Australian police charge man with developing spyware used by more than 14,500 people

An Australian man faces up to 20 years in prison for allegedly creating and distributing spyware that became the subject of a global law enforcement operation.

The 24-year-old man, who has not been named by authorities, was arrested by Australian Federal Police (AFP) and appeared in a Brisbane court Friday where he was charged with six counts related to computer offenses. He is accused of creating the Imminent Monitor remote access Trojan (RAT) when he was 15, which authorities say was sold to more than 14,500 individuals across 128 countries.

According to the AFP, Imminent Monitor was a cheap but powerful spyware tool that could be used to log keystrokes and take over a victim’s PC.

“Once the RAT was installed on a victim’s computer, users could control a victim’s computer; steal their personal information or spy on them by turning on webcams and microphones on devices – all without their knowledge,” the AFP said.

The tool was sold for about $25 and was advertised on hacking forums. It’s estimated that the creator made between $300,000 and $400,000 from selling the malware between 2013 and 2019, when it was taken down as part of a coordinated law enforcement campaign.

“Operation Cepheus”

According to the AFP, Imminent Monitor “sparked a global law enforcement operation” called Operation Cepheus that included more than a dozen European law enforcement agencies and the FBI.

Law enforcement authorities carried out 85 search warrants globally, seizing 434 devices and arresting 13 people who used the RAT for criminal means.

Australian police said they were made aware of Imminent Monitor in 2017 by the FBI and researchers at Palo Alto Networks, which noticed “a definite preference for Australian hosting” while examining the RAT.

The AFP said it subsequently identified more than 200 individuals in Australia who bought the spyware, 14% of whom were issued court orders related to domestic violence. They have also identified 44 victims in the country.

Imminent Monitor could be installed on a victim’s device in a number of ways, including phishing.

“We most often observe RATs employed illicitly by financially-motivated actors, or for data theft… It’s unlikely a coincidence that such a tool might be employed against Intimate Partner Violence victims,” Palo Alto researchers said in a write-up following the arrest.

Although the AFP didn’t identify the arrested individual, it said authorities conducted two search warrants in 2019 at the man’s home, which at the time was in Brisbane. 

“Investigators seized a number of devices including a custom-built computer containing code consistent with the development and use of the RAT,” the AFP said.

“These types of malware are so nefarious because [they] can provide an offender virtual access to a victim’s bedroom or home without their knowledge,’’ said Chris Goldsmid, the head of AFP’s cybercrime operations. “Unfortunately there are criminals who not only use these tools to steal personal information for financial gain but also for very intrusive and despicable crimes.”