After the largest cybercrime bust of all time, experts say that Spain’s laws may end up setting the three men responsible free. Worse so, while the three ringleaders of the scam are in custody, the mastermind of the software in question still remains unknown.
The three (so far not officially named publicly as they haven’t yet been charged for a crime) were responsible for building the “Mariposa Botnet,” a network of over 12 million compromised PC’s around the world, used for identity theft and spamming. The trio stole from private bank accounts, especially from Canadian and American users, but the worst damage was from the theft of sensitive data. With an unprecedented 800,000 plus victims, from among home users, corporations, government agencies and universities, from 190 nations, the Mariposa Botnet is the most notorious identity theft in the history of the Internet, dwarfing the 4000 to 6000 botnets currently operating on the Internet.
Spain is a signatory to the Council of Europe’s cybercrime treaty, but has not yet ratified new legislation to bring the nation inline with the treaty’s goals.
Deputy head of the technology crime division of the Spanish Civil Guard Captain Cesar Lorenzana, told krebsonsecurity.com, “It is almost impossible to be sent to prison for these kinds of crimes in Spain, where prison is mainly for serious crime cases. In Spain, it is not a crime to own and operate a botnet or distribute malware. So even if we manage to prove they are using a botnet, we will need to prove they also were stealing identities and other things, and that is where our lines of investigation are focusing right now.”
Juan Salon of the Spanish Civil Guard's cybercrime unit told the Associated Press that the three arrested men were administrators of the botnet, but did not create the software. He added that the investigation is now focusing on a fourth suspect from Venezuela.
"We have not arrested the creator of the botnet,” he explained. We have arrested the administrators of the botnet, the ones who spread it and were administering and controlling it.”
Panda Security CEO Juan Santana said that a conviction of any kind is unlikely.
“I don’t think these guys will go to jail, especially if it is the first time they have committed a crime,” Santana told krebsonsecurity.com. “The government needs to pass laws that are enforceable and enforced afterward. In the vast majority of countries, malicious hackers do not fear that if they do get caught that they will go to jail, because the benefit for them is far higher than the risk right now.”
