The three individuals, whose names have not been disclosed, were arrested two weeks ago on suspicion of commandeering more than 100,000 PCs. They allegedly gained control over the systems with a Trojan horse called Toxbot and used the network of zombie PCs to steal credit card numbers and other personal data, and to blackmail online businesses.
But the number of PCs hijacked is much larger than initially thought, Dutch prosecutors said Thursday. Additional data gathered by the Dutch Computer Emergency Response Team and Internet service providers indicates that more than 1.5 million PCs were involved, 30,000 of which were in the Netherlands.
"This will certainly play a role when determining the penalty," Wim de Bruin, a spokesman for the Dutch National Prosecutor's Office, said Friday. "It does make a difference if you break a window in a single house or the entire street." Under various computer crime laws, the three could face up to six years in prison, de Bruin said.
A court in Breda, Netherlands, on Thursday extended custody of the 19-year-old main suspect and a 27-year-old accomplice by a month. The third suspect, a 22-year-old, was released because of confidential "personal reasons," de Bruin said. Under Dutch law, suspects can be held for up to three months before a first public court appearance.
Networks of hijacked computers, known as botnets, are considered one of the most serious security threats on the Internet. While the dismantled botnet is one of the largest ever seen, the takedown is merely a drop in the bucket, experts have said.
Botnets are often rented out by their owners, called bot herders, to relay spam and launch phishing scams to steal sensitive personal data for fraud. Botnets have also been used in blackmail schemes, where the criminals threaten online businesses with a denial-of-service attack to extort money. A denial-of-service attack would disable a targeted Web site.
In the Dutch case, investigators suspect the individuals of hacking into computers, destroying computer networks and installing adware and spyware. The suspects are also thought to have sold their services to others, including writing viruses that were designed to steal login data for online banking, prosecutors said.
The investigation also suggests that the suspects hacked into accounts at payment service PayPal and online auction giant eBay and extorted unidentified U.S. businesses.
The Dutch investigation is ongoing and more arrests are expected in the Netherlands, de Bruin said. A court date has yet to be set for the current suspects.
