
Jabber Zeus

Also known as: Jabber Zeus

Jabber Zeus was a cybercriminal syndicate active primarily from 2009 to 2010 and associated with a Zeus Trojan variant of the same name, also tracked as ZeuS 2.1.0.X. It is described as the second main iteration of the Zeus malware enterprise, succeeding the original Zeus kit and preceding Gameover Zeus. The group was composed of hackers and money launderers based in Russia, Ukraine, and the United Kingdom, with leadership activity tied to eastern Ukraine around Donetsk. The syndicate referred to itself as the "business club."

The syndicate primarily targeted small and mid-sized businesses. Spam-delivered malware stole online-banking credentials, account numbers, passwords, PINs, and one-time passcodes. What set this variant apart was its exfiltration channel: stolen data and alerts were pushed to the operators in real time over Jabber (XMPP) rather than waiting for the bot to upload its logs. Real-time delivery is what made stolen one-time passcodes usable, since a passcode is only valid for a short window and the operator had to receive it while the victim's banking session was still open. Jabber Zeus then used social engineering and a large money mule network to move stolen funds through U.S. and overseas accounts; open-source reporting attributes at least $70 million to $80 million in thefts to the group, and the true total is likely higher.

Key members identified in reporting:

  • Vyacheslav Igorevich Penchukov (aka "tank" or "The Tank"), described as managing the overall scheme in Ukraine and as second in command to Slavik.
  • Ivan Viktorvich Klepikov (aka "petr0vich"), who managed IT administration, web hosting, and domain names.
  • Alexey Bron (aka "thehead"), who specialized in moving money internationally.
  • Maksim Yakubets, who managed and recruited money mules.
  • Yevhen Kulibaba, Yuriy Konovalenko, and Alexey Tikonov.
  • "MrICQ," identified in reporting as Yuriy Igorevich Rybtsov and described as a developer who handled notifications of newly compromised organizations and laundered proceeds.

Reporting also states that Evgeniy Bogachev, the "Slavik" named above, was the primary developer of Jabber Zeus and of the original Zeus kit.

Operationally, investigators obtained a server in New York in 2009 that contained extensive Russian- and Ukrainian-language Jabber chat logs, exposing victim references, stolen credentials, operational details, and the structure of the money mule network. The group used thousands of money mules across multiple countries, including the United States, Romania, the Czech Republic, the United Kingdom, Ukraine, and Russia.

The malware was later enhanced with a domain generation algorithm for locating its command-and-control infrastructure, regular expression support, file infection capability, and encrypted distribution. In this later form it was also tracked under the names Licat and Murofet.

Law enforcement disruption culminated in Operation Trident Breach, a joint effort involving U.S. and international partners, which led to dozens of arrests and raids in 2010, including actions in Donetsk. The network was disrupted but not dismantled: the Zeus creator "Slavik" was neither identified nor arrested at the time, and the group later re-emerged as Gameover Zeus. Some Jabber Zeus members later went on to form Evil Corp.
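The real-time Jabber channel is the part of this tradecraft that is observable on a victim network: a workstation that has just opened a banking session should not, seconds later, open an XMPP connection to a server nobody approved. The block below is an added example, not code from this page or from any party it describes, showing that correlation as a Python detector over a constructed, simplified connection log. The tab-separated field layout, the banking hostnames, the approved chat servers, and the five-minute window are all assumptions chosen for illustration.

```python
"""Flag outbound XMPP from hosts that just opened a banking session.

Added example; assumes a simplified, constructed connection log with the
fields ts, src, dst, dport, service, sni (one connection per line).
"""
from collections import defaultdict
from dataclasses import dataclass

XMPP_PORTS = {5222, 5223}              # client-to-server XMPP (plain / legacy TLS)
APPROVED_XMPP = {"chat.corp.example"}  # hypothetical corporate chat server (assumption)
APPROVED_XMPP_IPS = {"192.0.2.5"}      # its address, for connections without SNI (assumption)
BANK_HOSTS = {"online.examplebank.test"}  # hypothetical banking SNI names (assumption)
WINDOW = 300                           # seconds after a banking session to watch (assumption)

# Constructed sample log: ts, src, dst, dport, service, sni
SAMPLE_LOG = """\
1263000000.1\t10.1.2.33\t203.0.113.10\t443\tssl\tonline.examplebank.test
1263000045.7\t10.1.2.33\t198.51.100.7\t5222\txmpp\t-
1263000100.0\t10.1.2.40\t192.0.2.5\t5222\txmpp\tchat.corp.example
1263000200.0\t10.1.2.51\t198.51.100.9\t5223\tssl\t-
"""


@dataclass(frozen=True)
class Conn:
    ts: float
    src: str
    dst: str
    dport: int
    service: str
    sni: str


def parse_log(text):
    """Parse the simplified log into Conn records, skipping blanks and comments."""
    conns = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, service, sni = line.split("\t")
        conns.append(Conn(float(ts), src, dst, int(dport), service, sni))
    return conns


def is_xmpp(c):
    # Match on port or on the protocol the sensor identified, so an XMPP
    # session on a non-standard port with a recognised service still counts.
    return c.dport in XMPP_PORTS or c.service == "xmpp"


def is_approved_xmpp(c):
    return c.sni in APPROVED_XMPP or c.dst in APPROVED_XMPP_IPS


def find_suspicious_xmpp(conns, window=WINDOW):
    """Return alerts for XMPP egress to unapproved servers.

    Severity is 'high' when the same source host reached a banking site
    within `window` seconds before the XMPP connection, 'medium' otherwise.
    """
    bank_sessions = defaultdict(list)
    for c in conns:
        if c.sni in BANK_HOSTS:
            bank_sessions[c.src].append(c.ts)

    alerts = []
    for c in sorted(conns, key=lambda c: c.ts):
        if not is_xmpp(c) or is_approved_xmpp(c):
            continue
        recent = [t for t in bank_sessions[c.src] if 0 <= c.ts - t <= window]
        alerts.append({
            "ts": c.ts,
            "host": c.src,
            "dst": c.dst,
            "dport": c.dport,
            "severity": "high" if recent else "medium",
            "reason": (f"XMPP to unapproved server {c.ts - max(recent):.1f}s "
                       "after a banking session") if recent
                      else "XMPP to unapproved server",
        })
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_xmpp(parse_log(SAMPLE_LOG)):
        print(a["severity"].upper(), a["host"], "->", f"{a['dst']}:{a['dport']}", a["reason"])
```

On the constructed log this raises a high-severity alert for 10.1.2.33 (XMPP to an unapproved server 45.6 seconds after reaching the banking host), nothing for 10.1.2.40 (approved corporate chat), and a medium-severity alert for 10.1.2.51 (unapproved XMPP on 5223 with no banking session in the window). In a real deployment the banking list and the window come from your own traffic baseline, and the medium-severity path doubles as an inventory of who on the network is talking XMPP at all.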

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Banks

Where they target

Geographies tied to known operations.

  • 🇺🇸 United States
  • 🇷🇴 Romania
  • 🇨🇿 Czechia
  • 🇬🇧 United Kingdom
  • 🇺🇦 Ukraine
  • 🇷🇺 Russia

Where they're from

Attributed origin per open-source reporting.

  • UA
  • RU

ARSENAL

Associated malware families

1 malware family attributed to this actor across reporting.
