A Ukrainian man pleaded guilty in federal court for his leadership role in two cyberattack schemes that caused tens of millions of dollars in losses and temporarily crippled a Vermont hospital in 2020, said the Justice Department. Prosecutors said that Vyacheslav Igorevich Penchukov, 37, was a leader for an organization that in May 2009 began to infect thousands of computers at corporations with malicious software, and that he helped lead a separate malware scheme that began around November 2018. Mr. Penchukov, of Donetsk, pleaded guilty in the U.S. District Court in Nebraska to one count of conspiracy to commit an offense that violated the Racketeer Influenced and Corrupt Organizations Act and one count of conspiracy to commit wire fraud, and was arrested in Switzerland in 2022 and was extradited to the United States in 2023. The Justice Department accused Mr. Penchukov of leading “a wide-ranging racketeering enterprise and conspiracy” that installed malicious software called Zeus onto thousands of business computers, ultimately causing millions of dollars in losses. Mr. Penchukov and other members of the enterprise then portrayed themselves as employees of the corporations who were authorized to transfer money from the accounts they targeted. The money was deposited into the accounts of residents of the United States and other countries who were known as “money mules,” and those people then sent it to overseas accounts that were run by Mr. Penchukov and other members of the enterprise, according to the Justice Department. Mr. Penchukov was also charged for these offenses in 2012 while he was still at large, according to an indictment that was unsealed in 2014. Furthermore, Mr. Penchukov pleaded guilty to his leadership role in the separate malware scheme that ran from at least November 2018 to February 2021, which involved installing malware on computers to collect personal information from victims, including bank account credentials, and the data was used to steal from them. The targets of these ransomware attacks included the University of Vermont Medical Center, which lost over $30 million, and whose services were impacted for over two weeks. In September 2023, the medical center’s president, Dr. Stephen Leffler, testified in the House of Representatives, and said that the hospital did not have access to electronic medical records for 28 days because of the attack. Mr. Penchukov faces up to 20 years in prison for each count, and his sentencing is scheduled for May 9.
