Eight years after US law enforcement opened its first case into the operations of the Mariposa (Butterfly Bot, BFBOT) malware gang, officials are now moving forward with new charges and arrest warrants against four suspects.
The original case started way back in May 2011, when US officials first filed a complaint against three European hackers. The investigation into this group’s operations unearthed a cyber-crime empire and eventually led to the takedown of the infamous Darkode hacking forum, a famous meeting place for high-end hackers.
Last week, US officials unsealed new documents in this investigation, including charges against a fourth, US-based hacker.
The four suspects now are:
- Matjaz Skorjanc, aka iserdo aka serdo, 32, of Maribor, Slovenia;
- Florencio Carro Ruiz, aka NeTK aka Netkairo, 40, of Vizcaya, Spain;
- Mentor Leniqi, aka Iceman, 35, of Gurisnica, Slovenia;
- Thomas McCormick, aka fubar, 26, of Washington state, in the United States.
According to new court documents obtained by ZDNet, the four are charged with creating and running the Mariposa malware (referred to as the Butterfly Bot or BFBOT in court documents; “mariposa” meaning “butterfly” in Spanish).
More specifically, US officials say Skorjanc created the malware and then partnered with Ruiz and Leniqi to advertise it on Darkode, a hacking forum that Skorjanc helped create and manage.
US officials say the three put the malware up for sale on Darkode for a price of €350 starting in 2008. According to its ad, the malware could self-propagate to other computers once it infected a victim, could steal banking credentials, and could carry out DDoS attacks.
Skorjanc was the malware’s author, but Ruiz and Leniqi provided customer support and assistance.
McCormick was a Darkode user who bought and later resold the Mariposa bot as an affiliate. He also sold copies of the Zeus banking trojan, and also worked as a “sales manager” for another malware strain named ngrBot, created by two other unnamed suspects.
The four not only sold copies of the Mariposa bot, but they also actively infected victims and sold access to the infected hosts in “pay-per-install” schemes that let other cyber-criminals install additional malware on these systems, such as ransomware or banking trojans.
Mariposa and Darkode takedown
In the short span of only two years, Mariposa became one of the largest botnets in existence, infecting over one million computers.
The botnet grew too large to be ignored, and was more aggressive than most because of its self-propagating features. Spanish police, working with the FBI, shut down the Mariposa botnet in 2010.
The takedown was coordinated with arrests: Spanish authorities arrested Ruiz and two other co-conspirators, while Slovenian police arrested Skorjanc and his girlfriend.
Skorjanc received a prison sentence of four years and ten months in December 2013 and was released from prison by Slovenian authorities last year.
However, the investigation into Mariposa's operations also pointed authorities towards the place it was being sold, the Darkode hacking forum.
Even to this day, the name Darkode maintains its reputation as being one of the web’s most notorious hacking forums. The forum had no more than 300 users, but they were all high-end hackers, such as the creator of the Dendroid malware, the creator of the GovRAT malware (also known as BestBuy or Popopret), the author of the SpyEYE malware, Lizard Squad members, and various spammer groups.
The reasons why US officials kept charges against Skorjanc, Ruiz, Leniqi, and McCormick sealed until 2019 are unclear. It may be that they wanted to wait for Skorjanc to serve his prison sentence in Slovenia.
It may also be that they wanted to incorporate the data from the Darkode seizure into their case, which it appears they did. The new court documents are brimming with citations to private messages the four exchanged on the Darkode forum, none of which were included in the original 2011 complaint.
While McCormick is already in US custody, having been arrested in December 2018, Skorjanc, Leniqi, and Ruiz still remain at large.