Citadel’s Steward Banned from Underground Venues

By Limor Kessem

Those following deep-web cybercrime communities know, and have borne witness to, the fate of black hat developers who take on the creation of commercial banking Trojans.

Starting with Zeus’ creator “Slavik” and SpyEye’s “Gribodeamon,” developers work overtime to get on the fast track to 6-figure salaries and underground fame. On the way there, they realize they are the glue that keeps the operation together – listening to customers, ensuring product quality, marketing, sales, tech support and keeping appearances in cybercrime forums, where their target audience awaits.  It can be a daunting job for even the most ambitious developer and if history is any indicator, there comes a time for each of these so-called “stars” to burn out and clear the stage for the next big thing. Now, the biggest player ever seen in the Trojan development arena – Citadel’s “Aquabox,” seems to be arriving at the same fate.

A quick retrospect into Citadel’s early fade-out signs leads to July 2012, at which time RSA blogged about the team’s intention to suspend sales of the Citadel Trojan kit to anyone that was outside their existing circle (and only sell to those vouched-for by existing customers).

Over the past several weeks, RSA has been noticing more signs of the gradual withdrawal of the Citadel Trojan kit from the forums it has been sold on thus far. One example is a recent incident between Aquabox and one of his buyers – who accused Aquabox of becoming corrupt by all the money Citadel has been earning him. The case was publicly exposed on the board and ended in the banning of Aquabox from one of the largest online crime communities Citadel was ever part of. Aquabox did not even care to retort.

The recent accusations against Aquabox are only one of many hints that confirm the very imminent withdrawal of the Citadel Trojan, as its developers change their business model from offering it as commercially-available crimeware to a much more selective and privatized operation.

Why would the Citadel developers wish to go private? There could be a few very logical reasons behind the decision:

  • The more readily available Citadel is, the more likely it is that law enforcement will focus attention on their team.
  • With so many customers, technical support has been weighing heavy on the team’s staff.
  • The team, who started out as cybercriminals, may wish to go back to focusing on their crime endeavors, relying on fraud, CRM users’ monthly payments and referrals.

What will this mean to banks and Trojan-enabled fraud? Citadel being taken deeper underground will likely mean a smaller, less “public” deployment of this Trojan, which could in turn result in the proliferation of Citadel variants becoming stabilized. It may also mean that in the long run detection rates (by AV engines) will gradually drop due to more limited sampling opportunities.

Although the Citadel developers are not as interested in new buyers today, the team may still return to cybercrime forums or devise another business model in an effort to return with more news in the future.


Limor Kessem is one of the top Cyber Intelligence experts in RSA, The Security Division of EMC. She is the driving force behind the cutting-edge RSA FraudAction Research Lab blog Speaking of Security. Outside of work you can find Limor dancing salsa, reading science fiction or tweeting security items on her Twitter feed @iCyberFighter.

No Comments