ATLANTA — An Algerian man pleaded not guilty Friday to helping develop and market a computer program that drained millions of dollars from bank accounts around the world. A 23-count federal indictment charges Hamza Bendelladj, 24, with wire fraud, bank fraud, computer fraud and conspiracy. He was extradited from Thailand. It was unclear if he has a lawyer. Bendelladj is accused of being involved in a conspiracy to develop and sell SpyEye. The program is a banking Trojan, which was implanted onto computers to harvest financial information and drain bank accounts. Authorities said the malware impacted 253 financial institutions and is responsible for untold amounts of financial theft. “We're talking millions,” US Attorney Sally Yates said. “We don't have the precise number quantified at this point.” Investigators say SpyEye is still active, and authorities are trying to track down computer hackers who are still using the virus. Although authorities say he never set foot on US soil, Bendelladj is accused of leasing a virtual server from an unidentified Internet company in Atlanta to control computers that were impacted by SpyEye. The company was unaware the man was allegedly using the server for illegal purposes, Yates said. A second person is named in the indictment but hasn't been identified. Investigators could not disclose whether the person was in the US or abroad. Trojans such as SpyEye can be profitable for cybercriminals. A small group of hackers in Eastern Europe arrested in 2010 was able to steal about $70 million from companies, municipalities and churches in Europe and the US SpyEye was designed to automatically steal sensitive information — such as bank account credentials, credit card information, passwords and PIN numbers — after being implanted in victims' computers. After the program took control of a computer, it allowed hackers to use a number of covert techniques to trick victims into giving up their personal information — including data grabbing and presenting victims with a fake bank account page. The information was then relayed to a command and control server, which was used to access bank accounts. Bendelladj was indicted in December 2011 and was on a trip from Malaysia to Egypt when he was arrested during a layover at an airport in Bangkok on Jan. 5. Police seized two laptops, a tablet computer, a satellite phone and external hard drives. “The federal indictment and extradition of Bendelladj should send a very clear message to those international cybercriminals who feel safe behind their computers in foreign lands that they are, in fact, within reach,” Mark F. Giuliano of the FBI's Atlanta field office said in a news release. If convicted, Bendelladj faces up to 30 years in prison for conspiracy to commit wire and bank fraud, and up to five years for conspiracy to commit computer fraud. The 21 counts of wire and computer fraud carry maximum sentences of between five and 20 years each. He may also be fined up to $14 million. Bendelladj and others allegedly developed and sold various versions of SpyEye and its components on the Internet between 2009 and 2011. Cybercriminals were able to customize their purchases to choose specific methods of gathering personal information from victims. — AP
