Over a year after the arrest of eight of its members in Russia, the alleged leader of the original Carberp botnet ring that stole millions from bank accounts worldwide has been arrested, along with about 20 other members of the ring who served as its malware development team. The arrests, reported by the news site Kommersant Ukraine, were a collaboration between Russian and Ukrainian security forces. The alleged ringleader, an unnamed 28-year-old Russian citizen, and the others were living throughout Ukraine.

Initially launched in 2010, Carberp primarily targeted the customers of Russian and Ukrainian banks and was novel in the way it doctored Java code used in banking apps to commit its fraud. Spread by the ring through malware planted on popular Russian websites, the Carberp trojan was used to distribute targeted malware that modifies the bytecode in BIFIT's iBank 2 e-banking application, a popular online banking tool used by over 800 Russian banks, according to Aleksandr Matrosov, senior malware researcher at ESET. The botnet that spread the malware, which was a variant of the Zeus botnet framework, also was used to launch distributed denial of service attacks.

In February of 2011 the group put its malware on the market, selling it to would-be cybercriminals for $10,000 per kit—but it pulled the kit a few months later.

The activity of the ring appeared to die down after the first eight arrests last year, with Carberp malware detection dropping through last spring. But the developers kept coding and brought the botnet and related malware back to market last December—including a brand new and improved "bootkit" version of the trojan for the asking price of $40,000, according to RSA security researchers. Carberp malware was used as part of the "Eurograbber" botnet system uncovered late last year that went after both PCs and smartphones in its financial fraud campaign, netting more than $47 million for its operators.