Skip to main content
Press Release

Russian Developer of the Notorious “Citadel” Malware Sentenced to Prison

For Immediate Release
U.S. Attorney's Office, Northern District of Georgia

ATLANTA - Dimitry Belorossov, a/k/a Rainerfox, has been sentenced to four years, six months in prison following his guilty plea for conspiring to commit computer fraud.  Belorossov distributed and installed Citadel, a sophisticated malware that infected over 11 million computers worldwide, onto victim computers using a variety of infection methods.

“Global cyber-crime requires a global response, and this case is a perfect example,” said U.S. Attorney John Horn. “This defendant committed computer hacking offenses on victims in the United States from the relative safety of his home country of Russia, but he was arrested by our law enforcement partners in Spain. As malware and hacking toolkits continue to victimize computer users around the world, we will step up our efforts to focus internationally on the criminals who develop these programs.”

“The FBI, in working with its international partners, continues to demonstrate that international boundaries no longer provide a safe haven for cybercriminals targeting U.S. individuals or interests domestically.  Successful investigation and prosecution of cases such as this are directly attributable to the increased capabilities and determination of our cyber trained investigators and our foreign based legal attachés working collectively to not only disrupt and dismantle these foreign based hacking efforts, but also to bring those individuals responsible to justice,” said J. Britt Johnson, Special Agent in Charge, FBI Atlanta Field Office.

According to U.S. Attorney Horn, the charges and other information presented in court:  In late 2011, a malicious software toolkit named “Citadel” began appearing for sale on invite-only Internet website forums frequented by cybercriminals. Citadel was a sophisticated form of malware known as a “banking Trojan” designed to steal online banking credentials, credit card information, personally identifiable information, and, ultimately, funds through unauthorized electronic transfers.  Citadel electronically infected the computers of unsuspecting individuals and financial institutions, creating “bots,” which cybercriminals, such as Belorossov, then remotely accessed and controlled.

Cybercriminals, including Belorossov, distributed and installed Citadel onto victim computers through a variety of infection methods, including malicious attachments to spam emails and commercial Internet ads containing malware or links to malware.  Since 2011, multiple versions of Citadel have been distributed and operated throughout the world.  Citadel became one of the most advanced crimeware tools available in the underground market, as it had the capability, among other things, to block antivirus sites on infected computers. According to industry estimates, Citadel, and other botnets like it, infected approximately 11 million computers worldwide and are responsible for over $500 million in losses.

In 2012, Belorossov downloaded a version of Citadel, which he then used to operate a Citadel botnet primarily from Russia. Belorossov remotely controlled over 7,000 victim bots, including at least one infected computer system with an IP address resolving to the Northern District of Georgia. Belorossov’s Citadel botnet contained personal information from the infected victim computers, including online banking credentials for U.S.-based financial institutions with federally insured deposits, credit card information, and other personally identifying information.

In addition to operating a Citadel botnet, Belorossov also provided online assistance with the goal of developing suggested improvements to Citadel, including posting comments on criminal forums on the Internet and electronically communicating with other cybercriminals via email and instant messaging.

For example, in 2012 Belorossov made numerous postings to Citadelmovement.com, an online forum in which Belorossov discussed his Citadel botnet and recommended improvements to the Citadel malware.  In those postings, which were in Russian, Belorossov shared his concurrence with the improvements to Citadel recommended by others and commented on the efficacy of additional criminal functions other customers had recommended as enhancements to the Citadel malware.

Belorossov, 22, of St. Petersburg, Russia, has been sentenced by U.S. District Court Chief Judge Thomas W. Thrash Jr., to four years, six months in prison, to be followed by three years of supervised release, and ordered to pay restitution in the amount of $322,409.09.  Belorossov was convicted on July 18, 2014, after he pleaded guilty.

This case was investigated by the Federal Bureau of Investigation.

Assistant U.S. Attorneys Steven D. Grimberg and Scott Ferber prosecuted the case.

For further information please contact the U.S. Attorney’s Public Affairs Office at USAGAN.PressEmails@usdoj.gov or (404) 581-6016.  The Internet address for the U.S. Attorney’s Office for the Northern District of Georgia is http://www.justice.gov/usao-ndga

Updated September 29, 2015

Topic
Cybercrime