Dutch authorities say more arrests related to the Bredolab botnet may occur as investigators continue to examine the business arrangements behind the cybercrime operation.
One arrest was made on Tuesday by Armenian police of a 27-year-old man accused of being the mastermind behind Bredolab, which included as many as 29 million compromised computers worldwide. The man, who was not identified, was nabbed after returning from Moscow to Armenia's capital, Yerevan. Security experts say the man rented out time on his botnet to other cybercrime players.
"We are also investigating the customers of the Armenian suspect to see if we can identify some other cybercriminals," said Wim De Bruin, spokesman for the Public Prosecution Service in Rotterdam.
Dutch officials want to prosecute the man, who claims to have both Russian and Armenian citizenship, De Bruin said. Several international treaties make it possible for the man to be prosecuted in the Netherlands, and Dutch officials are waiting for a decision by the Armenian government.
Officials at Armenia's Prosecutor's General Office could not be reached on Wednesday.
If the man is extradited, he will face criminal hacking charges for allegedly running Bredolab, launching a distributed denial-of-service attack and money laundering, De Bruin said. He could face between four to six years in prison.
The arrest followed a unique sting action on Monday by the Dutch High Tech Crime Team, the Dutch Forensic Institute, Govcert, the Dutch computer emergency response team, and the security vendor Fox IT.
The group took control of 143 servers used to manage Bredolab, which were rented from the hosting company LeaseWeb. People whose computers were infected with Bredolab were sent a message that their PC needed to be scanned, and the command-and-control servers were cut off from the Internet.
The Armenian man is then suspected of launching a denial-of-service attack against investigators when he realized he'd lost control of Bredolab. The Bredolab program can be used to spy on people's computers, collect passwords and online banking details and upload other malware to the computer.
Computers infected with Bredolab were instructed to seek out passwords for Web servers. If a password was found, Bredolab's controller would install the malware on the Web page, said Ronald Prins, founder of Fox IT, who helped with the takedown. Users with unpatched software who viewed the page would be infected with Bredolab, enlarging the botnet.