Wednesday, May 14, 2025

Dark Customer First--Citadel and the Rise of Criminal Customer Management Systems (2012)

In early 2012, security journalist Brian Krebs reported on Citadel, a derivative built from the leaked ZeuS banking Trojan source code, and described it as something new in cybercrime. What was new was not the malware itself, which evolved incrementally from ZeuS, but the business model around it: the developers had introduced customer relationship management (CRM), a customer management system built for criminals.

Through a web-based portal called the "Citadel CRM Store," the developers offered their customers (i.e., other criminals) the following capabilities:

- Report software defects and request fixes
- Suggest new features and vote on others' suggestions
- Share development progress
- Trouble-ticket support with developers

This is exactly the kind of customer management system that legitimate software companies run, and it set Citadel apart from conventional malware in that product improvements were driven by user feedback rather than decided by the developers alone.

The basic package was priced at $2,399 plus a $125 monthly fee, and the following optional modules were sold separately:

- Automatic update feature to avoid antivirus detection ($395)
- Ability to record and transmit the infected user's screen
- Ability to extract login information from Google Chrome

Notably, the bot was built to shut itself down if the infected machine's keyboard layout was Russian or Ukrainian. This is believed to be a deliberate design choice by the developers, intended to avoid infecting victims in their home countries and thereby drawing the attention of local law enforcement.
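To make the check concrete, here is an added illustration of the generic "home keyboard layout" test. It is not Citadel's code and not code from the original post; the page does not say which API the bot used, so this re-implements the commonly used Windows approach (GetKeyboardLayoutList, then LOWORD/PRIMARYLANGID on each layout handle) as portable logic. The sample layout handle values are constructed for the example, and the name has_home_layout is this example's own.

```c
/* Generic "stop if a Russian or Ukrainian keyboard layout is installed" check.
 * Added illustration, NOT Citadel's code: the page does not state which API the
 * bot used. On Windows, GetKeyboardLayoutList() returns one HKL per installed
 * layout; the low 16 bits of an HKL are a LANGID, and the low 10 bits of a
 * LANGID are the primary language (what the PRIMARYLANGID() macro extracts). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#endif

#define PRIMARY_LANG_RUSSIAN   0x19u   /* LANGID 0x0419 */
#define PRIMARY_LANG_UKRAINIAN 0x22u   /* LANGID 0x0422 */

/* Low 16 bits of a layout handle value = LANGID (same as LOWORD(hkl)). */
static uint16_t layout_langid(uintptr_t hkl) { return (uint16_t)(hkl & 0xFFFFu); }

/* Low 10 bits of a LANGID = primary language (same as PRIMARYLANGID(langid)). */
static unsigned primary_lang(uint16_t langid) { return langid & 0x3FFu; }

/* Returns 1 if any installed layout is Russian or Ukrainian, else 0.
 * Takes raw handle values so the logic can be exercised on any platform. */
int has_home_layout(const uintptr_t *layouts, size_t count) {
    for (size_t i = 0; i < count; i++) {
        unsigned p = primary_lang(layout_langid(layouts[i]));
        if (p == PRIMARY_LANG_RUSSIAN || p == PRIMARY_LANG_UKRAINIAN)
            return 1;
    }
    return 0;
}

/* Constructed sample: US English, German, and a Ukrainian layout whose high
 * word carries a layout variant (the low word is still the language ID). */
static const uintptr_t SAMPLE_LAYOUTS[] = { 0x04090409u, 0x04070407u, 0xF0010422u };
#define SAMPLE_COUNT (sizeof SAMPLE_LAYOUTS / sizeof SAMPLE_LAYOUTS[0])

/* Runs the check over the constructed sample (used by the stand-alone main). */
int sample_has_home_layout(void) {
    return has_home_layout(SAMPLE_LAYOUTS, SAMPLE_COUNT);
}

/* On Windows, query the live layout list; elsewhere, fall back to the sample. */
int host_has_home_layout(void) {
#ifdef _WIN32
    HKL list[64];
    int n = GetKeyboardLayoutList(64, list);   /* returns number of handles filled */
    uintptr_t vals[64];
    for (int i = 0; i < n && i < 64; i++) vals[i] = (uintptr_t)list[i];
    return has_home_layout(vals, (size_t)(n < 0 ? 0 : n));
#else
    return sample_has_home_layout();
#endif
}

int main(void) {
    if (host_has_home_layout())
        printf("home layout present: a bot with this check would exit here\n");
    else
        printf("no Russian/Ukrainian layout: a bot with this check would proceed\n");
    return 0;
}
```

Two practitioner notes. First, this is why some sandboxes and hardened hosts install a Russian or Ukrainian layout as an "inoculation": the check looks only at installed layouts, not at the user's actual typing. Second, the check is cheap for the attacker to vary (other families look at the user-interface language or the system locale instead), so treating an extra layout as protection rather than as a minor nuisance for one malware family would be a mistake.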

This emphasis on customer interaction dramatically improved the quality and scalability of the malware, but it also backfired. The CRM portal kept visible records of user activity and feature requests, and that paper trail gave investigators material to work with; the Citadel investigation led to the prosecution in the United States of one of its primary developers, Mark Vartanian (aka "Kolypto"), who was extradited from Norway and pleaded guilty in 2017.

The case showed that customer management systems, formal or informal, are powerful tools for running a business, and brought home the sobering corollary that they serve a criminal business just as well. Citadel was not merely malware but a "dark SaaS" (software as a service) rented out to many criminals.

Customer management for crime was also a symbol of how modern cybercrime had evolved beyond mere disruptive activity into an organized, economically rational business model.
