Algerian hacker convicted of using popular computer virus to steal millions of dollars from hundreds of bank accounts.
Depending on who you ask, Hamza Bendelladj is either a Robin Hood-esque hero or a cyber-age hoodlum.
The 27-year-old Algerian computer science graduate will be sentenced on Tuesday in a US court for using a computer virus to steal money from more than 200 American banks and financial institutions. He then reportedly gave millions of dollars to Palestinian charities.
Bendelladj, who is alleged to be the co-creator of a banking trojan horse called SpyEye, was indicted in absentia by US authorities in 2011. The program – a malware toolkit that saw its popularity peak between 2009 and 2011 – is believed to have infected more than 1.4 million computers in the US and elsewhere, according to Wired, a San Francisco-based technology magazine. The software enabled users to steal login information for online financial accounts, which they then pillaged.
On Tuesday, Bendelladj, who hails from Tizi Ouzou in Algeria, will be sentenced in court in the US state of Georgia. He has already pleaded guilty and faces a prison sentence of more than 65 years and up to $14m in fines, according to the US Department of Justice.
It took two years for Bendelladj, known in the online world as Bx1, to be apprehended. Authorities in Thailand arrested him on their soil and extradited him to the US in 2013. He was dubbed the “happy hacker” because he was photographed smiling as he was taken into custody at Bangkok’s Suvarnabhumi Airport.
American law enforcement officers identified Bendelladj when he allegedly sold a copy of the SpyEye virus to an undercover officer for $8,500.
“Bendelladj‘s alleged criminal reach extended across international borders, directly into victims’ homes,” said US attorney Sally Quillian Yates, on May 3, 2013, on the same day Bendelladj‘s 23-count indictment was revealed. It included charges related to wire, bank, and computer fraud.
In a cyber-netherworld, he allegedly commercialised the wholesale theft of financial and personal information through this virus, which he sold to other cyber-criminals.
“In a cyber-netherworld, he allegedly commercialised the wholesale theft of financial and personal information through this virus, which he sold to other cyber-criminals,” Yates said.
According to court documents, between 2009 and 2011, Bendelladj and others developed, marketed and sold various versions of the SpyEye virus to cyber-criminals, which allowed them to obtain passwords, usernames and credit card information. US authorities say he mostly advertised SpyEye on a computer hacking forum known as Darkode.
US authorities say Bendelladj and other SpyEye users were responsible for building a huge network, or “botnet”, of infected computers that they regularly hijacked for financial and personal information. Bendelladj is also accused of using the information gathered to steal money from banks.
While the court documents make no references as to how the cash was spent, several reports online claimed that Bendelladj used the money to fund various Palestinian charities – information that made him a hero in the eyes of many.
Death sentence rumors
Following his extradition, rumours began to circulate online that Bendelladj was facing the death penalty for his crimes, and his supporters began a campaign asking for his life to be spared. In August, a user writing under the Twitter handle @Hassan_JBr wrote: “Algerian hero is 1/10 most dangerous hackers. Hacked 217 banks, sent $280,000,000 to Palestine. His sentence? death.” His message garnered more than 4,500 re-tweets.
US authorities refuted the widely publicised claims; even the US ambassador to Algeria, Joan Polaschik, tweeted in French that “computer crimes are not capital [ones] and are not punishable by the death penalty”.
Since Bendellaj’s incarceration, US law enforcement officers said they have dismantled Darkode and have filed criminal charges against a dozen individuals associated with the forum.
“This is a milestone in our efforts to shut down criminals’ ability to buy, sell, and trade malware, botnets, and personally identifiable information used to steal from US citizens and individuals around the world,” said FBI Deputy Director Mark Giuliano.
Despite his admission of guilt, Bendellaj’s supporters continue to hack various websites across the world, including, of late, Air France and a Virginia-based university, calling for his release using the hashtags #FreeHamzaBendellaj and #FreePalestine.
According to Martin Libicki, the author of Cyberdeterrence and Cyberwar, the fight against online hackers such as Bendelladj will be a long one.
“Cybercrime is still an attractive proposition for someone who is clever and has a tolerance for [ignoring] risk,” he told Al Jazeera. “In the long run, bringing the losses to cybercrime down to tolerable levels will have to depend on provisions that are made in the architecture of computing and the architecture of banking [and other money-handling industries].”