ATLANTA - Mark Vartanyan, also known as “Kolypto,” a Russian national who allegedly developed, improved and maintained the pernicious “Citadel” malware toolkit, was arraigned in federal court following his extradition from Norway in December 2016. Vartanyan was charged with one count of computer fraud.

“This successful extradition is yet another example of how cooperation among international law enforcement partners can be used to disrupt and dismantle global cyber syndicates,” said U. S. Attorney John Horn. “This defendant’s alleged role in developing and improving “Citadel” for its use by cybercriminals caused a vast amount of financial harm to individuals and institutions around the world. His appearance in federal court today shows that cybercriminals cannot hide in the shadows of the Internet. We will identify them and bring them to justice wherever they operate.”

“We must continue to impose real costs on criminals who believe they are protected by geographic boundaries and can prey on the American people and institutions with impunity. Vartanyan's arrest removes a significant player who was engaged in the development, improvement, maintenance and distribution of malware from the resources available to the cyber criminal underground, thereby deteriorating the capabilities of cyber criminal groups. Today's plea is the culmination of a multi-national effort led by the FBI, highlighting the benefits of global cooperation among the United States and international law enforcement. It further demonstrates the FBI’s long-term commitment to identifying and pursuing cyber criminals world-wide, and serves as a strong deterrent to others targeting America’s financial institutions and citizens through the use of malicious software,” said David J. LeValley, Special Agent in Charge, FBI Atlanta Office.

According to U.S. Attorney Horn, the charges, and other information presented in court: “Citadel” is a malware toolkit designed to infect computer systems and steal financial account credentials and personally identifiable information from victim computer networks. Beginning in or about 2011, Citadel was offered for sale on invite-only, Russian-language internet forums frequented by cybercriminals. Users of Citadel targeted and exploited the computer networks of major financial and government institutions around the world, including several financial institutions in the United States. According to industry estimates, Citadel infected approximately 11 million computers worldwide and is responsible for over $500 million in losses.

Between on or about August 21, 2012 and January 9, 2013, while residing in Ukraine, and again between on or about April 9, 2014 and June 2, 2014, while residing in Norway, Vartanyan allegedly engaged in the development, improvement, maintenance and distribution of Citadel. During these periods, Vartanyan allegedly uploaded numerous electronic files that consisted of Citadel malware, components, updates and patches, as well as customer information, all with the intent of improving Citadel’s illicit functionality.

Vartanyan was extradited to the United States in December 2016 from Norway. He was charged in a one-count Information with computer fraud, and was arraigned before U.S. Magistrate Judge Russell G. Vineyard.

Vartanyan is the second defendant charged in connection with an ongoing investigation of the Citadel malware. On September 29, 2015, Dimitry Belorossov, a/k/a Rainerfox, 22, of St. Petersburg, Russia, was sentenced to four years, six months in prison following his guilty plea for conspiring to commit computer fraud for distributing and installing Citadel onto victim computers using a variety of infection methods.

Belorossov downloaded a version of Citadel, which he then used to operate a Citadel botnet primarily from Russia. Belorossov remotely controlled over 7,000 victim bots, including at least one infected computer system with an IP address resolving to the Northern District of Georgia. Belorossov’s Citadel botnet contained personal information from the infected victim computers, including online banking credentials for U.S.-based financial institutions with federally insured deposits, credit card information, and other personally identifying information.

In addition to operating a Citadel botnet, Belorossov also provided online assistance with the goal of developing suggested improvements to Citadel, including posting comments on criminal forums on the Internet and electronically communicating with other cybercriminals via email and instant messaging.

Belorossov was convicted on July 18, 2014, after he pleaded guilty.

DOJ’s investigation into the creator of the Citadel malware is continuing.

Members of the public are reminded that the information only contains charges. The defendant is presumed innocent of the charges and it will be the government’s burden to prove the defendant’s guilt beyond a reasonable doubt at trial.

This case is being investigated by the Federal Bureau of Investigation.

Assistant United States Attorney Steven D. Grimberg is prosecuting the case. The Justice Department’s Office of International Affairs also provided assistance with this case.

For further information please contact the U.S. Attorney’s Public Affairs Office at USAGAN.PressEmails@usdoj.gov or (404) 581-6016. The Internet address for the U.S. Attorney’s Office for the Northern District of Georgia is http://www.justice.gov/usao-ndga.