Notorious hospital cybervillain acknowledges guilt, heads to prison

An international cybercrime mastermind who compiled a long resumé of remote break-ins—including a hit that cost a major U.S. medical center $30 million—has pled guilty to two counts of conspiracy.

Vyacheslav Igorevich Penchukov, a Ukrainian national who went by the handle “Tank” online, was indicted on the twin counts in Nebraska Feb. 15, according to the U.S. Department of Justice.

Penchukov, who also used an alias surname, Andreev, seems to have hit his stride around 2009. That year, he led a racketeering enterprise that unleashed the infamous malware known as “Zeus.” With this, Penchukov and co-conspirators snaked their way into victims’ online bank accounts, pocketing millions.

Even after being placed on the FBI’s Cyber Most Wanted list, Penchukov continued to lead wide-ranging cybercrime activities for years.

One of the most damaging of these came in 2020, when Penchukov and fellow criminals targeted and breached internal networks at the 620-bed University of Vermont Medical Center. The attack, a ransomware ambush, forced the hospital’s EMR offline for 28 days and hindered numerous service lines during the height of the COVID pandemic.

The attack ended up costing the institution between $30 million and $65 million. (News accounts vary between those two amounts.)

The law caught up with Penchukov in 2022, when he was arrested in Switzerland. Officials there extradited him to the U.S. in 2023.

DOJ says the counts to which he pleaded guilty last week were:

  • conspiracy to commit a racketeer influenced and corrupt organizations (RICO) act offense for his leadership role in the “Zeus” enterprise, and
  • conspiracy to commit wire fraud for his leadership role in a group whose main malware product was a sophisticated cyberweapon called IcedID.

Penchukov faces a maximum of 20 years in prison for each of these counts.

“The Justice Department and FBI Cyber Squad won’t quit coming for the world’s most wanted cybercriminals, no matter where they are in the world,” says U.S. Attorney Michael Easley of the Eastern District of North Carolina, which had a hand in the prosecution and plea negotiation.

Easley adds:

“This operation removed a key player from one of the world’s most notorious cybercriminal rings. Extradition is real. Anyone who infects American computers had better be prepared to answer to an American judge.”

DOJ says Penchukov is scheduled to be sentenced May 9.

Dave Pearson

Dave P. has worked in journalism, marketing and public relations for more than 30 years, frequently concentrating on hospitals, healthcare technology and Catholic communications. He has also specialized in fundraising communications, ghostwriting for CEOs of local, national and global charities, nonprofits and foundations.

Around the web

California-based Acutus Medical has said its ongoing agreement to manufacture and distribute left-heart access devices for Medtronic is the company's only source of revenue. 

The scam took place over a period of seven years, resulting in Medicare being billed for more than $70 million in fraudulent claims for unnecessary scans. 

Compensation for heart specialists continues to climb. What does this say about cardiology as a whole? Could private equity's rising influence bring about change? We spoke to MedAxiom CEO Jerry Blackwell, MD, MBA, a veteran cardiologist himself, to learn more.