Alex Yucel, 24, pleaded guilty to one count of distributing malicious software. He could face a maximum of 10 years in prison, the U.S. Attorney's Office for the Southern District of New York said. He is expected to be sentenced on May 22.
BlackShades, a remote access trojan, was marketed by its developers as a program for legitimate computer monitoring but was mostly used for stealing payment card data, recording a computer's keystrokes and secretly controlling webcams. It was sold for between US$40 to $100.
Several thousand people bought Blackshades, and investigators said it may have infected more than 500,000 computers worldwide.
In exchange for the guilty plea, prosecutors agreed to drop other charges that accused Yucel of conspiracy to commit computer hacking, conspiracy to commit access device fraud, access device fraud and aggravated identity theft.
Yucel was arrested in Moldova in November 2013 and is the first person to be extradited to the U.S. from there. He is suspected of creating Blackshades around 2010 and advertising it on underground hacker forums.
It was very versatile malware, capable of grabbing information entered into forms and conducting distributed denial-of-service attacks.
Those using Blackshades were targeted in a massive law enforcement effort in May 2014 involving 16 countries. Ninety-seven people suspected of either creating or buying were arrested after the raids.
Michael Hogue, who was accused of being a co-creator of Blackshades, pleaded guilty in January 2013 and is awaiting sentencing, prosecutors said.
Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk