A Latvian “non-citizen,” meaning a citizen of the former USSR who resided in Riga, Latvia, was sentenced to 168 months in prison Friday for offenses related to his operation of “Scan4you,” an online counter antivirus service that helped computer hackers determine whether the computer viruses and other malicious software they created would be detected by antivirus software.
Ruslans Bondars, 38, was convicted on May 16, following a five-day jury trial, of one count of conspiracy to violate the Computer Fraud and Abuse Act, one count of conspiracy to commit wire fraud, and one count of computer intrusion with intent to cause damage and aiding and abetting.
“Ruslans Bondars helped malware developers attack American businesses,” said Assistant Attorney General Brian Benczkowski. “The Department of Justice and its law enforcement partners make no distinction between service providers like Scan4You and the hackers they assist: we will hold them accountable for all of the significant harm they cause and work tirelessly to bring them to justice, wherever they may be located.”
According to testimony at trial and court documents, from at least 2009 until 2016, Bondars operated Scan4you, which for a fee provided computer hackers with information they used to determine whether their malware would be detected by antivirus software, including and especially by antivirus software used to protect major U.S. retailers, financial institutions and government agencies from computer intrusions.
A Scan4you customer, for example, used the service to test malware that was subsequently used to steal approximately 40 million credit and debit card numbers, as well as approximately 70 million addresses, phone numbers and other pieces of personal identifying information, from retail store locations throughout the United States, causing one retailer approximately $292 million in expenses resulting from the intrusion.
Another Scan4you customer used the service to assist the development of “Citadel,” a widely used malware strain that was used to infect over 11 million computers worldwide, including in the United States, and resulted in over $500 million in fraud-related losses. The Citadel developer took advantage of a special feature of Scan4you that allowed its integration directly into the Citadel malware toolkit through an Application Programming Interface, or API. The API tool allowed Scan4you users the flexibility to scan malware without the need to directly submit the malware to Scan4you’s website.
At its height, Scan4you was one of the largest services of its kind and had at least thousands of users. Malware developed with the assistance of Scan4you included some of the most prolific malware known to the FBI and was used in major computer intrusions committed against American businesses.
Scan4you differed from legitimate antivirus scanning services in multiple ways. For example, while legitimate scanning services share data about uploaded files with the antivirus community and notify their users that they will do so, Scan4you instead informed its users that they could upload files anonymously and promised not to share information about the uploaded files with the antivirus community.
In issuing the sentence, the court found a loss amount of $20.5 billion. In addition to the term of imprisonment, U.S. District Judge Liam O’Grady ordered Bondars to serve three years of supervised release. A decision regarding forfeiture and payment of restitution to victims of the offenses is forthcoming.