A California man is facing a maximum of 60 years in prison and a $1.75 million fine after agreeing to plead guilty to using botnets to steal PC users' personal and financial information.

John Schiefer, 26, of Los Angeles has agreed to plead guilty to one felony count each of accessing protected computers to conduct fraud, disclosing illegally intercepted electronic communications, wire fraud and bank fraud.

Schiefer is the first guilty plea for a violation of federal wiretapping statutes in relation to botnet use, Thom Mrozek, a spokesman for the U.S. Attorney's Office for the Central District of California, told SCMagazineUS.com today.

Schiefer used his army of bot computers to defraud a Dutch advertising company not identified by the U.S. Department of Justice (DOJ).

Schiefer also mined usernames and passwords of PayPal users whose PCs had been infected with malware. He and associates then accessed bank accounts to make fraudulent purchases, Schiefer acknowledged in a criminal information and plea agreement filed Friday in U.S. District Court in Los Angeles.

Mrozek said the total number of bot PCs controlled by Schiefer was unknown, but “well north of 250,000.”

Schiefer is scheduled to be arraigned Dec. 3. The statutory maximum sentence for this case is 60 years in prison and a fine of $1.75 million.

Jose Nazario, senior security engineer at Arbor Networks, told SCMagazineUS.com today that while Schiefer's botnet-building techniques are familiar, his wire fraud and bank fraud guilty pleas are the reason for the large maximum sentence he faces.

“Basically everything he's been doing as a botnet-runner is pretty stock, and he's using a common code base as well,” he said. “Banks have a century of law behind them and they take these things seriously.”

Last month, Jason Michael Downey, 24, of Dry Ridge, Ky., was sentenced to a year in prison, three years of supervised release and more than $21,000 in restitution for running a botnet of up to 6,000 infected PCs. He was arrested as part of the DOJ's “Operation Bot Roast.”

Jeanson James Ancheta was sentenced to 57 months in prison in 2006 for creating a zombie network of hundreds of thousands of PCs that he rented out to hackers to send spam campaigns and launch DoS attacks. 

Andre DiMino, co-founder and director of the Shadowserver Foundation, a cybercrime-tracking non-profit, told SCMagazineUS.com today that the guilty plea is “great news for the security community because the best deterrent to this problem are arrests, prosecutions and convictions.”

But DiMino said he didn't think the possible hefty sentence would keep other botmasters relegated to mass-spamming, and away from information mining.

“We're seeing [botnet use] trend towards electronic wiretapping and PII (personally identifiable information) theft; that seems to be the major use of botnets these days,” he said.

Don Montgomery, vice president of marketing at Akonix, enterprise instant messaging (IM) security vendor, told SCMagazineUS.com that Schiefer was also the first botmaster arrested for using IM to built a bot army.

“What stands out for us is that this is the first one with a direct link between the use of IM to spread malicious code and the criminal behavior and the actual crime,” he said. “[The malware used] is the type that spreads out over an AOL Instant Messenger with a poison URL and uses buddy lists to spread quickly.”