Russian Citadel Malware Developer Gets 5-Year Sentence

Notorious Banking Trojan Tied to 11 Million Infections, $500 Million in Losses
Citadel bot-building screen. (Source: Malwarebytes)

A Russian citizen was sentenced Wednesday in Georgia federal court to serve five years in prison after he pleaded guilty to helping develop and distribute the notorious banking Trojan called Citadel.

Mark Vartanyan, aka "Kolypto," pleaded guilty March 20 to one count of computer fraud, for which he had faced up to 10 years imprisonment.

Prosecutor Steven Grimberg told the court Wednesday at Vartanyan's sentencing hearing that the defendant had shown remorse and cooperated with the FBI and Justice Department, Associated Press reports. It notes that Vartanyan will get credit for time served, which includes two years spent in a Norwegian prison.

Vartanyan was extradited from Norway to the United States in December 2016, when he was 28 years old.

While Vartanyan admitted to providing software development expertise to help refine Citadel, it's not clear if he was a major player in the cybercrime ring behind the malware.

Major Losses Tied to Citadel

Citadel - a variant of the notorious Zeus banking Trojan - first appeared for sale in 2012 on underground cybercrime marketplaces. It was offered as a malware-as-a-service product to which users subscribed.

The Justice Department has tied Citadel botnets to infections of 11 million PCs worldwide that caused more than $500 million in fraud.

The malware was used to steal funds from a number of financial services firms, including American Express, Bank of America, HSBC, PayPal, Royal Bank of Canada and Wells Fargo. But it was programmed to avoid infecting institutions in Ukraine or Russia, in what was a likely sign that its developers wanted to avoid angering authorities in those countries (see Russian Cybercrime Rule No. 1: Don't Hack Russians).

Citadel, run by a controller who used the alias "Aquabox," appeared to be based in Eastern Europe, according to Microsoft. Aquabox was assisted by an estimated 81 lieutenants - or botnet herders - who helped develop, distribute, update and sell the malware.

In 2013, the FBI, working with Microsoft, disrupted more than 1,000 Citadel botnets. Microsoft said 455 of those botnets were hosted in 40 U.S.-based data centers, while the rest were distributed across dozens of overseas countries.

From Ukraine to Norway

It's unclear when in the course of its Citadel investigation the FBI identified Vartanyan.

Mark Vartanyan. (Source: Facebook profile photograph)

In 2012, Vartanyan began working as a software engineer for a mobile healthcare data company called Dignio, based in Fredrikstad, Norway, and relocated from Ukraine to Norway in 2014 at the request of his employer, Norway Today reported. In interviews, Dignio lauded the programming work that Vartanyan did, while the Russian called it a "dream job."

In October 2014, however, Vartanyan was arrested by Norway's National Criminal Investigation Service, commonly known as Kripos, at the FBI's request, after he was indicted in U.S. federal court in Georgia on suspicion of helping to develop or sell Citadel. Based on the charges originally filed against him, he faced up to 75 years in U.S. prison.

Present at Vartanyan's 2014 interrogation was FBI cyber special agent Mark C. Ray, who had traveled to Fredrikstad, Norwegian newspaper Verdens Gang reported. According to news reports, the FBI had previously attempted to visit Vartanyan at his prior address in Ukraine, but had not been able to find him.

After his arrest in Norway, Vartanyan denied any wrongdoing and fought the extradition request. After two years, however, Norway's Court of Appeal upheld the extradition request.

The court's decision was condemned by Moscow. Russian Foreign Ministry spokeswoman Maria Zakharova labeled the charges as being "politically motivated" and claimed it was "part of the worldwide hunting for Russian citizens by American secret services and has nothing to do with ... justice."

Citadel Support Request to Aquabox

According to evidence presented at the extradition hearings in Norway, the FBI identified Vartanyan as part of a fake tech-support service. In June 2012, working undercover, an FBI agent obtained two versions of Citadel from an underground seller using the handle "Aquabox," and then filed a bug report - over fake problems - with the seller, who then requested that the problems be documented in screenshots and uploaded to the file-sharing site, the Norwegian Broadcasting Corporation, aka NRK, reported.

From August 2012 to January 2013, the FBI tracked 48 file uploads to SendSpace from the suspect's IP address, including Citadel updates as well as a "" that included purported fixes for the errors identified by the undercover FBI agent, NRK reported.

In interviews with Norwegian media outlets, Vartanyan claimed that his PC must have been infected by Citadel malware and the IP address hijacked by criminals.

Another Russian Also Sentenced Over Citadel

In addition to the charges against Vartanyan, authorities filed similar charges against another Russian citizen, Dimitry Belorossov, a.k.a. Rainerfox, who was arrested in Spain, at the FBI's request, and then extradited to the United States.

In July 2014, at the age of 22, he pleaded guilty to running a Citadel botnet beginning in 2012, and having infected 7,000 PCs with the malware. In September 2015, he was sentenced to serve four years and six months in prison and pay $322,409 in restitution, followed by three years of parole.

Authorities appear to have tracked St. Petersburg, Russia-based Belorossov thanks to his participation in an online, Russian-language Citadel user group called In the online forum, "Belorossov discussed his Citadel botnet and recommended improvements to the Citadel malware," according to the U.S. Attorney's Office. "In addition to operating a Citadel botnet, Belorossov also provided online assistance with the goal of developing suggested improvements to Citadel, including posting comments on criminal forums on the internet and electronically communicating with other cybercriminals via email and instant messaging."

It's not clear if authorities have identified - or know the precise location of - the individual known as Aquabox.

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
