The photograph that accompanies this article could have been taken anywhere. It shows a DJ of questionable fashion sense engrossed in spinning on Pioneer turntables in what appears to be a small or decently sized club. It could be any club anywhere in the world where local DJs are playing records and people are having a good time.
But if Interpol is correct you are looking at one of the most wanted men in the world.
His name is Vyacheslav Penchukov, and he is a DJ with a side hustle in hacking from the eastern part of Ukraine. For most of the last decade, he was known for a flashy, extravagant lifestyle centered in a smallish, industrial city called Donetsk. His careers (both of them) are wound up in the violent history of the city; Donetsk is the capital of one of the two self-declared “republics” that broke away from Ukraine under Russian auspices in 2014. Both also recently voted to join Russia in a plebiscite unrecognized by every sane country in the world.
Investigators have trailed Penchukov through Donetsk over the years, following him as he raced from club to club, rave to rave. Sometimes he was there to party, but much of the time it was to play as a DJ who called himself “Slava Rich.”
Many DJs play for the love. Penchukov also kept it very pure: he never quit his day job. Penchukov had another alias he used in his second line of work. Online they called him “Tank.” To be fair, “Tank” would have made a better DJ name than “Slava Rich.” But this one he reserved for activities associated with robbing a small businessman in Seattle, stealing from a Catholic diocese in Chicago and even raiding the bank account belonging to a group of nuns. “Slava Rich” was a big fish in a small pond, a cultural backwater dominated by arms traffickers and Kremlin button men. Online, however, “Tank” was a pretty big deal.
As you might expect in the world of dark networks and cybercrime, little is known about how Vyacheslav Penchukov became “Tank” (or, indeed, “Slava Rich.”) In Goodfellas, Henry Hill says the only documentation that he ever lived was his birth certificate and his rap sheet. Penchukov has an arrest warrant, a few exposés written by troublesome investigators and the ambitious DJ’s constant companion: an online EPK.
To hear the investigators tell it, Tank was at the hub of one of the most pernicious online hacking operations in the world. Their primary form of lockpicking was malware, in particular an infamous malware kit that security experts dubbed “Zeus.” Avast estimates that millions of Windows computers have been infected by Zeus since it was first detected in 2007. The trojan is known for a wide variety of attacks, including keystroke logging and password theft via “man-in-the-middle” attacks. It can also add the infected PC to its controller’s botnet, in which the infected PC is used, zombie-like, to attack others.
Penchukov didn’t write Zeus, but he ultimately became best known for exploiting the malware by assembling a hacking crew that would blend together what MIT Technology Review, in an overview of a botched raid to capture its CEO/Godfather, described as the “nimble smarts of tech startups and the callousness of organized crime.”
Penchukov’s strain of Zeus was used to drain targets’ bank accounts and then siphon the money to Ukraine using “money mules” — typically people with bank accounts located in the victim’s country of origin, who would deduct a fee and then pass on the rest of the loot to their boss in Russia or Ukraine. Penchukov’s malware also integrated a tool that utilized an instant messaging protocol called Jabber to immediately alert Tank’s crew that a new fish had been hooked. Combining the names of the two technologies, the FBI would dub Penchukov’s group “JabberZeus.”
Penchukov “would always be the first person to receive alerts” from systems infected by their malware payload, according to Jason Passwaters, a former FBI contractor. “Somebody would get popped, and it would be a particularly juicy one. He’d be the first to go into the bank account, say ‘We’ve got a good one,’ and then he’d pass it along to others to do the more manual work.”
Penchukov’s crew was said to have stolen tens of millions of dollars from small to mid-sized businesses across the United States and Europe, according to Brian Krebs. Krebs first began tracking Penchukov and JabberZeus fourteen years ago when he was writing for the Washington Post. He gained access to the group’s private chats (using Jabber, of course) while mapping the cybercrime crew’s exploits. “Each day for several years my morning routine went as follows,” Krebs wrote. “Make a pot of coffee; shuffle over to the computer and view the messages Tank and his co-conspirators had sent to their money mules over the previous 12-24 hours; look up the victim company names in Google; pick up the phone to warn each that they were in the process of being robbed by the Russian Cyber Mob.”
In 2010, the FBI announced “Operation Trident Breach” which targeted a “large-scale, international organized cybercrime operation.” The operation partnered with law enforcement from the Netherlands, Ukraine and the United Kingdom.
What wasn’t known at the time was that Operation Trident Breach had three top targets in Ukraine. Tank was one of them. It turns out that he’s been on the FBI’s radar for a long time.
US agents traveled to Donetsk itself to provide aid in rolling up on Penchukov and his associates. His night crawling, they thought, would make him an easy target. Penchukov stuck out like a sore thumb in the drabness of pre-war Donetsk. He would race from club to club, pursuing what Technology Review dubbed his “very public side hustle” as DJ Slava Rich.
Penchukov may have left his criminal persona behind when he left his day job but being “Slava Rich” was a major security risk. DJs, by their nature, are easy to find. You always know where a DJ is going to be. You just have to look for their name on a flyer.
Security experts who eavesdrop on chatter claim that despite their bravado, cybercriminals often fear US agents because of America’s harsh sentencing guidelines for computer-related crimes. Penchukov was supposedly afraid of them too. But Slava Rich had his gigs. Ukrainian agents put their American visitors on ice as they trailed Penchukov from his apartment to the nightclubs to his gigs at “sweaty midnight raves drenched in neon lights.”
After days trailing Penchukov, the Ukrainian agents told their American counterparts that they lost their prey. The latter suspected corruption — that the DJ/cybercrime don was being protected by Ukrainian officials connected to ex-president Viktor Yanukovych and, ultimately, to Putin’s regime in Moscow. Five associates of Penchukov’s who had fallen into the dragnet were also later released. After Russia’s invasion of Eastern Ukraine four years later, one of the officers spearheading the raids on Tank defected to the Russian side and became a prominent leader in the Donetsk People’s Republic.
“It came down to D-Day,” one of the American agents in Donetsk later said, “and we got ghosted.”
In the end, the FBI trumpeted the rather minor figures and money mules who had been arrested, and later unsealed the secret indictments against Penchukov and his cohorts in Donetsk. And that’s where it stood until last month. Brian Krebs posted his first update on the case in years with the news, leaked by confidential sources who claimed that Tank was in custody. Penchukov, Krebs alleged, was arrested in Switzerland. Alexander Martin, UK Editor for The Record, received confirmation from the Swiss Federal Office of Justice that Penchukov was arrested in Geneva in late October and the Office of Justice had granted a US request for extradition, pending a Penchukov appeal.
Agents, investigators and reporters have implied that Penchukov’s DJ career was a “side hustle.” If they had been DJs, they’d know that it’s likely the other way around. After shaking through my correspondents, just before going to press I heard back from a friend-of-a-reader based in Ukraine who had experience up close with one Slava Rich. Translated by our go-between, the Donetsk-based clubber (who asked for anonymity to talk freely about the gangsters that rule his neighborhood) said that he had known Penchukov “before he was someone that people were looking for. He lived a life of excess, before anyone was looking for him. He and his club friends once sent a writer to Donetsk to write a scene profile. He believed, really believed, he would be a well-known DJ.” He later heard that Penchukov would try to do the same sort of publicity-by-proxy in Kyiv.
This makes sense. Not for the first time will I quote Harold Heath’s memoir Long Relationships. He describes the mental gymnastics probably most DJs with a day job go through. They consider the gig that pays their bills a “lark” that merely enables them to trudge off to the low-paying DJ gigs that constitute their “real” career.
“DJs can manage for years without a decent gig and still describe themselves or think of themselves as DJs,” Heath observes. “It’s something else, like a scar on your memories, a fold in your recollections that will always be there. Deep down, a DJ never truly retires.”
Others see a criminal with an interesting hobby. I don’t see it that way. I see in Penchukov a DJ who had to find a day job to support his “real career.” And it turned out that he had a gift for it. Like many DJs, he was very, very good at being very, very awful.
Lead Photo: Vyacheslav Penchukov, aka DJ Slava Rich checks the levels. From V Kontakte.