bbc.com
Joe Tidy
Cyber correspondent, BBC World Service
One of the world's most prominent cyber-criminals speaks to the BBC in an exclusive interview.
After years of reading about "Tank" and months of planning a visit to him in a Colorado prison, I hear the door click open before I see him walk into the room.
I stand up ready to give this former cyber-crime kingpin a professional hello. But, like a cheeky cartoon character, he pokes his head around a pillar with a giant grin on his face and winks.
Tank, whose real name is Vyacheslav Penchukov, climbed to the top of the cyber-underworld not so much with technical wizardry, but with criminal charm.
"I am a friendly guy, I make friends easily," the 39-year-old Ukrainian says, with a broad smile.
Having friends in high places is said to be one of the reasons Penchukov managed to evade police for so long. He spent nearly 10 years on the FBI's Most Wanted list and was a leader of two separate gangs in two distinct periods of cyber-crime history.
It is rare to speak to such a high-level cyber-criminal who has left so many victims behind him; Penchukov spoke to us for six hours over two days as part of the ongoing podcast series Cyber Hack: Evil Corp.
The exclusive interview - Penchukov's first ever - reveals the inner workings of these prolific cyber-gangs, the mindset of some of the individuals behind them and never-before-known details about hackers still at large - including the alleged leader of the sanctioned Russian group, Evil Corp.
It took more than 15 years for authorities to finally arrest Penchukov in a dramatic operation in Switzerland in 2022.
"There were snipers on the roof and the police put me on the ground and handcuffed me and put a bag on my head on the street in front of my kids. They were scared," he recalls with annoyance.
He is still bitter about how he was arrested, arguing that it was over the top. His thousands of victims around the world would strongly disagree with him: Penchukov and the gangs he either led or was a part of stole tens of millions of pounds from them.
In the late 2000s, he and the infamous Jabber Zeus crew used revolutionary cyber-crime tech to steal directly from the bank accounts of small businesses, local authorities and even charities. Victims saw their savings wiped out and balance sheets upended. In the UK alone, there were more than 600 victims, who lost more than £4m ($5.2m) in just three months.
Between 2018 and 2022, Penchukov set his sights higher, joining the thriving ransomware ecosystem with gangs that targeted international corporations and even a hospital.
Englewood Correctional Facility, where Penchukov is being held, would not let us take any recording equipment inside the prison, so a producer and I make notes during the interview as we are watched over by a guard nearby.
The first thing that stands out about Penchukov is that, although he is eager to be released, he seems in high spirits and is clearly making the most of his time in prison. He tells me he plays a lot of sport, is learning French and English - a well-thumbed Russian-English dictionary stays by his side throughout our interview - and is racking up high-school diplomas. He must be smart, I suggest. "Not smart enough - I'm in prison," he jokes.
Englewood is a low-security prison with good facilities. The low-rise but sprawling building sits in the foothills of the Rocky Mountains in Colorado. The dusty grass verges surrounding the prison are teeming with noisy prairie dogs scurrying into their burrows whenever disturbed by prison vehicles coming and going.
It is a long way from Donetsk, Ukraine, where he ran his first cyber-crime gang after falling into hacking through games cheat forums, where he would look for cheats for his favourite video games like Fifa 99 and Counterstrike.
He became the leader of the prolific Jabber Zeus crew - so named because of their use of the revolutionary Zeus malware and their favourite communication platform, Jabber.
Penchukov worked with a small group of hackers that included Maksim Yakubets - a Russian who would go on to be sanctioned by the US government, accused of leading the infamous cyber-group Evil Corp.
Penchukov says that throughout the late 2000s, the Jabber Zeus crew would work out of an office in the centre of Donetsk, putting in six to seven-hour days stealing money from victims overseas. Penchukov would often end his day with a DJ set in the city, playing under the name DJ Slava Rich.
Cyber-crime in those days was "easy money", he says. The banks had no idea how to stop it and police in the US, Ukraine and the UK could not keep up.
In his early 20s, he was making so much money he bought himself "new cars like they were new clothes". He had six in total - "all expensive German ones".
But police got a breakthrough when they managed to eavesdrop on the criminals' text chats in Jabber and discovered the true identity of Tank using details he had given away about the birth of his daughter.
The net closed in on the Jabber Zeus crew, and an FBI-led operation called Trident Breach saw arrests in Ukraine and the UK. But Penchukov slipped through the net thanks to a tip-off from someone he will not name. And thanks to one of his fast cars.
"I had an Audi S8 with a 500-horsepower Lamborghini engine so when I saw the cops flashing lights in my rear view mirror, I jumped the red light and lost them easily. It gave me a chance to test the full power of my car," he says.
He laid low with a friend for a while, but when the FBI left Ukraine, the local authorities seemed to lose interest in him.
So Penchukov kept under the radar and, he says, went straight. He started a company buying and selling coal, but the FBI was still on the trail.
"I was on holiday in Crimea when I got a message from a friend who saw that I had been put on the FBI Most Wanted list. I thought I had got away with it all - then I realised I have a new problem," he says, an obvious understatement.
His lawyer at the time was calm, though, and advised him not to worry: as long as he did not travel outside of Ukraine or Russia, US police could not do much.
The Ukrainian authorities did eventually come knocking - but not to arrest him.
Penchukov had been outed as a wealthy hacker wanted by the West and he alleges that almost every day, officials would come and shake him down for money.
His coal-selling business was going well until Russia's invasion of Crimea in 2014. President Putin's so-called "Little Green Men" - Russian soldiers in unmarked uniforms - ruined his business and missiles struck his apartment in Donetsk, damaging his daughter's bedroom.
Penchukov says that it was business troubles and the constant payouts to Ukrainian officials that led him to once again fire up his laptop and get back into the cyber-crime life.
"I just decided it was the fastest way to make money to pay them," he says.
His journey charts the evolution of modern cyber-crime - from quick and easy bank account theft to ransomware, today's most pernicious and damaging type of cyber-attack used in high-profile hacks this year, including on UK High Street stalwart Marks & Spencer.
He says ransomware was harder work but the money was good. "Cyber-security had improved a lot, but we were able to make about $200,000 a month. Much higher profits."
In a revealing anecdote, he remembers rumours that started about a crew being paid $20m (£15.3m) from a hospital that had been crippled by ransomware.
Penchukov says the news fired up the hundreds of hackers in the criminal forums who all then went after US medical institutions to repeat the pay day. These hacker communities have a "herd mentality", he says: "People don't care about the medical side of things - all they see is 20 millions being paid."
Penchukov rebuilt his connections and skills to become one of the top affiliates of ransomware services, including Maze, Egregor and the prolific group Conti.
When asked if these criminal groups worked with Russian security services - a regular accusation from the West - Penchukov shrugs and says: "Of course." He says that some ransomware gang members sometimes talked about speaking to "their handlers" in the Russian security services, like the FSB.
The BBC wrote to the Russian Embassy in London, asking if the Russian government or its intelligence agencies engaged with cyber criminals to aid cyber espionage, but received no reply.
Penchukov soon rose to the top again and became a leader of IcedID - a gang that infected more than 150,000 computers with malicious software and led to various types of cyber-attack, including ransomware. Penchukov was in charge of a team of hackers who would sift through the infected computers to work out how best to make money from them.
One victim they infected with ransomware in 2020 was the University of Vermont Medical Center in the US. According to US prosecutors, this led to the loss of more than $30m (£23m) and left the medical centre unable to provide many critical patient services for more than two weeks.
Although no-one died, prosecutors say the attack, which disabled 5,000 hospital computers, created a risk of death or serious injury to patients. Penchukov denies he actually did it, claiming he only admitted to it in order to reduce his sentence.
Overall, Penchukov, who has since changed his surname to Andreev, feels the two nine-year sentences he is serving concurrently are too much for what he did (he is hoping to get out much sooner). He has also been ordered to pay $54m (£41.4m) in restitution to victims.
His view as a young hacker who started in cyber-crime as a teenager is that Western companies and people could afford to lose money and that everything was covered by insurance anyway.
But when I speak to one of his early victims from the Jabber Zeus days, it is clear his attacks did have a harmful impact on innocent people.
Lieber's Luggage, a family-run business in Albuquerque, New Mexico, had $12,000 (£9,200) stolen in one swipe by the gang. Owner Leslee still recalls the shock years later.
"It was just disbelief and horror when the bank called because we had no idea what had happened, and the bank clearly didn't have any idea," she says.
While a modest sum, it was devastating for the business, as the money was used for paying rent, buying merchandise and paying staff.
They did not have any savings to fall back on and, to make matters worse, Leslee's elderly mother was in charge of the company accounts and she blamed herself until the theft was uncovered.
"We had all of those feelings, the anger, the frustration, the fear," she says.
When I ask them what they would like to say to the hackers responsible, they think it is futile to try to change the minds of these callous criminals.
"There's nothing that we could say that would affect him," Leslee says.
"I wouldn't give him the time of day," her husband Frank adds.
Penchukov says he did not think about the victims, and he does not seem to do so much now, either. The only sign of remorse in our conversation was when he talked about a ransomware attack on a disabled children's charity.
His only real regret seems to be that he became too trusting with his fellow hackers, which ultimately led to him and many other criminals being caught.
"You can't make friends in cyber-crime, because the next day, your friends will be arrested and they will become an informant," he says.
"Paranoia is a constant friend of hackers," he says. But success leads to mistakes.
"If you do cyber-crime long enough you lose your edge," he says, wistfully.
As if to highlight the disloyal nature of the cyber underworld, Penchukov says he deliberately avoided any further contact with his one-time Jabber Zeus collaborator and friend Maksim Yakubets after the Russian was outed and sanctioned in 2019 by Western authorities.
Penchukov says that he noticed a distinct change in the hacker community as people shunned working with Yakubets and many of his alleged Evil Corp associates.
Previously Penchukov and "Aqua", as Yakubets was known, had hung out in Moscow drinking and eating in luxury restaurants. "He had bodyguards, which I thought was strange - almost like he wanted to show off his wealth or something," he says.
Being ostracised from the cyber crime world did not deter Evil Corp though and last year, the UK's National Crime Agency accused other members of the Yakubets family of being involved in the decade-long crime spree, sanctioning 16 members of the organisation in total.
But unlike Penchukov, the chances of police collaring him or others in the gang seem low. With a $5m bounty out for information leading to his arrest, Yakubets and his alleged co-conspirators are unlikely to repeat Penchukov's mistake of leaving their country.
INTERPOL-coordinated operation leads to 1,209 arrests
interpol.int - LYON, France 22.08.2025 – In a sweeping INTERPOL-coordinated operation, authorities across Africa have arrested 1,209 cybercriminals targeting nearly 88,000 victims.
The crackdown recovered USD 97.4 million and dismantled 11,432 malicious infrastructures, underscoring the global reach of cybercrime and the urgent need for cross-border cooperation.
Operation Serengeti 2.0 (June to August 2025) brought together investigators from 18 African countries and the United Kingdom to tackle high-harm and high-impact cybercrimes including ransomware, online scams and business email compromise (BEC). These were all identified as prominent threats in the recent INTERPOL Africa Cyberthreat Assessment Report.
The operation was strengthened by private sector collaboration, with partners providing intelligence, guidance and training to help investigators act on intelligence and identify offenders effectively.
This intelligence was shared with participating countries ahead of the operation, providing critical information on specific threats as well as suspicious IP addresses, domains and C2 servers.
Operational highlights: From crypto mining to inheritance scams
Authorities in Angola dismantled 25 cryptocurrency mining centres, where 60 Chinese nationals were illegally validating blockchain transactions to generate cryptocurrency. The crackdown identified 45 illicit power stations which were confiscated, along with mining and IT equipment worth more than USD 37 million, now earmarked by the government to support power distribution in vulnerable areas.
Zambian authorities dismantled a large-scale online investment fraud scheme, identifying 65,000 victims who lost an estimated USD 300 million. The scammers lured victims into investing in cryptocurrency through extensive advertising campaigns promising high-yield returns. Victims were then instructed to download multiple apps to participate. Authorities arrested 15 individuals and seized key evidence including domains, mobile numbers and bank accounts. Investigations are ongoing with efforts focused on tracking down overseas collaborators.
Also in Zambia, authorities identified a scam centre and, in joint operations with the Immigration Department in Lusaka, disrupted a suspected human trafficking network. They confiscated 372 forged passports from seven countries.
Despite being one of the oldest-running internet frauds, inheritance scams continue to generate significant funds for criminal organizations. Officers in Côte d'Ivoire dismantled a transnational inheritance scam originating in Germany, arresting the primary suspect and seizing assets including electronics, jewellery, cash, vehicles and documents. With victims tricked into paying fees to claim fake inheritances, the scam caused an estimated USD 1.6 million in losses.
Valdecy Urquiza, Secretary General of INTERPOL, said:
"Each INTERPOL-coordinated operation builds on the last, deepening cooperation, increasing information sharing and developing investigative skills across member countries. With more contributions and shared expertise, the results keep growing in scale and impact. This global network is stronger than ever, delivering real outcomes and safeguarding victims."
Prior to the operation, investigators participated in a series of hands-on workshops covering open-source intelligence tools and techniques, cryptocurrency investigations and ransomware analysis. This focused training strengthened their skills and expertise, directly contributing to the effectiveness of the investigations and operational successes.
The operation also focused on prevention through a partnership with the International Cyber Offender Prevention Network (InterCOP), a consortium of law enforcement agencies from 36 countries dedicated to identifying and mitigating potential cybercriminal activity before it occurs. The InterCOP project is led by the Netherlands and aims to promote a proactive approach to tackling cybercrime.
Operation Serengeti 2.0 was held under the umbrella of the African Joint Operation against Cybercrime, funded by the United Kingdom’s Foreign, Commonwealth and Development Office.
Operational partners:
Cybercrime Atlas, Fortinet, Group-IB, Kaspersky, The Shadowserver Foundation, Team Cymru, Trend Micro, TRM Labs and Uppsala Security.
Participating countries:
Angola, Benin, Cameroon, Chad, Côte D’Ivoire, Democratic Republic of Congo, Gabon, Ghana, Kenya, Mauritius, Nigeria, Rwanda, Senegal, South Africa, Seychelles, Tanzania, United Kingdom, Zambia and Zimbabwe.
Discover how the FIN6 cybercrime group, also known as Skeleton Spider, leverages trusted cloud services like AWS to deliver stealthy malware through fake job applications and resume-themed phishing campaigns. Learn about their tactics, infrastructure, and how to defend against these evolving threats.
Skeleton Spider, also known as FIN6, is a long-running financially motivated cybercrime group that has continually evolved its tactics to maximize impact and profit. While the group initially gained notoriety for point-of-sale (POS) breaches and large-scale payment card theft, it has since shifted to broader enterprise threats, including ransomware operations.
In recent years, FIN6 has sharpened its focus on social engineering campaigns that exploit professional trust. By posing as job seekers and initiating conversations through platforms like LinkedIn and Indeed, the group builds rapport with recruiters before delivering phishing messages that lead to malware. One of their preferred payloads is more_eggs, a stealthy JavaScript-based backdoor that facilitates credential theft, system access, and follow-on attacks, including ransomware deployment.
This research combines technical insights and practical analysis for both general audiences and cybersecurity professionals. We examine how FIN6 uses trusted cloud services, such as AWS, to host malicious infrastructure, evade detection, and ultimately deploy malware through socially engineered lures.
Des escrocs inondent Facebook de promotions sur des sacs à dos Decathlon notamment. Voici leur technique et leurs objectifs.
Les faux concours sur Facebook nous divertissent depuis plus de dix ans, et l’arnaque reste efficace: depuis quelques mois, les posts rémunérés se multiplient, promettant notamment un sac à dos Decathlon à deux francs.
Ainsi, une certaine Nadine Keller ou encore une Sophie Delacroix – bref, une jeune femme sympathique avec un petit chien trop mignon – nous raconte que sa mère a été licenciée de manière totalement injustifiée par son employeur (pour Sophie Delacroix, c'est son mec), mais passons. L'employeur? Decathlon.
Elle révèle donc quelque chose que seuls les employés du fabricant sons censés savoir: en remplissant un petit sondage en ligne, on recevra un sac à dos The North Face. Pour se venger de Decathlon, elle partage le lien vers l'enquête afin d'en faire profiter le plus de personnes possible.
Des publications de ce genre sont envoyées en masse par de faux profils créés tous les jours. Et ce, avec à chaque fois un libellé légèrement modifié et de nouvelles «photos de preuve» de sacs à dos soi-disant achetés pour deux francs. L'arnaque dure depuis des mois notamment en France et en Belgique, aujourd'hui, elle est chez nous.
Des dizaines de comptes proposent des arnaques avec Decathlon. En français, on trouve pas mal d'offres en euro.
Image: facebook/watson
Les criminels ont par ailleurs un bon argument pour justifier un prix si bas: avec les droits de douane de Trump sur les produits de l'UE, les stocks sont pleins. Il faut donc désormais brader les marchandises.
La Digital Crimes Unit (DCU) de Microsoft, en collaboration avec des partenaires internationaux, s’attaque à l’un des principaux outils utilisés pour dérober massivement des données sensibles, qu’elles soient personnelles ou professionnelles, à des fines cybercriminelles. Le mardi 13 mai, la DCU de Microsoft a engagé une action en justice contre Lumma Stealer (« Lumma »), un malware spécialisé dans le vol d’informations, largement utilisé par des centaines d’acteurs de la menace cyber. Lumma vole des mots de passe, des cartes de crédit, des comptes bancaires et des portefeuilles de cryptomonnaies. Cet outil a permis à des criminels de bloquer des établissements scolaires afin de récupérer une rançon, de vider des comptes bancaires et de perturber des services essentiels.
Grâce à une décision de justice rendue par le tribunal fédéral du district nord de la Géorgie, la Digital Crimes Unit (DCU) de Microsoft a procédé à la saisie et à la mise hors ligne d’environ 2 300 domaines malveillants, qui constituaient l’infrastructure centrale de Lumma. Parallèlement, le département de la Justice américain (DOJ) a démantelé la structure de commande principale du malware et perturbé les places de marché où l’outil était vendu à d’autres cybercriminels. Europol, via son Centre européen de lutte contre la cybercriminalité (EC3), ainsi que le Centre de lutte contre la cybercriminalité du Japon (JC3), ont contribué à la suspension de l’infrastructure locale de Lumma.
We dive into one of the most sophisticated and impactful ecosystems within the global cybercrime landscape. Our research looks at tools and techniques, specialized forums, popular services, plus a deeply ingrained culture of secrecy and collaboration.
EncryptHub, a notorious threat actor linked to breaches at 618 organizations, is believed to have reported two Windows zero-day vulnerabilities to Microsoft, revealing a conflicted figure straddling the line between cybercrime and security research.
Google Threat Intelligence Group discusses the current state of cybercrime, and why it must be considered a national security threat.
A key Russian cybercrime syndicate responsible for aiding merciless ransomware attacks around the world has been targeted by new UK sanctions.
La caisse de compensation de Swissmem a subi un piratage, avec vol de 10 % des données. L'origine des attaquants semble provenir de Russie.
In 2024, authorities took aim at ransomware gangs, malware developers, cybercriminal infrastructure and cryptocurrency thieves. Here's a look at the…
Telegram reveals that the communications platform has fulfilled 900 U.S. government requests, sharing the phone number or IP address information of 2,253 users with law enforcement.
U.K. investigators tell the story of how examining a cybercrime group's extortion funds helped to unravel a money-laundering network reaching from the illegal drug trade to Moscow's elite.
Cloudflare's 'pages.dev' and 'workers.dev' domains, used for deploying web pages and facilitating serverless computing, are being increasingly abused by cybercriminals for phishing and other malicious activities.
Italian probe reveals “gigantic and alarming market of confidential data,” prosecutors say.
Ukrainian national Mark Sokolovsky has pleaded guilty to his involvement in the Raccoon Stealer malware-as-a-service (MaaS) cybercrime operation.
The United States today unveiled sanctions and indictments against the alleged proprietor of Joker's Stash, a now-defunct cybercrime store that peddled tens of millions of payment cards stolen in some of the largest data breaches of the past decade. The…
Three men have pleaded guilty to running OTP.Agency, an online platform that provided social engineering help to obtain one-time passcodes from customers of various banks and services in the U.K.
The investigation into Telegram boss Pavel Durov that has fired a warning shot to global tech titans was started by a small cybercrime unit within the Paris prosecutor's office, led by 38-year-old Johanna Brousse.
The arrest of Durov, 39, last Saturday marks a significant shift in how some global authorities may seek to deal with tech chiefs reluctant to police illegal content on their platforms.
The arrest signalled the mettle of the J3 cybercrime unit, but the true test of its ambitions will be whether Brousse can secure a conviction based on a largely untested legal argument, lawyers said.
The deployment of ransomware remains the greatest serious and organised cybercrime threat, the largest cybersecurity threat, and also poses a risk to the UK’s national security. Ransomware attacks can have a significant impact on victims due to financial, data, and service losses, which can lead to business closure, inaccessible public services, and compromised customer data. Threat actors are typically based in overseas jurisdictions where limited cooperation makes it challenging for UK law enforcement to disrupt their activities.
