Craig’s first major break in the case came in September 2009. With the help of some industry experts, he identified a New York–based server that seemed to play some sort of role in the Zeus network. He obtained a search warrant, and an FBI forensics team copied the server’s data onto a hard drive, then overnighted it to Nebraska. When an engineer in Omaha examined the results, he sat in awe for a moment. The hard drive contained tens of thousands of lines of instant message chat logs in Russian and Ukrainian. Looking over at Craig, the engineer said: “You have their Jabber server.”
This was the gang’s whole digital operation—a road map to the entire case. The cybersecurity firm Mandiant dispatched an engineer to Omaha for months just to help untangle the Jabber Zeus code, while the FBI began cycling in agents from other regions on 30- or 90-day assignments. Linguists across the country pitched in to decipher the logs. “The slang was a challenge,” Craig says.
One woman explained that she’d become a money mule after a job at a grocery store fell through, telling an agent: “I could strip, or I could do this.”
The messages contained references to hundreds of victims, their stolen credentials scattered in English throughout the files. Craig and other agents started cold-calling institutions, telling them they had been hit by cyberfraud. He found that several businesses had terminated employees they suspected of the thefts—not realizing that the individuals’ computers had been infected by malware and their logins stolen.
The case also expanded beyond the virtual world. In New York one day in 2009, three young women from Kazakhstan walked into the FBI field office there with a strange story. The women had come to the States to look for work and found themselves participating in a curious scheme: A man would drive them to a local bank and tell them to go inside and open a new account. They were to explain to the teller that they were students visiting for the summer. A few days later, the man had them return to the bank and withdraw all of the money in the account; they kept a small cut and passed the rest on to him. Agents pieced together that the women were “money mules”: Their job was to cash out the funds that Slavik and his comrades had siphoned from legitimate accounts.
By the summer of 2010, New York investigators had put banks across the region on alert for suspicious cash-outs and told them to summon FBI agents as they occurred. The alert turned up dozens of mules withdrawing tens of thousands of dollars. Most were students or newly arrived immigrants in Brighton Beach. One woman explained that she’d become a mule after a job at a grocery store fell through, telling an agent: “I could strip, or I could do this.” Another man explained that he’d be picked up at 9 am, do cash-out runs until 3 pm, and then spend the rest of the day at the beach. Most cash-outs ran around $9,000, just enough to stay under federal reporting limits. The mule would receive 5 to 10 percent of the total, with another cut going to the recruiter. The rest of the money would be sent overseas.
“The amount of organization these kids—they’re in their twenties—were able to pull together would’ve impressed any Fortune 100 company,” the FBI’s James Craig says.
The United States, moreover, was just one market in what investigators soon realized was a multinational reign of fraud. Officials traced similar mule routes in Romania, the Czech Republic, the United Kingdom, Ukraine, and Russia. All told, investigators could attribute around $70 million to $80 million in thefts to the group—but they suspected the total was far more than that.
Banks howled at the FBI to shut the fraud down and stanch the losses. Over the summer, New York agents began to close in on high-ranking recruiters and the scheme’s masterminds in the US. Two Moldovans were arrested at a Milwaukee hotel at 11 pm following a tip; one suspect in Boston tried to flee a raid on his girlfriend’s apartment and had to be rescued from the fire escape.
Meanwhile, Craig’s case in Omaha advanced against the broader Jabber Zeus gang. The FBI and the Justice Department had zeroed in on an area in eastern Ukraine around the city of Donetsk, where several of the Jabber Zeus leaders seemed to live. Alexey Bron, known online as “thehead,” specialized in moving the gang’s money around the world. Ivan Viktorvich Klepikov, who went by the moniker “petr0vich,” ran the group’s IT management, web hosting, and domain names. And Vyacheslav Igorevich Penchukov, a well-known local DJ who went by the nickname “tank,” managed the whole scheme, putting him second in command to Slavik. “The amount of organization these kids—they’re in their twenties—were able to pull together would’ve impressed any Fortune 100 company,” Craig says. The gang poured their huge profits into expensive cars (Penchukov had a penchant for high-end BMWs and Porsches, while Klepikov preferred Subaru WRX sports sedans), and the chat logs were filled with discussions of fancy vacations across Turkey, Crimea, and the United Arab Emirates.
By the fall of 2010, the FBI was ready to take down the network. As officials in Washington called a high-profile press conference, Craig found himself on a rickety 12-hour train ride across Ukraine to Donetsk, where he met up with agents from the country’s security service to raid tank’s and petr0vich’s homes. Standing in petr0vich’s living room, a Ukrainian agent told Craig to flash his FBI badge. “Show him it’s not just us,” he urged. Craig was stunned by the scene: The hacker, wearing a purple velvet smoking jacket, seemed unperturbed as agents searched his messy apartment in a Soviet-style concrete building; his wife held their baby in the kitchen, laughing with investigators. “This is the gang I’ve been chasing?” Craig thought. The raids lasted well into the night, and Craig didn’t return to his hotel until 3 am. He took nearly 20 terabytes of seized data back to Omaha.
With 39 arrests around the world—stretching across four nations—investigators managed to disrupt the network. But crucial players slipped away. One top mule recruiter in the US fled west, staying a step ahead of investigators in Las Vegas and Los Angeles before finally escaping the country inside a shipping container. More important, Slavik, the mastermind himself, remained almost a complete cipher. Investigators assumed he was based in Russia. And once, in an online chat, they saw him reference that he was married. Other than that, they had nothing. The formal indictment referred to the creator of the Zeus malware using his online pseudonym. Craig didn’t even know what his prime suspect looked like. “We have thousands of photos from tank, petr0vich—not once did we see Slavik’s mug,” Craig says. Soon even the criminal’s online traces vanished. Slavik, whoever he was, went dark. And after seven years of chasing Jabber Zeus, James Craig moved on to other cases.