Cybercrime group that used malware to steal $100 million from online banking accounts shut down

International law enforcement operation takes down cybercrime network that tried to steal $100 million by capturing online banking details.
Written by Danny Palmer, Senior Writer

A global cybercrime network responsible for stealing an estimated $100 million from banks and businesses around the world has been taken down in a joint law enforcement operation by several European nations and the US.

A criminal indictment from a federal grand jury in Pittsburgh, USA charges ten individuals from Russia, Eastern Europe and former Soviet states with infecting victims' computers with GozNym malware to steal online banking login credentials, using those stolen credentials to gain access to accounts and steal money from victims, and then laundering the funds into bank accounts controlled by the criminals. More than 41,000 computers were infected with the malware.

"Today marks a new milestone in the ongoing fight against transnational organised crime and we're pleased to announce what we believe is an unprecedented international effort which has dismantled the GozNym criminal malware network," said United States Attorney Scott W. Brady for the Western District of Pennsylvania.


Described by law enforcement agencies as a "highly specialised international criminal network", GozNym recruited members to its cause on Russian-speaking underground forums in a campaign that resulted in the attackers controlling thousands of malware-infected computers.

Like many other hacking campaigns, the malware was delivered in spear-phishing emails which looked legitimate, but contained malicious links and attachments which downloaded GozNym onto victims' computers.

The GozNym malware was helped along by one member of the gang, who encrypted it so that it would evade detection by anti-virus software on the infected machines.

Following compromise, the stolen online banking information was sent to a central access panel where account-takeover specialists were employed to gain access to accounts and transfer stolen funds to money launderers in Russia and Ukraine. Once the money had been laundered, all involved in the scheme received their illicit payments.

The attackers covered their tracks by hosting malicious domains and GozNym downloads on the servers of the Avalanche Network – a bulletproof hosting service aimed at cybercriminals. The mastermind behind Avalanche was arrested last year.

Now an international law enforcement operation involving European Union members Bulgaria and Germany, as well as Georgia, Ukraine and the United States, has tracked down and charged several members of the GozNym criminal network – with the support of Europol, Eurojust and the FBI.

"In a world where the internet plays a vital role for our economy and social life, the kind of international cooperation we've had sets a new standard for international cross-border judiciary work," said Gabriele Launhardt, deputy national member for Germany at Eurojust.

"Criminals cooperate across borders and we will do the same so nobody escapes justice," she added.

Over the course of the investigation, searches of suspects' homes and bases were conducted in Bulgaria, Georgia, Moldova and Ukraine, and these have resulted in several criminal prosecutions taking place in Georgia, Moldova and the US.

They include the leader of the GozNym network along with his "technical assistant" who are being prosecuted in Georgia by the Prosecutor's Office of Georgia and the Ministry of Internal Affairs of Georgia.

Other members of the group who have been arrested include the individual responsible for encrypting the GozNym malware, who is being prosecuted in Moldova, as well as a previously arrested member of the group from Bulgaria. The latter was extradited to the US in December 2016 to face prosecution in Pittsburgh and is accused of taking over accounts as part of the campaign.


Of those charged in connection with GozNym, five Russian nationals remain on the run, including the developer of the malware itself. The FBI has named the suspects as Viktor Vladimirovich Eremenko, Vladimir Gorin, Ruslan Vladimirovich Katirkin, Farkhad Rauf Ogly Manokhin and Konstantin Volchkov.

However, the operation and the arrests that have taken place are viewed as a victory in the fight against cybercrime and a big step towards further cooperation across borders.

"Today shows a clear capability change of law enforcement prosecutors working on a global basis to tackle international criminality," said Steven Wilson, head of Europol's European Cybercrime Centre (EC3).

"For too long, cybercriminals have exploited an international divergence in policy and legislation. I think we're now starting to see people coming together and understanding how to pool investigations together," he continued. "Ultimately, I believe these operations have been a catalyst for the better investigation of crime."
