Russian Hacker “Kolypto” Pleads Guilty in Citadel Malware Case
March 21, 2017
Mark Vartanyan, also
known as “Kolypto,” a Russian national who allegedly developed, improved
and maintained the pernicious “Citadel” malware toolkit, was arraigned
in federal court following his extradition from Norway in December 2016.
Vartanyan was charged with one count of computer fraud.
“This successful extradition is yet another example of how cooperation
among international law enforcement partners can be used to disrupt and
dismantle global cyber syndicates,” said U.S. Attorney John Horn. “This
defendant’s alleged role in developing and improving ‘Citadel’ for its
use by cybercriminals caused a vast amount of financial harm to
individuals and institutions around the world. His appearance in federal
court today shows that cybercriminals cannot hide in the shadows of the
Internet. We will identify them and bring them to justice wherever they
“We must continue to impose real costs on criminals who believe they are
protected by geographic boundaries and can prey on the American people
and institutions with impunity. Vartanyan’s arrest removes a significant
player who was engaged in the development, improvement, maintenance and
distribution of malware from the resources available to the cyber
criminal underground, thereby deteriorating the capabilities of cyber
criminal groups. Today’s plea is the culmination of a multi-national
effort led by the FBI, highlighting the benefits of global cooperation
among the United States and international law enforcement. It further
demonstrates the FBI’s long-term commitment to identifying and pursuing
cyber criminals world-wide, and serves as a strong deterrent to others
targeting America’s financial institutions and citizens through the use
of malicious software,” said David J. LeValley, Special Agent in Charge,
FBI Atlanta Office.
According to U.S. Attorney Horn, the charges, and other information
presented in court: “Citadel” is a malware toolkit designed to infect
computer systems and steal financial account credentials and personally
identifiable information from victim computer networks. Beginning in or
about 2011, Citadel was offered for sale on invite-only,
Russian-language internet forums frequented by cybercriminals. Users of
Citadel targeted and exploited the computer networks of major financial
and government institutions around the world, including several
financial institutions in the United States. According to industry
estimates, Citadel infected approximately 11 million computers worldwide
and is responsible for over $500 million in losses.
Between on or about August 21, 2012 and January 9, 2013, while residing
in Ukraine, and again between on or about April 9, 2014 and June 2,
2014, while residing in Norway, Vartanyan allegedly engaged in the
development, improvement, maintenance and distribution of Citadel.
During these periods, Vartanyan allegedly uploaded numerous electronic
files that consisted of Citadel malware, components, updates and
patches, as well as customer information, all with the intent of
improving Citadel’s illicit functionality.
Vartanyan was extradited to the United States in December 2016 from
Norway. He was charged in a one-count Information with computer fraud,
and was arraigned before U.S. Magistrate Judge Russell G. Vineyard.
Vartanyan is the second defendant charged in connection with an ongoing
investigation of the Citadel malware. On September 29, 2015, Dimitry
Belorossov, a/k/a Rainerfox, 22, of St. Petersburg, Russia, was
sentenced to four years, six months in prison following his guilty plea
for conspiring to commit computer fraud for distributing and installing
Citadel onto victim computers using a variety of infection methods.
Belorossov downloaded a version of Citadel, which he then used to
operate a Citadel botnet primarily from Russia. Belorossov remotely
controlled over 7,000 victim bots, including at least one infected
computer system with an IP address resolving to the Northern District of
Georgia. Belorossov’s Citadel botnet contained personal information from
the infected victim computers, including online banking credentials for
U.S.-based financial institutions with federally insured deposits,
credit card information, and other personally identifying information.
In addition to operating a Citadel botnet, Belorossov also provided online
assistance with the goal of developing suggested improvements to
Citadel, including posting comments on criminal forums on the Internet
and electronically communicating with other cybercriminals via email and
Belorossov was convicted on July 18, 2014, after he pleaded guilty.
DOJ’s investigation into the creator of the Citadel malware is
Members of the public are reminded that the information only contains
charges. The defendant is presumed innocent of the charges and it will
be the government’s burden to prove the defendant’s guilt beyond a
reasonable doubt at trial.