The real break came when the creators tried to refine Conficker’s already extraordinary cryptography. Months after Mr. Rivest submitted the MD6 proposal to N.I.S.T., a flaw was discovered, corrected and resubmitted. As with the original version, this correction was known only to a very small circle of elite cryptographers. The earliest versions of Conficker had employed the original, flawed version. When Conficker C appeared, it used the corrected one.
This significantly narrowed the window during which Conficker’s creators had revisited either the M.I.T. or N.I.S.T. websites. Combing through the relatively few experts who used the websites just before Conficker C appeared, investigators found the IP address of smartsystem.com.ua — the address of a Ukrainian company that was the recipient of millions swindled by TrafficConverter.biz. It was a gotcha moment.
On July 21, 2011, an F.B.I. agent, Norm Sanders, and Francis Franze-Nakamura, an assistant United States attorney, along with Ukrainian national police arrested three Ukrainians: Sergey Kamratov, Dmytro Volokitin and Yevgen Fatyeyev. They were insouciant men in their 30s who drove multimillion-dollar black Porsches and lived in penthouse apartments. They had met in school and were partners in smartsystems.com. Their company had more than 100 employees. Each claimed to earn the equivalent of only $30,000 annually — Mr. Kamratov said he was a schoolteacher.
[If you’re online — and, well, you are — chances are someone is using your information. We’ll tell you what you can do about it. Sign up for our limited-run newsletter.]
“There was more cash than that spread out on their kitchen counters,” said Mr. Sanders.
Computers at their residences revealed direct links to smartsystem.com.ua, to TrafficConverter.biz and to the coding work and planning behind Conficker. The three were charged in Ukraine for failure to pay taxes on their illegal income, which was estimated in the tens of millions of dollars. I could not determine if they were prosecuted there, as my requests for information from Ukrainian authorities went unanswered. My suspicion is that they all were soon released and have gone back to work either for themselves or for the state. (The Swede, Mikael Sallnert, was arrested in Denmark and extradited to the United States, where he pleaded guilty in 2012 and was sentenced to 48 months in prison. The fifth man, Victor Mauze, was named in the indictment but has not been prosecuted.)
Malware in Ukraine is big business. Some e-crime companies have their own buildings in office parks, with salaried employees who show up for work every day wearing ID badges, collect health benefits and enjoy company picnics. The takedown of smartsystem.com.ua caused a significant but only temporary cessation of scareware; the criminals have moved on.
Ransomware is the new plague, and it funnels money from victims by using Bitcoin and other anonymous payment methods. Because fewer victims know how to use such payment methods, the criminals try to make up the gap by raising the ransom fees tenfold from the old credit card days.