"As opposed to arresting the guy who broke into your home, we've arrested the guy that gave him the crowbar, the map, and the best houses in the neighborhood. And that is a huge break in the investigation of cyber crimes," said Jeffrey Troy, deputy assistant director for the FBI's cyber division, in a statement.
Over the course of two years, the FBI has been working with authorities in both Slovenia and Spain. That collaboration likewise led to the arrest earlier this year of three suspected Mariposa botnet operators, responsible for renting the botnet to customers in different countries, with the largest uptake occurring in Spain. The suspects have been named by authorities only by their handles: "Netkairo," "Jonyloleante," and "Ostiator." All three are currently being prosecuted in Spain.
Mariposa, which was active from 2008 until earlier this year, when it was finally shut down, stole website passwords and financial information, including people's credit card and bank account data, and also served as a platform for launching denial-of-service and malware attacks. Security experts say that as many as 13 million PCs may have been infected by the botnet.
According to Panda Security in Spain which, together with Canada's Defence Intelligence, helped investigators uncover the identities of Mariposa's creator and operators, Mariposa sold online for between $650 and $2,000. Attackers used it to create almost 10,000 unique pieces of malicious software and over 700 separate botnets, ultimately stealing financial data from people in more than 200 countries.
Successful financial botnets, such as Zeus, often seem to feature a clear division of labor between the software's authors, who focus on refining the toolkit; the distributors, who rent it out; and the buyers, who actually use it to launch attacks.
"What's exciting about these arrests is that it's the first time that the authors have been targeted. Typically, the operators of the botnets are caught, but it's extremely rare to have caught the author of the build kit behind the botnet," said Christopher Davis, CEO of Defence Intelligence, in a statement.