A Ukrainian man indicted in 2012 for conspiring with a prolific hacking group to steal tens of millions of dollars from U.S. businesses was arrested in Italy and is now in custody in the United States, KrebsOnSecurity has learned.<\/p>\n
Sources close to the investigation say Yuriy Igorevich Rybtsov<\/strong>, a 41-year-old from the Russia-controlled city of Donetsk, Ukraine, was previously referenced in U.S. federal charging documents only by his online handle \u201cMrICQ<\/strong>.\u201d According to a 13-year-old indictment<\/a> (PDF) filed by prosecutors in Nebraska, MrICQ was a developer for a cybercrime group known as \u201cJabber Zeus<\/strong>.\u201d<\/p>\n Image: lockedup dot wtf.<\/p>\n<\/div>\n The Jabber Zeus name is derived from the malware they used \u2014 a custom version of the ZeuS banking trojan<\/a> \u2014 that stole banking login credentials and would send the group a Jabber instant message each time a new victim entered a one-time passcode at a financial institution website. The gang targeted mostly small to mid-sized businesses, and they were an early pioneer of so-called \u201cman-in-the-browser\u201d attacks, malware that can silently intercept any data that victims submit in a web-based form.<\/p>\n Once inside a victim company\u2019s accounts, the Jabber Zeus crew would modify the firm\u2019s payroll to add dozens of \u201cmoney mules,\u201d people recruited through elaborate work-at-home schemes to handle bank transfers. The mules in turn would forward any stolen payroll deposits \u2014 minus their commissions \u2014 via wire transfers to other mules in Ukraine and the United Kingdom.<\/p>\n The 2012 indictment\u00a0targeting the Jabber Zeus crew named MrICQ as \u201cJohn Doe #3<\/strong>,\u201d and said this person handled incoming notifications of newly compromised victims. The Department of Justice (DOJ) said MrICQ also helped the group launder the proceeds of their heists through electronic currency exchange services.<\/p>\n Two sources familiar with the Jabber Zeus investigation said Rybtsov was arrested in Italy, although the exact date and circumstances of his arrest remain unclear. A summary of recent decisions<\/a> (PDF) published by the Italian Supreme Court states that in April 2025, Rybtsov lost a final appeal to avoid extradition to the United States.<\/p>\n According to the mugshot website lockedup[.]wtf<\/strong>, Rybtsov arrived in Nebraska on October 9, and was being held under an arrest warrant from the U.S. Federal Bureau of Investigation<\/strong> (FBI).<\/p>\n The data breach tracking service Constella Intelligence<\/a> found breached records from the business profiling site bvdinfo[.]com showing that a 41-year-old Yuriy Igorevich Rybtsov worked in a building at 59 Barnaulska St. in Donetsk. Further searching on this address in Constella finds the same apartment building was shared by a business registered to Vyacheslav \u201cTank\u201d Penchukov<\/strong>, the leader of the Jabber Zeus crew in Ukraine.<\/p>\n Vyacheslav \u201cTank\u201d Penchukov, seen here performing as \u201cDJ Slava Rich\u201d in Ukraine, in an undated photo from social media.<\/p>\n<\/div>\n Penchukov was arrested in 2022<\/a> while traveling to meet his wife in Switzerland. Last year, a federal court in Nebraska sentenced Penchukov to 18 years in prison<\/a> and ordered him to pay more than $73 million in restitution.<\/span><\/p>\n Lawrence Baldwin<\/strong> is founder of myNetWatchman<\/a>, a threat intelligence company based in Georgia that began tracking and disrupting the Jabber Zeus gang in 2009. myNetWatchman had secretly gained access to the Jabber chat server used by the Ukrainian hackers, allowing Baldwin to eavesdrop on the daily conversations between MrICQ and other Jabber Zeus members.<\/p>\n Baldwin shared those real-time chat records with multiple state and federal law enforcement agencies, and with this reporter. Between 2010 and 2013, I spent several hours each day alerting small businesses across the country that their payroll accounts were about to be drained by these cybercriminals.<\/p>\n Those notifications, and Baldwin\u2019s tireless efforts, saved countless would-be victims a great deal of money. In most cases, however, we were already too late. Nevertheless, the pilfered Jabber Zeus group chats provided the basis for dozens of stories published here about small businesses fighting their banks<\/a> in court over six- and seven-figure financial losses.<\/p>\n Baldwin said the Jabber Zeus crew was far ahead of its peers in several respects. For starters, their intercepted chats showed they worked to create a highly customized botnet directly with the author of the original Zeus Trojan \u2014 Evgeniy Mikhailovich Bogachev<\/strong>, a Russian man who has long been on the FBI\u2019s \u201cMost Wanted\u201d list. The feds have a standing $3 million reward<\/a> for information leading to Bogachev\u2019s arrest.<\/p>\n Evgeniy M. Bogachev, in undated photos.<\/p>\n<\/div>\n The core innovation of Jabber Zeus was an alert that MrICQ would receive each time a new victim entered a one-time password code into a phishing page mimicking their financial institution. The gang\u2019s internal name for this component was \u201cLeprechaun<\/strong>,\u201d (the video below<\/a> from myNetWatchman shows it in action). Jabber Zeus would actually re-write the HTML code as displayed in the victim\u2019s browser, allowing them to intercept any passcodes sent by the victim\u2019s bank for multi-factor authentication.<\/p>\n \u201cThese guys had compromised such a large number of victims that they were getting buried in a tsunami of stolen banking credentials,\u201d Baldwin told KrebsOnSecurity. \u201cBut the whole point of Leprechaun was to isolate the highest-value credentials \u2014 the commercial bank accounts with two-factor authentication turned on. They knew these were far juicier targets because they clearly had a lot more money to protect.\u201d<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/11\/rybtsov-lockedup.png?resize=749%2C678&ssl=1\")
<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2022\/11\/tank-dj.png?resize=743%2C587&ssl=1\")
<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2019\/12\/bogachev.png?resize=743%2C456&ssl=1\")
<\/p>\n