader of the Jabber Zeus collective in Ukraine.
Penchukov was arrested in 2022 while en route to meet his spouse in Switzerland. In the previous year, a federal court in Nebraska sentenced him to 18 years in prison and mandated over $73 million in restitution.
Lawrence Baldwin, the founder of myNetWatchman, a Georgia-based threat intelligence firm, initiated tracking and counteraction against the Jabber Zeus gang in 2009. Baldwin strategically infiltrated the Jabber chat server utilized by the Ukrainian hackers, enabling him to intercept their daily discussions, including those involving MrICQ.
These real-time chat logs were shared with various state and federal law enforcement entities and facilitated significant outreach efforts by Baldwin, who warned numerous small businesses across the nation of impending attacks on their payroll accounts.
Despite Baldwin’s proactive measures, many businesses suffered substantial financial losses. Yet, insights gleaned from the intercepted Jabber Zeus conversations laid the groundwork for multiple stories covering small enterprises battling banks over considerable monetary losses.
Baldwin emphasized that Jabber Zeus was ahead of its contemporaries in various domains. Their intercepted dialogues revealed attempts to forge a tailor-made botnet in collaboration with Evgeniy Mikhailovich Bogachev, a Russian national on the FBI’s “Most Wanted” list, for whom a $3 million bounty has been established for credible information leading to his capture.
The central innovation of Jabber Zeus lay in an alert system that MrICQ received whenever a victim entered a one-time password on a phishing site mimicking legitimate banks. Internally, this feature was dubbed “Leprechaun.”
The malware was capable of altering the HTML code displayed in the victim’s browser to discreetly capture any passcodes sent by the bank for multi-factor authentication.

“These hackers had compromised so many victims that they were overwhelmed by a barrage of stolen banking credentials,” asserted Baldwin.
“However, the essence of Leprechaun was its focus on isolating the most lucrative credentials—commercial bank accounts equipped with two-factor authentication, which they recognized as prime targets due to the greater financial stakes.”
Baldwin added that the Jabber Zeus Trojan also featured a unique “backconnect” component, enabling the hackers to relay their exploits through the victim’s own infected device.
“The Jabber Zeus cadre operated directly within the victim’s banking environment using the victim’s own IP address, emulating their devices,” he explained. “That Trojan dismantled the perceived security of online banking effortlessly.”
Despite maintaining communication with the original author of ZeuS, the intercepted communications reveal that Bogachev often disregarded the team’s requests for assistance.
The government asserts that the true mastermind behind Jabber Zeus was Maksim Yakubets, a 38-year-old hacker of Ukrainian descent with Russian citizenship, known by the pseudonym “Aqua.”
The intercepted chats illustrate frequent interactions between Aqua and key members like MrICQ and Tank, as Aqua orchestrated the group’s operational maneuvers from Russia.
Yakubets/Aqua later rose to prominence as the head of an elite cybercrime organization known internally as “Evil Corp.” This cadre was responsible for the creation and deployment of the Dridex (also referred to as Bugat) trojan, a sophisticated tool that extracted over $100 million from numerous businesses in the United States and Europe.
A 2019 report regarding the government’s $5 million reward for information leading to Yakubets’s arrest included segments of conversations among Aqua, Tank, Bogachev, and other Jabber Zeus members discussing coverage of their victims.
Baldwin and I were extensively interviewed for a new six-part podcast series by the BBC that explores the history of Evil Corp. Episode One delves into the origins of Zeus, while the second episode scrutinizes the group’s investigation by former FBI agent Jim Craig.
Source link: Krebsonsecurity.com.