Ukrainian Yuriy Rybtsov, aka MrICQ, a suspected Jabber Zeus developer, was extradited from Italy to the US to face cybercrime charges.
Ukrainian national Yuriy Igorevich Rybtsov (41), aka MrICQ, an alleged Jabber Zeus developer, was arrested in Italy, lost his extradition appeal, and has been sent to the US to face cybercrime charges.
After a decade-long global manhunt, “MrICQ” is now in a Nebraska prison awaiting trial. The 2012 DOJ indictment named him “John Doe #3.”
“The 2012 indictment targeting the Jabber Zeus crew named MrICQ as “John Doe #3,” and said this person handled incoming notifications of newly compromised victims. The Department of Justice (DOJ) said MrICQ also helped the group launder the proceeds of their heists through electronic currency exchange services.” reported Brian Krebs. “Two sources familiar with the Jabber Zeus investigation said Rybtsov was arrested in Italy, although the exact date and circumstances of his arrest remain unclear. A summary of recent decisions (PDF) published by the Italian Supreme Court states that in April 2025, Rybtsov lost a final appeal to avoid extradition to the United States.”
Jabber Zeus, a variant of the Zeus banking Trojan, acted as a full cybercrime ecosystem. Its standout feature, called Leprechaun, was a real-time Jabber alert system: whenever a victim entered a one-time password (OTP) on a fake banking page, operators were instantly notified.
The Jabber Zeus group targeted small to mid-sized businesses using the Zeus banking trojan to steal credentials. The crew used the malware to capture account numbers, passwords, PINs, and other sensitive data. They then used social engineering and the stolen info to make fraudulent transfers to U.S. bank accounts controlled by money mules.
The Jabber Zeus gang stole millions from victims’ accounts, using money mules to withdraw or transfer funds overseas, defrauding banks including Bank of America, KeyBank, and others.
Rybtsov arrived in Nebraska on October 9 under an FBI warrant. He shared a Donetsk building with Jabber Zeus leader Vyacheslav “Tank” Penchukov, who was arrested in 2022 and sentenced to 18 years plus $73M restitution.
Other Jabber Zeus members include Maksim Yakubets, who later founded the cybercrime group Evil Corp, which shifted from using the Dridex trojan to launching ransomware attacks.
Pierluigi Paganini
(SecurityAffairs – hacking, Jabber Zeus)
