Russian Programmer Armed ‘Potato’ Malware Used On Target

Rinat Shabayev says he modified Kaptoxa malware to earn some money

A 23-year-old programmer from Saratov, Russia, has claimed responsibility for arming the Kaptoxa (“Potato”) malware used to steal personal details of about 110 million customers of the US retail chain Target.

In an interview with the Russian website, Rinat Shabayev admitted that he modified Kaptoxa (also known as BlackPOS), a tool that can be used to test computer systems for vulnerabilities, and as a defense against cyber attacks. Later, he sold the malware on an open market, in the knowledge that it could be used for criminal purposes.

Shabayev says he never used Kaptoxa to steal data himself. He is currently looking for a well-paid job, and has received one offer already, in the comments on the site. The story seems to align with earlier reports that part of the Kaptoxa code was written in Russian.

Russian hacker fired potato gun

According to Shabayev, Kaptoxa (Russian for potato, written in ‘volapuk’ code) was created for sale through underground hacker communities. The rules of the malware market are well established, with independent developers offering support, patches and modifications for their products.

While working on a modification, the programmer known online as ‘ree4’ collaborated with an anonymous partner whom he met online. The two didn’t stay in touch, and Shabayev doesn’t even know where in the world his contact lives.

“If the software is used with bad intentions, you can earn decent money, but that’s illegal. I didn’t want to do this kind of work, simply wrote it for sale, so I didn’t have to use it myself. Other people can use it, and it will be on their conscience,” Shabayev told

The programmer said he used to earn a bit of money as a hacker, but is now looking for legitimate work. In the future, he would like to open his own business.

Between 27 November and 15 December, 40 million card details and 70 million personal records including names, mailing addresses and phone numbers of Target customers were compromised. The attack was aimed at Point-Of-Sale (POS) payment systems, including those used to enter debit card PINs.

To apologise, the retailer offered one year of free credit monitoring and identity theft protection to all guests who shopped in its US stores. Despite this gesture, multiple lawsuits have been filed across the United States by Target customers over the information theft.

On 16 January, security firm Seculert had found an Internet server that the attackers had used as a communications hub to retrieve information from a drop site within Target’s own network.

The company says that on 2 December, the malware began transmitting the cache of stolen data from the network to the collection point. Using a virtual private server in Russia, the attackers then downloaded the information. The total amount of stolen data was around 11GB.
