📊 LOWnews

Jabber Zeus 'MrICQ' - Alleged Coder in U.S. Custody

Yuriy Igorevich Rybtsov—known online as 'MrICQ'—is now in U.S. custody after extradition from Italy, KrebsOnSecurity reports. Rybtsov is linked to the Jabber Zeus crew, a pioneering banking trojan gang that stole tens of millions from U.S. businesses through man-in-the-browser attacks and payroll-diversion schemes.

What's fascinating: the gang worked directly with Evgeniy Bogachev, the original Zeus author (still on the FBI's Most Wanted list with a $3M reward), to build a custom version that sent a Jabber instant message every time a victim entered a one-time passcode. Their innovation—codenamed 'Leprechaun'—singled out high-value commercial accounts protected by two-factor authentication, knowing those targets held far more money. The crew would modify victim company payrolls to add dozens of money mules recruited through work-at-home scams, who would forward the stolen deposits on to Ukraine and the UK.

What's clever: Jabber Zeus included a 'backconnect' component that let attackers relay their fraudulent banking sessions through the victim's own infected PC, so the bank saw connections coming from the victim's IP address and a fully emulated copy of the victim's device. Lawrence Baldwin's myNetWatchman secretly gained access to the gang's Jabber chat server and eavesdropped on its daily conversations, providing the basis for dozens of stories about small businesses fighting their banks over six- and seven-figure losses.

The government says the real Jabber Zeus leader was Maksim Yakubets ('Aqua'), who later emerged as head of Evil Corp and developed the Dridex trojan that siphoned $100M+ from victim companies. Rybtsov worked in the same Donetsk building as crew leader Vyacheslav 'Tank' Penchukov, who was sentenced to 18 years in 2024. This arrest demonstrates sustained law enforcement pressure on financial malware operators, more than a decade after their campaigns.

🎯 CORTEX Protocol Intelligence Assessment

Business Impact: Demonstrates sustained law enforcement pressure on financial malware operators and associated money mule networks.

Defensive Priority: Maintain layered controls for credential theft and session hijacking, including MFA hardening and transaction monitoring.

Industry Implications: Historical Zeus tradecraft persists in contemporary banking malware, necessitating continuous anti-fraud tuning.

Strategic Intelligence Guidance

  • Sustain phishing-resistant MFA and modern session protection on financial and payroll systems
  • Enhance anomaly detection for payroll modifications, beneficiary changes, and after-hours transfers
  • Coordinate with banks on out-of-band payment verification for high-risk transactions
  • Educate finance teams about mule recruitment patterns and BEC-style pretexting
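As an added illustration of the second guidance point (not part of the original brief or the Krebs article), this Python sketch applies three detection rules to constructed payroll audit records: after-hours changes, a burst of new payees from one session (the mule-injection pattern described above), and one bank account receiving deposits for several employees. Record layout, thresholds and the business-hours window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample payroll audit records (not real data). One session adds a
# burst of new direct-deposit payees at 02:00, and one account is reused for two
# employees; both patterns echo the payroll-diversion scheme described above.
EVENTS = [
    ("2025-11-03 09:12:00", "s1", "add_payee", "emp-017", "ACC-1001"),
    ("2025-11-03 02:14:00", "s2", "add_payee", "emp-900", "ACC-9001"),
    ("2025-11-03 02:15:00", "s2", "add_payee", "emp-901", "ACC-9002"),
    ("2025-11-03 02:16:00", "s2", "add_payee", "emp-902", "ACC-9003"),
    ("2025-11-03 14:30:00", "s3", "change_account", "emp-017", "ACC-9001"),
]

BUSINESS_HOURS = (8, 18)          # assumed local working window, hour of day
BURST_THRESHOLD = 3               # assumed: add_payee events per session that trip rule 2
BURST_WINDOW = timedelta(minutes=30)


def detect_payroll_anomalies(events):
    """Return a list of (rule, session, detail) alerts over payroll audit rows."""
    alerts = []
    adds_by_session = defaultdict(list)
    employees_by_account = defaultdict(set)
    for ts_str, session, action, employee, account in events:
        ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")
        # Rule 1: any payee or account change outside business hours.
        if not BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]:
            alerts.append(("after_hours", session, account))
        if action == "add_payee":
            adds_by_session[session].append(ts)
        employees_by_account[account].add(employee)
    # Rule 2: a burst of new payees from one session (mule-injection pattern).
    for session, stamps in adds_by_session.items():
        stamps.sort()
        for i, start in enumerate(stamps):
            run = sum(1 for t in stamps[i:] if t - start <= BURST_WINDOW)
            if run >= BURST_THRESHOLD:
                alerts.append(("payee_burst", session, run))
                break
    # Rule 3: one bank account receiving deposits for several employees.
    for account, emps in employees_by_account.items():
        if len(emps) > 1:
            alerts.append(("shared_account", None, account))
    return alerts


if __name__ == "__main__":
    for alert in detect_payroll_anomalies(EVENTS):
        print(alert)
```

In production these rules would run against the payroll system's change log or an HR audit feed, with the thresholds tuned to the organisation's normal onboarding volume.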

Threats

  • Jabber Zeus
  • banking trojan
  • credential theft

Targets

  • Financial services
  • SMBs
  • Payroll systems

Intelligence Source: Jabber Zeus 'MrICQ' - Alleged Coder in U.S. Custody | Nov 3, 2025