'Happy hacker' arrest: Did police just nab a cyber crime 'botmaster'?

An Algerian arrested at an airport in Thailand this week has defrauded 217 banks worldwide of tens of millions of dollars, Thai officials charge. They also say the FBI has been hunting him for three years.

Pornchai Kittiwongsakul/AFP/Getty Images
Hamza Bendelladj of Algeria (c.), is escorted by Thai police officers during a press conference at the Immigration Police Bureau in Bangkok, Thailand, Monday. Bendelladj, whom news reports call the 'happy hacker' for his post-arrest sunbeam-bright smile, has defrauded 217 banks worldwide of tens of millions of dollars, Thai officials charge.

American and Thai authorities may well have jointly scooped up one of the world's top 20 bank-hacking criminal masterminds, someone who is part of a global cyber-conspiracy to commit bank fraud to the tune of $100 million. Or, the man arrested in Bangkok on Sunday may simply be a happy-go-lucky guy with a bunch of computer equipment and an odd sense of humor.

How else to explain the capture of the quirky Hamza Bendelladj, whom news reports call the "happy hacker" for his post-arrest sunbeam-bright smile, seeming almost pleased to be in custody?

Whether walking handcuffed with police through the Bangkok airport where he was captured or sitting later at a police press conference, the 24-year-old Algerian – characterized by Thai police as a cyber bank robber who defrauded hundreds of banks of millions of dollars through online fraud – kept right on grinning.

Mr. Bendelladj only smiled when Thai police alleged he had infiltrated the computer networks of 217 banks – and then stolen tens of millions of dollars. The "tools of his trade," police officials claimed during the press conference, lay on a table in front of him: two laptop computers, a satellite phone, external hard drives, and other equipment.

Authorities also allege that Bendelladj's chief tool was a nasty piece of malicious software – a criminal banking trojan program called SpyEye. Used in conjunction with phony Web pages, SpyEye was deposited on the computers of unwary visitors to those websites from December 2009 to September 2011, according to a report in the Nation, a Bangkok news website. After credentials were harvested, Bendelladj could invade a bank account and drain it, authorities allege.

"With just one transaction, he could earn 10 to 20 million dollars," police Lt. Gen. Phanu Kerdlabphol told reporters, as Bendelladj sat, beaming, beside him. "He's been traveling the world flying first-class and living a life of luxury."

Bendelladj, who reportedly earned a computer science degree at a university in Algeria in 2008, has denied that he used the money for personal expenses and travel and said he was not connected to any cybercrime syndicate, the Nation reported.

He also denied Thai officials' claims that he was on the FBI's Ten Most Wanted list. (Indeed, he is not.)

"I'm not in the top 10, maybe just 20th or 50th," Bendelladj said with a laugh. "I am not a terrorist."

Still, Bendelladj now sits in a Thai jail awaiting extradition to the United States. The Federal Bureau of Investigation, through its offices in Georgia, has been pursuing him for three years, Thai police said. The FBI tipped off Thai police about Bendelladj's visit, so that they could arrest him at Bangkok’s Suvarnabhumi airport, where he was awaiting a connecting flight to Cairo after arriving from Malaysia, Immigration Police Deputy Chief Preecha Thimamontri said at the press conference.

The FBI has not released any information about Bendelladj's alleged criminal activities. "We are not in a position to comment because it's part of an ongoing investigation," an FBI spokesman told the Monitor. The case, she said, is being handled by the FBI's office in Georgia's Northern district.

Even so, emerging clues suggest that the FBI may have helped nab one of the world's top 20 bank-hacking criminal masterminds – part of an ongoing global conspiracy that has stolen more than $100 million over the past six years.

Bendelladj's possible role in the fraud has been explored by Brian Krebs, a respected cybersecurity blogger in the US. He says Bendelladj "fits the profile" of a hacker nicknamed “bx1,” with whom he communicated online in 2011. Mr. Krebs was startled to discover that the hacker he knew through online messaging appears to have the same contact information as an anonymous "John Doe" identified by Microsoft, in legal papers filed last March, as an operator of botnets powered by the ZeuS and SpyEye banking trojans.

Krebs said someone using the e-mail address daniel.h.b@universityofsutton.com contacted him via Microsoft’s MSN instant message service. That account used the alias “Daniel,” as well as the nickname bx1. Krebs also has photo identification cards, leaked onto the Internet last fall, that include the name Hamza “Daniel” Bendelladj and a picture that bears a striking resemblance to the "happy hacker" arrested in Thailand.

"I didn’t fully appreciate why I found this case so interesting until I started searching the Internet and my own servers for his e-mail address," Krebs wrote on his blog Thursday. "Turns out that in 2011, I was contacted via instant message by a hacker who said he was operating botnets using the Zeus and SpyEye Trojans. This individual reached out to me repeatedly over the next year, for no apparent reason except to brag about his exploits."

Of course, Krebs's digital bread crumbs are not conclusive in tying Bendelladj to a global bank-fraud conspiracy. Still, a former federal investigator who spent years tracking bank-robbing cyber criminals says Bendelladj's Mideast connections, educational background, and travel patterns are noteworthy.

"Based on what I've seen in news reports so far, this guy fits a profile of being the kind of typical hacker being bred in that region of the world," says Jason Smolanoff, a cyber investigator with the FBI for 12 years until 2011 and now a vice president with Stroz Friedberg. a global risk management firm.

Mr. Smolanoff spent most of his years at the FBI tracking cyber fraudsters who used Zeus and other malware to drain bank accounts. The preliminary reports coming out of Bangkok about Bendelladj are reminiscent, he says, of an FBI sting in which he participated, Operation Physh Phry (because it was a phishing scam that used fake e-mail to help defraud the unwary).

In October 2009, he says, the FBI's Physh Phry operation ended with charges against more than 50 individuals in the US and nearly 50 Egyptian citizens, with charges including computer fraud, conspiracy to commit bank fraud, money laundering, and aggravated identity theft.

"In Egypt, at the time, this type of thing was an easy way to make money with what they thought was really low risk," he says. "It's still a prevalent problem in Egypt and across northern Africa. The Thai police say he got into 217 banks. This guy could have been doing small transactions across multiple banks to avoid getting caught – and still have stolen millions."
