IntelCrawler said it analyzed content at members-only websites where criminals buy and sell stolen data, and market and sell new malicious programs designed for hacking, PCWorld reported Saturday.
The security company said the teenager, who goes by the nickname "ree4" sold the malware he created, called BlackPOS, to about 40 customers for $2,000 per sale, or for a share of profits.
The malware compromised not only Target accounts, but the accounts of six other U.S. retailers, IntelCrawler said.
IntelCrawler said it is "90 percent" confident in its conclusions, PCWorld reported.
IntelCrawler said the program was originally called Kaptoxa, a Russian term for potato. However, the teenager changed its name to BlackPOS for marketing reasons, IntelCrawler said.