Jabber Zeus was a cybercriminal syndicate and associated Trojan horse created and run by hackers and money launderers based in Russia, the United Kingdom, and Ukraine.[1][19]
The Jabber Zeus crew operated by distributing the namesake malware, usually via spam emails,[20] installing it onto victims' computers, and then using it to gain access to their bank accounts.[25]
The malware also had other unique capabilities, including a domain generation algorithm to resist shutdown attempts, regular expression support, and the ability to infect files.[29]
On July 2, 2009, the Washington Post published a story by Brian Krebs describing the Jabber Zeus crew's theft of $415,000 from the government of Bullitt County, Kentucky.[30]
Shortly after, Krebs was contacted by an individual who had hacked into the crew's Jabber instant message server and was able to read private chats between them.
On December 13, 2009, the crew discovered that Krebs had been let go by the Washington Post before this information became public, and celebrated the event, with a money mule recruiter hoping for an eventual confirmation of the rumor: "Good news expected exactly by the New Year!"[15]
In September 2009, the Federal Bureau of Investigation (FBI) obtained a search warrant for a server in New York that was suspected of being tied to the Jabber Zeus enterprise.[12]
Penchukov was identified around this time; he had sent a message on July 22 containing his newborn daughter's name and weight, which was correlated with Ukrainian birth records.[15]
In April 2010, the crew became aware that they were being monitored, possibly tipped off by a corrupt SBU agent, but continued to send messages using the compromised server for a time.
The operation was mainly coordinated in June 2010, at a house owned by SBU director Valeriy Khoroshkovskyi, with the agencies planning to arrest the suspects on September 29 of that year.
Penchukov, leveraging his connections with Ukrainian president Viktor Yanukovych and local authorities in his hometown of Donetsk, managed to get the charges against himself dropped.[33]
Bogachev was identified in 2014, after a source pointed investigators working for Fox-IT, a security research company, to one of his email addresses.