Yuriy Igorevich Rybtsov, known online as “MrICQ,” a key developer for the notorious Jabber Zeus cybercrime group, is now in U.S. custody following his extradition from Italy. Indicted in 2012, Rybtsov is accused of conspiring to steal tens of millions of dollars from American businesses through sophisticated cyberattacks.
Inside Jabber Zeus Operations
The Jabber Zeus group pioneered “man-in-the-browser” attacks, deploying a highly customized Zeus banking trojan. This malware was designed to steal banking login credentials and alert the hackers via Jabber instant message each time a victim entered a one-time passcode. Primarily targeting small to mid-sized businesses, the group would manipulate company payrolls to add “money mules” – individuals recruited through deceptive work-at-home schemes – who then forwarded stolen funds, minus their commission, to other mules in Ukraine and the United Kingdom. MrICQ’s specific responsibilities included managing incoming notifications of newly compromised victims and assisting in laundering the illicit proceeds through various electronic currency exchange services.
Advanced Tactics and Key Connections
Rybtsov’s apprehension follows that of Vyacheslav “Tank” Penchukov, the group’s Ukrainian leader, who received an 18-year prison sentence and a $73 million restitution order last year. Investigations linked Rybtsov to an address in Donetsk shared by Penchukov. Lawrence Baldwin of myNetWatchman provided crucial intelligence: having secretly gained access to the Jabber chat server used by the hackers, he enabled law enforcement to monitor their daily communications.

The Jabber Zeus trojan showcased remarkable technical sophistication, including a “Leprechaun” component that rewrote HTML to intercept multi-factor authentication passcodes, and a custom “backconnect” feature. The backconnect feature allowed the hackers to execute bank account takeovers from the victim’s own infected PC and IP address, effectively bypassing then state-of-the-art online banking security, since the session appeared to originate from the legitimate customer’s machine.

Maksim “Aqua” Yakubets, alleged leader of the notorious “Evil Corp” cybercrime ring, also interacted daily with MrICQ and Tank, facilitating the group’s money mule and cashout operations remotely from Russia.
The successful extradition and custody of MrICQ mark another significant victory in the ongoing global effort to dismantle sophisticated cybercrime networks responsible for widespread financial devastation.
Source: https://krebsonsecurity.com/2025/11/alleged-jabber-zeus-coder-mricq-in-u-s-custody/