OMAHA, Neb. (AP) — Two Ukrainian men suspected of involvement in a major cybercrime operation that used computer malware to steal millions of dollars pleaded not guilty Friday in federal court in Nebraska.
Yuriy Konovalenko, 31, and Yevhen Kulibaba, 36, were among nine people charged by a federal grand jury in August 2012, according to the U.S. Department of Justice. The indictments unsealed Friday in U.S. District Court in Lincoln reveal an alleged international scheme that captured victims' passwords and bank account numbers, then used the information to help transfer money from the accounts. The victims included banks in Nebraska, and companies in Kentucky, Iowa and Chicago.
The two men are charged with conspiracy to participate in racketeering activity, conspiracy to commit computer fraud and identity theft, aggravated identity theft and multiple counts of bank fraud. They each could face up to 40 years in prison if convicted of the racketeering and computer fraud counts alone. The other seven people named in the indictment remain at large.
Konovalenko and Kulibaba, who were recently extradited from the United Kingdom, stood mostly silent during their court appearance in Lincoln. Konovalenko answered the judge's yes-or-no questions through a Russian interpreter, while Kulibaba answered questions in English. Both men pleaded not guilty, and another hearing was set for June 2.
The "Zeus" malware captured passwords, account numbers and other information necessary to log into online banking accounts and steal millions of dollars, according to the indictments.
Once that information was obtained, members of the ring posed as employees of the victims to make fund transfers from the victims' bank accounts. The operation also used "money mules" — people who received funds transferred from victims' bank accounts into their own bank accounts — who would then withdraw the money and wire some of it overseas to the ring's operators, the indictments say.
"In this case, the victims included a Nebraska bank and a Nebraska company," U.S. Attorney for Nebraska Deborah Gilg said in a written statement. "This demonstrates the global reach of cybercrime and the significant threat to our financial infrastructure."
The unsealed indictments reveal that Nebraska victims included First National Bank of Omaha, First Federal Savings Bank, Union Bank and Trust and Plainview ethanol plant Husker AG, as well as Nebraska branches of Bank of America. Other victims included Bullitt County Fiscal Court in Kentucky, Iowa beer distributor Doll Distributing, Franciscan Sisters of Chicago and the town of Egremont, Mass.
The case was investigated by the FBI's Omaha Cyber Task Force, in cooperation from police in Britain, the Netherlands and Ukraine.
The others indicted were revealed as Ukraine residents Vyacheslav Igorevich Penchukov, 32; Ivan Viktorvich Klepikov, 30; and Alexey Dmitrievich Bron, 26; and Alexey Tikonov, of Russia, whose age was not available. The three remaining are listed in court records only as John Does 1, 2 and 3.
The Justice Department said all seven remain at large, and Justice Department spokesman Peter Carr declined to say whether U.S. authorities know where the seven men may be now.
Associated Press writer Christine Scalora in Lincoln contributed to this report.