The age of criminal impunity might finally be coming to an end

Discount yesterday’s dramatic disruption of the Gameover Zeus botnet and CryptoLocker ransom malware; the real story is that the FBI has decided to name the Russian man, Evgeniy Bogachev, whom they believe masterminded what is undoubtedly the most important malware system in the world.

If simply naming a suspect doesn’t sound important, readjust your world view.  Complex malware has run riot over the last decade, reaping billions in easy money for its perpetrators, and yet even security experts would be hard put to name a single criminal responsible for any of this that has been put behind bars. These people have been the mystery at the heart of the malware boom.


That’s still the case - Bogachev and a number of other individuals named by the FBI as being part of his gang remain on the run, and even if they are caught and handed over (unlikely, given Russia’s almost geo-political decision to leave criminals alone on the basis that they largely attack Westerners) there’s the small matter of a trial and due process; they remain accused, we should point out, rather than guilty. But the last few months still mark an important and probably historic change in the way these crimes are approached by the authorities. The tactic is simple - find out who they are and arrest them, failing which name them so everyone knows who they are. In short, make their lives more difficult.

A sign that a change was afoot came with last December’s sudden unplugging of the successful and dangerous Blackhole Exploit Kit after the arrest (unusually by Russian police) of its alleged creator, still known only as ‘Paunch’. Western agencies had been after this guy for at least two years and may have played a role in his apprehension.

It continued in January after the FBI named the alleged teenage Russian author of the BlackPOS malware later used by others in the huge Target data breach. In February came news of the arrest of alleged SpyEye author Aleksandr Panin the previous summer while taking a break in the Dominican Republic, not long after which we learned that fellow Russian citizen Farid Essebar (‘Diabl0’), creator of Zotob, had been arrested in Bangkok.

The authorities were even able to grab the man accused of being behind the infamous Guccifer hacks on celebrities after tracking him to a small town in Romania.

The pièce de résistance was probably May's ostentatious decision by US prosecutors to release the names and pictures of five Chinese men they accuse of being involved with the world-famous espionage unit, PLA 61398, aka Comment Crew, in stealing IP from US companies. What was so surprising about this? All five are apparently full-time members of the Chinese Army, which made it an extraordinary moment: it broke diplomatic etiquette over the naming of espionage suspects.

The policy of going after the people who make and use malware sounds obvious in the context of conventional crimes such as burglary, extortion, violence and theft, but it has taken years for it to emerge as the policing model for cybercrime. A major issue was the difficulty of tracking cybercriminals across national borders, a 20th Century obstacle that is now gradually being hurdled. Police forces around the world have grasped that cybercrime is a global industry rather than a national one and must be tackled as such.

A major obstacle remains the attitude of Russia, not coincidentally where a disproportionate number of the most active and talented malware creators seem to reside. But the parade of faces and names is a start. Not before time, the FBI is making the point that malware is the handiwork of a relatively small number of real criminals who are just as vulnerable to capture as any other law-breaker.

US and UK police rather optimistically believe Gameover Zeus has been disrupted for a fortnight; putting its makers behind bars, if that ever happens, might get rid of it forever.