In early 2017, computer security experts noticed a particularly malicious and nearly undetectable strain of malware infecting computers across America, specifically Macs. Dubbed "Fruitfly," the malware collected keystrokes and spied on users' screens, webcams and microphones.
"The only reason I can think of that this malware hasn’t been spotted before now is that it is being used in very tightly targeted attacks, limiting its exposure," Thomas Reed, a MalwareBytes researcher, wrote in January.
A more advanced version, dubbed "Fruitfly 2.0" hit the news by summer.
Patrick Wardle, a researcher at Synack, a cybersecurity firm, found 400 computers infected with the malware but said there were likely far more victims than that. And while it was only recently discovered, it had been in existence for awhile — at least before 2014, part of its code indicated it had been modified for the Mac Yosemite operating system, which was released that year. Experts called it unlike anything they'd ever seen, and it was universally described as creepy.
"This didn’t look like cybercrime type behavior, there were no ads, no keyloggers, or ransomware," Wardle told Forbes. "Its features had looked like they were actions that would support interactivity: it had the ability to alert the attacker when users were active on the computer, it could simulate mouse clicks and keyboard events."
Because of the limited, targeted attacks, (largely, he said at the time, home users and biomedical research institutions) as well as some aspects of the code, Wardle hypothesized that the malware wasn't some state-sponsored cyber attack nor a means to financial profit.
"I don't know if it's just some bored person or someone with perverse goals," he told Ars Technica. "If some bored teenager is spying on me, that would still be very emotionally traumatic. If it's turning on the webcam, that's for perverse reasons."
Today, a 28-year-old North Royalton man named Phillip R. Durachinsky was federally indicted on 16 counts for creating malware — specifically Fruitfly — which he used to infect computers, steal identities, log keystrokes, turn on webcams and microphones to spy on users, and produce child pornography, among other things, all over the course of 13 years.
According to court filings, he was arrested in January 2017 after a hack of the Case Western Reserve University's computer system. He's been in custody since.
More from the news release from the U.S. District Attorney's office:
According to the indictment, Durachinsky is alleged from 2003 through Jan. 20, 2017, to have orchestrated a scheme to access thousands of protected computers owned by individuals, companies, schools, a police department, and the government, including one owned by a subsidiary of the U.S. Department of Energy. He is alleged to have developed computer malware later named “Fruitfly” that he installed on computers and that enabled him to control each computer by accessing stored data, uploading files, taking and downloading screenshots, logging a user’s keystrokes, and turning on the camera and microphone to surreptitiously record images and audio.
As alleged in the indictment, Durachinsky used the malware to steal the personal data of victims, including their logon credentials, tax records, medical records, photographs, banking records, Internet searches, and potentially embarrassing communications. According to the indictment, Durachinsky used stolen logon credentials to access and download information from third-party websites.
Durachinsky is further alleged to have watched and listened to victims without their knowledge or permission and intercepted oral communications taking place in the room where the infected computer was located. In some cases, the malware alerted Durachinsky if a user typed words associated with pornography. According to the indictment, Durachinsky saved millions of images and often kept detailed notes of what he saw.
“For more than 13 years, Phillip Durachinsky allegedly infected with malware the computers of thousands of Americans and stole their most personal data and communications,” said Acting Assistant Attorney General Cronan. “This case is an example of the Justice Department’s continued efforts to hold accountable cybercriminals who invade the privacy of others and exploit technology for their own ends.”
“This defendant is alleged to have spent more than a decade spying on people across the country and accessing their personal information,” said First Assistant U.S. Attorney Sierleja.
“Durachinsky is alleged to have utilized his sophisticated cyber skills with ill intent, compromising numerous systems and individual computers,” said Special Agent in Charge Anthony. “The FBI would like to commend the compromised entities that brought this to the attention of law enforcement authorities. It is this kind of collaboration that has enabled authorities to bring this cyber hacker to justice.”