Cybercrime Leader Vyacheslav Penchukov Discusses Operations and Evolution of Cybercrime

Vyacheslav Penchukov, known as "Tank," a Ukrainian individual identified as a leader in cybercrime, provided an interview from a Colorado prison regarding his activities. Penchukov, 39, was on the FBI's Most Wanted list for nearly a decade and led or participated in two distinct cybercrime groups over different periods. This interview, his first, detailed the operations of these groups and offered information on individuals still at large, including the alleged leader of the sanctioned Russian group, Evil Corp.

Arrest and Early Operations

Penchukov was arrested in Switzerland in 2022 after more than 15 years. He described the arrest, stating, "There were snipers on the roof and the police put me on the ground and handcuffed me and put a bag on my head on the street in front of my kids. They were scared."

He and groups he was associated with were responsible for the theft of tens of millions of pounds from victims globally. In the late 2000s, Penchukov and the Jabber Zeus group utilized advanced cybercrime techniques to fraudulently transfer funds directly from the bank accounts of small businesses, local authorities, and charities. In the United Kingdom, over 600 victims reportedly lost more than £4 million ($5.2 million) in three months. Between 2018 and 2022, Penchukov engaged in ransomware activities, targeting international corporations and a hospital.

Life and Evasion

Penchukov is currently held at Englewood Correctional Facility, a low-security prison. He reported engaging in sports and learning French and English. He entered the field of hacking through online game cheat forums in Donetsk, Ukraine. He subsequently became a leader of the Jabber Zeus group, which was known for its use of Zeus malware and the Jabber communication platform. Penchukov collaborated with a small group of hackers, including Maksim Yakubets, who was later sanctioned by the US government and accused of leading the cyber-group Evil Corp.

During the late 2000s, the Jabber Zeus group operated from an office in Donetsk, engaging in financial theft from overseas victims for six to seven hours daily. Penchukov also performed as a DJ under the name DJ Slava Rich. He characterized cybercrime during this period as "easy money," noting that banks and police in the US, Ukraine, and the UK had difficulty countering it.

Police obtained a breakthrough by intercepting the group's communications on Jabber, identifying Penchukov using details he had shared about his daughter's birth. An FBI-led operation, Trident Breach, resulted in arrests in Ukraine and the UK. Penchukov, however, evaded arrest, attributing it to a tip-off and his car. He stated, "I had an Audi S8 with a 500-horsepower Lamborghini engine so when I saw the cops flashing lights in my rear-view mirror, I jumped the red light and lost them easily." He claimed he remained discreet and ceased cybercrime activities, starting a coal trading company.

Despite his claims, the FBI continued its investigation, and Penchukov was placed on their Most Wanted list while on holiday in Crimea. His lawyer at the time advised him against traveling outside Ukraine or Russia.

Return to Cybercrime and Ransomware

Penchukov alleges that after being identified as a wealthy individual sought by Western authorities, Ukrainian officials frequently demanded money from him. His coal business was impacted by Russia's 2014 invasion of Crimea, during which Russian soldiers in unmarked uniforms affected his business and missiles damaged his apartment in Donetsk. Penchukov stated that financial difficulties and demands from Ukrainian officials led him to resume cybercrime activities.

He described ransomware as more challenging but profitable. He claimed, "Cyber-security had improved a lot, but we were able to make about $200,000 a month. Much higher profits." He recounted rumors of a group receiving $20 million (£15.3 million) from a hospital affected by ransomware, which he said motivated other hackers in criminal forums to target US medical institutions for similar financial gain. He characterized these communities as having a "herd mentality," stating, "People don't care about the medical side of things - all they see is 20 millions being paid."

Penchukov became a prominent affiliate for ransomware services, including Maze, Egregor, and Conti. When questioned about alleged cooperation between these criminal groups and Russian security services, Penchukov responded, "Of course," and stated that some members discussed "their handlers" in Russian security services like the FSB. The BBC contacted the Russian Embassy in London regarding these allegations but received no response.

He later became a leader of IcedID, a group that infected over 150,000 computers with malicious software, leading to various cyberattacks, including ransomware. Penchukov led a team responsible for identifying profitable opportunities from infected systems. In 2020, the University of Vermont Medical Center in the US was affected by ransomware associated with IcedID. According to US prosecutors, this resulted in losses exceeding $30 million (£23 million) and disrupted critical patient services for over two weeks. Prosecutors stated that the attack, which disabled 5,000 hospital computers, created a risk of death or serious injury to patients. Penchukov denies direct involvement, claiming his admission was made to reduce his sentence.

Penchukov, who changed his surname to Andreev, is serving two concurrent nine-year sentences and has been ordered to pay $54 million (£41.4 million) in restitution. He perceives his sentences as excessive and hopes for an earlier release.

Victim Impact and Penchukov's Perspective

Penchukov's view as a young hacker was that Western companies and individuals could afford financial losses, and that these losses were covered by insurance. However, an early victim from the Jabber Zeus era, Lieber's Luggage, a family-run business in Albuquerque, New Mexico, reported a loss of $12,000 (£9,200). Owner Leslee described the experience: "It was just disbelief and horror when the bank called because we had no idea what had happened, and the bank clearly didn't have any idea." This amount was significant for the business, impacting its ability to cover rent, merchandise purchases, and staff payments, and they had no savings to rely on. Leslee's mother, who managed the accounts, experienced self-blame prior to the discovery of the theft. Leslee stated, "We had all of those feelings, the anger, the frustration, the fear." Leslee and her husband Frank expressed the belief that attempting to change the perspectives of the responsible individuals would be futile.

Penchukov stated he did not consider the victims. He expressed regret regarding a ransomware attack on a disabled children's charity. His perceived primary regret was becoming too trusting of other hackers, which he believes led to his own and other arrests. He remarked, "You can't make friends in cyber-crime, because the next day, your friends will be arrested and they will become an informant," adding, "Paranoia is a constant friend of hackers." He also suggested that prolonged involvement in cybercrime leads to errors: "If you do cyber-crime long enough you lose your edge."