The U.S. has re-opened sealed indictment charges against Škorjanc, issuing an international arrest warrant which led to his detention by law enforcement in Germany.
BillyReport 2 Oct 2019
The United States has re-indicted the convicted author of the Mariposa Botnet and Chief Technical Officer of Darkode Cybercrime forum NiceHash, Matjaž “Iserdo” Škorjanc. This was executed via an extradition order issued by the U.S. after an international arrest warrant was executed for his arrest. German police arrested Škorjanc last week.
In December of 2013, Škorjanc was charged and sentenced in Slovenia to four years of imprisonment for being responsible for the creation of the malicious software that served the infamous Mariposa botnet.
Identified in 2008, the Mariposa botnet was a dominant crime machine, described as one of the biggest botnets created, infecting more than a million compromised computer systems. It operated with a plug-and-play system that gave even novices access to harvested data from thousands of vulnerable PCs and let them stage multiple debilitating attacks on various websites, for as little as $500 and ranging up to $2,000 USD.
Škorjanc and two other men believed to have been co-creators of the Mariposa Botnet were indicted by the Department of Justice (DOJ) in 2011, an indictment that carried on until it was unsealed again in June of this year, with a fourth conspirator, for allegedly promoting the Mariposa botnet online as well as managing the Darkode forum.
Škorjanc has been shrouded in controversy since his four-year sentencing in 2013, and in 2017 his company NiceHash, in Slovenia, lost 4,465 Bitcoins, close to $52 million USD in value, under suspicious circumstances. He stated strongly that he had no part in the disappearance of the Bitcoins.
NiceHash posted on its homepage after the theft:
“Your bitcoins were stolen and we are working with international law enforcement agencies to identify the attackers and recover the stolen funds. We understand it may take some time and we are working on a solution for all users that were affected.”
They offered BTC rewards for promising leads on the case. Law enforcement in the country has yet to make any headway on the whereabouts of the lost proceeds, but is still investigating the theft.
At this time, only one of the indicted four is based in the United States: another administrator of the Darkode forum, Thomas K. McCormick, who used the moniker “Fubar”. He is accused of creating the botnet “Ngrbot” and attempting to market it, and in some cases selling variations of the Mariposa Botnet as well as the ZeuS banking malware. Criminal patrons would use the malware to steal user passwords and credit cards, appropriate victim search results and sometimes even heavily spam email accounts. He was arrested and charged in December of last year.
A search warrant was executed for McCormick’s dorm room at the University of Massachusetts in December of 2013, and there police found several removable drives with the data of tens of thousands of stolen credit card records. He confessed that he was indeed “Fubar” on Darkode, but insisted he had left the forum some years back and had no ties or relationship with it as of 2013. He concluded that in that time, he had interned at Microsoft multiple times and Cisco once.
Information suggests that he shared sensitive information concerning his dealings with other cybercriminals online and revealed his relationship with KrebsOnSecurity and the data he often passed on to management of the website. A memo prepared by the FBI quotes him as stating:
“TM had found the email address of the Spyeye author in an old fake antivirus affiliate program database and that TM was able to find the true name of the Spyeye author from searching online for an individual that used the email address. TM passed this information on to Brian Krebs.”
Management of KrebsOnSecurity have shared that they indeed had a working relationship with McCormick, stressing that in multiple instances he would share information with a member of the team about his privileged access to Škorjanc, at times disclosing information about impending upgrades and features exclusive to the ZeuS trojan. Brian Krebs of KrebsOnSecurity said:
“Every so often, I would reach out to Fubar to see if he could convince one of his forum members to call off an attack against KrebsOnSecurity.com, an activity that had become something of a rite of passage for new Darkode members.”
It is unclear at this time when a date will be set for trial.