Ukrainian hacker and cyber crime ring-leader Vyacheslav Igorevich Penchukov has been sentenced to nine years in prison for his role in two notorious malware schemes.

Penchukov, who was known in criminal circles by the pseudonym Tank, famously co-headed hacking group Zeus before later joining another lucrative malware operation, IcedID.

After sitting on the Federal Bureau of Investigation’s (FBI) ‘most wanted’ cyber list for more than a decade, Penchukov has been handed two concurrent nine-year sentences by a US federal court in Lincoln, Nebraska.

The 38-year-old hacker pleaded guilty to one count of conspiracy to commit a racketeer influenced and corrupt organisations (RICO) act offence, and one count of conspiracy to commit wire fraud.

According to early court documents, Penchukov refused the opportunity to go to trial and willingly acknowledged he might need to forfeit the proceeds of his illegal actions – initially estimated at up to $103.5 million ($US70 million).

“I understand this, but I don't have such amounts of money,” he said.

On Thursday, District Judge John Gerrard ordered Penchukov to pay more than $108 million ($US73 million) in restitution and forfeited funds for his crimes, before handing him a further three years of supervised release for each count.

Cyber security’s ‘catch me if you can’

Earlier this year, Penchukov admitted to holding a “leadership role” in the Zeus malware group since 2009, but it took more than a decade of cat-and-mouse with law enforcement to arrive at this point.

As reported by Wired, Zeus’ flagship malware first appeared in late 2006 and made use of keylogger programs to covertly steal people’s banking login information as they typed.

Where Zeus stood out from other keyloggers was in its criminal business model, which saw members log into compromised bank accounts to fraudulently send money to decentralised people acting as “money mules”, who would then cash out the funds.

“These mules received [the payments] in their own accounts, and then wired that money to overseas accounts controlled by [the] defendant's co-conspirators,” court documents read.

Operating as Tank, Penchukov effectively co-headed the “wide-ranging racketeering enterprise” to infect “thousands of business computers” and syphon tens of millions of dollars across small businesses in the US and Europe, according to the US Justice Department.



By 2009 – when the FBI started investigating Zeus – the operation had become much more sophisticated, with its leaders setting up instant messaging alerts to quickly notify members when a new victim had been compromised.

These messages, however, led to Penchukov’s first run-in with the FBI, who seized and analysed them to identify him and other members.

One message from Tank exposed his daughter’s date of birth, name, and birth weight, which law enforcement traced to birth records to ultimately find a paternal connection with Penchukov.

A raid of his Donetsk apartment was conducted in 2010, but FBI and Ukrainian officials arrived at an empty property – Penchukov had been tipped off.

MIT Technology Review reports that agents suspected “Ukrainian corruption” after the failed raid, detailing a wealthy “family connection” to high-level Ukrainian officials which offered Penchukov both protection and resources.

Notably, Penchukov continued a “very public” side hustle as “DJ Slava Rich” in the years to follow, confidently playing DJ sets at clubs while in the sights of law enforcement.

While he was publicly named in a February 2012 indictment alongside other Zeus members, by 2015 he had changed his name to Vyacheslav Igoravich Andreev.

It wasn’t until late 2022 that Penchukov was reportedly arrested in Geneva, Switzerland while travelling to meet his wife.

By February 2024 he had pleaded guilty to multiple charges, admitted to his role in Zeus, and further conceded a similar leadership role at IcedID — a malware group which is believed to have yielded $29.4 million ($US19.9 million) in 2021 alone.

Penchukov was initially scheduled to be sentenced on 9 May while facing a maximum penalty of 20 years in prison for each guilty count, though court documents reveal the US government requested a less severe sentence after Penchukov signed a plea agreement in February.

The conditions of this plea deal are unclear; however, law enforcement initiatives such as Operation Endgame are actively seeking information regarding members from IcedID and other hacking groups.