The Swedish mastermind behind malicious software that was used to steal payment card data and passwords from thousands of computers pleaded guilty in a U.S. federal court on Wednesday (Feb. 18), Bloomberg News reported.
Alex Yucel, who co-created and sold the malware known as Blackshades, told U.S. District Court Judge P. Kevin Castel that he “aided and abetted others by knowingly transmitting a program, Blackshades, which caused damage to a computer over the Internet without authorization.” He faces up to 10 years in prison when he is sentenced in May.
While 24-year-old Yucel pleaded guilty to a single count of hacking as part of a plea agreement, the Blackshades program was actually used to infect more than 500,000 computers. Prosecutors said Yucel ran a sales organization that included a marketing director and customer service reps, generating sales of more than $350,000 by April 2014. The following month, a sweep by U.S. and European authorities shut down the Blackshades operation and arrested about 90 people.
The $40 program included a keylogger that, once a computer was infected, allowed a hacker to capture payment card information as it was entered at e-commerce websites. The Blackshades remote-access tool also let a cyberthief look through files on an infected machine, spy on users through the computer’s webcam, encrypt victims’ computer files and then demand ransom to unlock them, and infect other computers through instant messages or social website links.
The ability of would-be cyberthieves to watch e-commerce customers type in payment card information is part of the reason for the current push by Visa and MasterCard to convert e-commerce sites to tokenization. While Apple Pay already is designed to use tokens for all transactions, the two biggest U.S. card brands have also said they want to dramatically expand use of tokens beyond Apple’s mobile payments system.
Visa announced last week that it will push for tokenization beginning with several large e-commerce retailers this spring. MasterCard said last August that it would be charging a new set of fees for token use, but that may not last long in the face of increased political pressure to secure payment-card transactions.