June 23, 2015

Swedish Co-Creator of Blackshades Malware That Enabled Users Around the World to Secretly and Remotely Control Victims’ Computers Sentenced to 57 Months in Prison

Preet Bharara, the United States Attorney for the Southern District of New York, announced that ALEX YÜCEL, the owner of an organization known as “Blackshades” that since 2010 sold and distributed to thousands of people in more than 100 countries a sophisticated and pernicious form of malicious software, or “malware,” known as the Blackshades Remote Access Tool, or “RAT,” was sentenced today in Manhattan federal court to 57 months. The sentence was imposed by U.S. District Judge P. Kevin Castel. YÜCEL pled guilty to computer hacking on February 18, 2015.

Manhattan U.S. Attorney Preet Bharara said: “Alex Yucel created, marketed, and sold software that was designed to accomplish just one thing—gain control of a computer, and with it, a victim’s identity and other important information. This malware victimized thousands of people across the globe and invaded their lives. But Yucel’s computer hacking days are now over.”

According to the allegations in documents filed in Manhattan federal court, and statements made at today’s sentencing and other court proceedings:

Beginning in 2010, the “Blackshades” organization, which YÜCEL owned and controlled, sold and distributed malware to thousands of cybercriminals throughout the world. Blackshades’ flagship product was the RAT—a sophisticated piece of malware that enabled cybercriminals secretly and remotely to gain control over a victim’s computer. After installing the RAT on a victim’s computer, a user of the RAT had free rein to, among other things, access and view documents, photographs, and other files on the victim’s computer, record all of the keystrokes entered on the victim’s keyboard, steal the passwords to the victim’s online accounts, and even activate the victim’s web camera to spy on the victim—all of which could be done without the victim’s knowledge. A Blackshades user could also exploit victims’ computers for Distributed Denial of Service (“DDoS”) attacks by commanding Blackshades-infected computers to repeatedly send requests to targeted websites in an effort to disable those websites and deny service from those websites to legitimate visitors.

The RAT was typically advertised on forums for computer hackers and marketed as a product that conveniently combined the features of several different types of hacking tools. Copies of the Blackshades RAT were available for sale, typically for $40 each, on a website maintained by Blackshades. After purchasing a copy of the RAT, a user had to install the RAT on a victim’s computer—i.e., “infect” a victim’s computer. The infection of a victim’s computer could be accomplished in several ways, including by tricking victims into clicking on malicious links or by hiring others to install the RAT on victims’ computers.

The RAT contained tools known as “spreaders” that helped users of the RAT maximize the number of infections. The spreader tools generally worked by using computers that had already been infected to help spread the RAT further to other computers. For instance, to lure additional victims to click on malicious links that would install the RAT on their computers, the RAT allowed cybercriminals to send those malicious links to others via the initial victim’s social media service, making it appear as if the message had come from the initial victim. For example, a RAT user could send an instant message, or IM, to potential victims that appeared to come from the initial victim, inviting them to click on a link that appeared to lead to a legitimate website, but would instead install the RAT on the potential victim’s computer.

YÜCEL co-created the Blackshades RAT with Michael Hogue and operated the Blackshades organization with the help of several employees whom YÜCEL paid to advertise the RAT on various Internet forums and to provide customer support. The RAT was purchased by several thousand users in more than 100 countries and used to infect more than half a million computers worldwide. Blackshades generated sales of more than $350,000 between September 2010 and April 2014.

* * *

YÜCEL, 24, a Swedish national, was arrested in Moldova in November 2013. He was the first defendant ever to be extradited from Moldova to the United States. In addition to the prison term, YÜCEL was sentenced to three years’ supervised release, and forfeiture of $200,000 and the computer equipment used.

Brendan Johnston, an administrator for the Blackshades organization, pled guilty in November 2014, before U.S. District Judge Jesse M. Furman to conspiracy to commit computer hacking. On June 19, 2015, Johnston was sentenced to one year and one day in prison.

Marlen Rappa, a customer of Blackshades who purchased the RAT and used it to infect victims’ computers, spy on those victims using their web cameras, and steal personal files from their computers, pled guilty in October 2014, before U.S. District Judge Valerie E. Caproni. On April 22, 2015, Rappa was sentenced to one year and one day in prison.

Kyle Fedorek, a customer of Blackshades who purchased the RAT and used it to steal financial and other account information from more than 400 victims, pled guilty in August 2014 before U.S. Magistrate Judge Gabriel W. Gorenstein. On February 19, 2015, Fedorek was sentenced to two years in prison.

Michael Hogue, the co-creator of the RAT, pled guilty before Judge Castel in January 2013, and is awaiting sentencing.

Mr. Bharara praised the outstanding investigative work of the Federal Bureau of Investigation.

The case is being prosecuted by the Office’s Complex Frauds and Cybercrime Unit. Assistant U.S. Attorneys Sarah Lai and Daniel Noble are in charge of the prosecution.