The Bayrob malware gang's rise and fall

The story of how a talented computer science student and his friends created and ran a multi-million dollar botnet.
Written by Catalin Cimpanu, Contributor

Three Romanians ran an extremely complex online fraud operation along with a massive malware botnet for nine years, made tens of millions of US dollars, but their crime spree is now over, and all three will be heading to prison by the end of August this year.

The three were arrested in late 2016 after the FBI and Symantec had silently stalked their malware servers for years, patiently waiting for the highly skilled group to make mistakes that would leave enough of a breadcrumb trail to follow back to their real identities.

Those errors came in 2015, when of the group's proxy servers began leaking details about the group's traffic, eventually leading investigators on the right path, and later that year one of the hackers made an unfortunate trip to Miami, where the FBI secretly searched his phone at the border.

A year later, Romanian police were busting apartment doors in Bucharest, Romania's capital, and taking the group's members into custody.

This week, two of this gang's members were found guilty by a federal jury, while a third had already pleaded guilty last November. The three now stand to face long prison sentences on nearly two-dozen charges, each.

Who is the Bayrob gang?

The three hackers are Bogdan Nicolescu ("Masterfraud" or "mf"), Radu Miclaus ("Minolta" or "min"), and Tiberiu Danet (aka "Amightysa" or "amy").

Bayrob gang memers
Image: Symantec

Collectively, they are now known as the Bayrob gang, after the name Symantec gave to malware the group first developed back in 2007.

That's when the group started on their path of cybercrime. Just like all "entrepreneurs," they first started small.

They chose fraud because, at the time, that's what most Romanian hackers were into. In the mid-2000s, Romania was one of the most prodigious countries in the world of cybercrime.

Some of these hackers came from the benches of the country's many computer science universities, some self-educated on the dozens of hacking and cyber-security forums that littered the Romanian internet at the time.

The crime-du-jour at the time, and what Romanians hackers eventually became famous for, was online fraud, and especially eBay scams. This is how the Bayrob gang got their start, following tutorials and tricks they read online about auction frauds.

How the Bayrob gang got started

In the beginning, the Bayrob hackers focused on eBay and smaller classified ads sites. Their typical modus operandi was to post an ad or an auction, usually for an expensive product, and wait for bids.

Interested buyers would usually reach out, the gang would gauge their interest, but they'd always reply that another user outbid for the product -- usually an expensive and highly sought after car, although not high-end luxury models.

But days after, the Bayrob members would reach out again, telling the interested buyer that the original bidder had backed down, and the car is available again.

Bayrob eBay scam email
Image: Symantec/Norton

They'd offer to put the car up for auction again, and even sent new pictures of the car, packaged in slideshows. What the users didn't know was that the slideshow contained the Bayrob malware, which would infect their PCs.

Bayrob slideshow
Image: Symantec

The Bayrob team would then send another email to buyers, which lured potential victims on new auction pages. It's at this stage that the Bayrob malware would get into the act.

It would intercept the link and redirect victims to a fake eBay page.

Symantec, which helped investigate the group's operations, said that in this first phase of the group's evolution, the gang would usually craft versions of the Bayrob malware customized for each victim, along with fake eBay pages, containing everything from fake seller reviews, fake vehicle history reports, and fake pages from escrow and delivery services.

Bayrob fake eBay pages

Fake eBay pages that the Bayrob malware would show victims

Image: Symantec/Norton

The group's fraud operation was a notch above everything else, with great attention to detail, and with emails written in perfect English, so as not to alert buyers of a potential scam.

Moving up to the next level

But as the group sold more non-existent cars and made more money, this also helped them expand operations beyond what most eBay scammers were doing at the time.

A Romanian threat intelligence analyst who spoke with ZDNet in a telephone interview but did not want his name shared because he was not authorized to speak for the company or to give out information told us the Bayrob gang began frequenting Russian-based hacking forums at this time, learning from the more advanced Russian fraud scene, and even starting cooperating with other criminal groups.

And the group learned a lot. The Bayrob gang started putting together fake websites to create a larger ecosystem of fake companies around their scams.

For example, they created multiple fake trucking companies, which they used as a front to supposedly transport purchased vehicles to buyers.

The Bayrob gang would often use the excuse that these fake trucking companies were running late in delivering the bought cars, giving the trio extra time to transfer funds from North America -- their primary hunting ground -- to Romania.

By the time the victim caught on to the scam, most of the money sent to the group's US or Western EU bank accounts would have been withdrawn and relayed back to the group's members.

Bayrob's fake trucking company
Image: Symantec

While nowadays most cybercrime groups use money mule services advertised on hacking forums, back then, it wasn't that simple. The Bayrob gang had to recruit their own money mules.

They used fake job ads placed on popular classified ads portals and created websites for fake companies. At one point, the group got so brazen that they ran a fake Yahoo subsidiary called Yahoo Transfers, where victims were being told they were helping route products bought on the Yahoo sites.

Bayrob's fake Yahoo Transfers website
Image: Symantec

Symantec says money mules went through a grueling recruitment process that involved Google-based background searches, instant messaging interviews, and VoIP calls.

The Bayrob gang would usually advertise "work at home" jobs for which unsuspecting applicants would be required to withdraw money from the group's US bank accounts and re-wire it through their own accounts to other accounts.

Money mules would also be asked to convert stolen funds into digital currencies and send the digital currencies to Bayrob gang accounts.

Another tactic, our source tells us, involved the Bayrob gang buying expensive products, which they shipped to money mules' home addresses, where they would be sent overseas -- where other money mules would re-sell the products, effectively converting any scam/stolen funds into untraceable cash.

But despite the trouble this group would put money mules through, Symantec said that some of these unsuspecting individuals got conned and sometimes made no money at all from helping Bayrob launder their money.

"Mules in the US were given two options for payment," Symantec said in 2016 report. "They could keep six percent of the funds they transferred or they could send the entire amount and later receive a check for 10 percent of the total. The latter option was a scam and nobody who opted for it received any payment from the gang."

From eBay scams to operating an infostealer+keylogger

Our source tells us that around 2011, the group changed its operation in a major way. It was at this time that the group's forays into the Russian underground world began to influence the group's mode of thinking.

The three were seeing the huge success and the vasts amounts of money the operators of the Zeus (Zbot) banking trojan were making.

That's when the group started implementing more features in the Bayrob malware code, and slowly started shifting from per-person eBay scams to an indiscriminate malware distribution operation.

All of a sudden, instead of a tiny piece of code that would redirect eBay buyers to fake pages, the Bayrob malware started evolving and getting more intrusive features.

The group didn't have the manpower and desire to go the full banking trojan route, and instead, they choose to add a keystroke logging feature that recorded victims' keyboard input.

The malware would log everything the user typed and send the data back to the malware gang's server, where it would be analyzed for e-banking logins, credentials for social media platforms and online payment services, and credit card number patterns.

This was before banks had modern fraud detection features and multi-factor authentication, so the group would simply log into users' bank accounts and transfer all the money they wanted to their money mules, for "processing" (money laundering).

They got greedy, and it showed, as their malware got more complex. This, in turn, led to the big names in the cybersecurity industry turning their gaze on the group's operation.

It was in 2011 that Symantec and many other cybersecurity firms started following the group more closely. 

It was in this phase that the group began using Bayrob to automate operations on victim's computers, where it would register new AOL accounts, which it would use to spam the victim's contacts with spam messages in the hope of finding new victims. By converting each hacked victim into a spam-spewing machine, the group's botnet grew to a massive size.

Symantec said that while back in 2007 Bayrob was seen as a small-time operation with around 1,000 infected bots part of its botnet, by 2014, the group's botnet reached 50,000, a very respectable size for any malware operation.

The crypto-mining period

However, the group wasn't done expanding operations. Around that time, Bitcoin had also exploded on the tech scene, and it was still profitable to mine using plain ol' computers.

The Bayrob gang jumped on the bandwagon by adding Bitcoin mining capabilities to the Bayrob malware, and profits started coming in right away. Their newfound alternative source of easy-to-make money fascinated the group. Online posts from that period showed their interest in the topic.

The Bayrob malware's distribution activity also spiked, with the trojan making it on more and more PCs. Symantec has the botnet's peak number at 300,000, while the US Department of Justice (DOJ) put a 400,000 figure on the Bayrob botnet in court documents.

In a pre-IoT botnet era, this number was considered massive. Coupled with the group's penchant for stealing money from people's bank accounts, this put the group right near the top of the FBI's most wanted hackers list.

The hunt for Bayrob

Both the FBI and Symantec began to stake out the group's massive operation. The Bayrob gang also got wind that something was up. All of a sudden, cybersecurity firms were publishing in-depth reports about their malware: ESET, Comodo, Fortinet, just to name a few. Bayrob is also referred to as Nivdort in some reports.

After operating for half a decade in complete silence and out of the spotlight, the group began to feel the heat. However, these weren't your regular "script kiddies" that pieced random code together as a weekend side project.

The group's members knew their stuff, especially on the IT side (more on that later). The malware was often updated, sometimes with some cheeky messages to some security firms, and the code was top-notch, often improved with features to prevent reverse-engineering, easy analysis, or riddled with junk code to steer analysts on the wrong path.

Bayrob message to Symantec
Image: Symantec

Furthermore, the group also had some of the best operational security (OpSec) that security researchers have seen up until that point on the malware scene.

Bayrob's internal communications were always encrypted, keeping investigators blind to what the gang was doing, making the seizure of any third-party email or XMPP server useless.

Symantec, which played a crucial role in the investigation, said the Bayrob gang encrypted all emails using PGP, and encrypted all instant messaging chats with an Off-The-Record (OTR) protocol.

The Bayrob malware servers were also shielded by not one, but two proxy layers, which allowed the group's members to connect to it from their homes without giving away their exact location.

A first proxy network was created using servers in Romania, while a second proxy network ran on top of US-based servers.

"One of our most significant breakthroughs came when we discovered a weak point in their use of these proxies," said Symantec in 2016, after the trio's extradition to the US.

"Due to this weakness, the gang's malicious activities were exposed, allowing us to passively observe its activities on computers Symantec was protecting.

"Our investigation required time and patience. In one case, we observed the gang's malicious activities for a year and a half before it made an error that exposed one of its suspected members," the company added.

An AOL login snafu and a visit to Miami doomed the group

That mistake exposed Miclaus' identity. At Miclaus and Niculescu's recently concluded trial, the prosecution revealed how they used this info.

According to a Cleveland.com report, back in 2013, Miclaus, while behind his network of proxies, accidentally logged into his personal AOL account instead of one of the AOL accounts the group was using to send out spam emails.

This allowed investigators to link Miclaus' real-life persona to the group's operations, and as a possible gang member. Later info provided by Symantec helped investigators track down other possible members, although they were never sure of their involvement due to a lack of evidence.

That evidence landed in the FBI's lap by accident, when one of the group's members traveled to visit friends in the US.

At Miclaus and Niculescu's trial, the prosecution revealed that while Danet was at the Miami airport, the FBI enacted a search warrant to secretly search Danet's phone, from which they extracted messages exchanged between the three Bayrob members, talking about their operation.

US investigators continued to gather data on the group's operations until July 2016 when they felt confident they had a case and issued international arrest warrants in the names of the three Bayrob members, on which Romanian police acted and arrested the three in Bucharest.

They were arraigned in a US court in December 2016, with Danet pleading guilty last November in the face of an insurmountable case based on the data obtained from his phone. His sentencing hearing is scheduled for May 2.

Bayrob wanted posters
Image: capture from Kanal D video

Danet went from top programmer to malware coder

Of the three, Danet also has the wildest backstory. In the group, Danet was the tech guy; the one who wrote the malware code and managed the botnet and its servers. Without him, the group would have never reached the heights they reached, and would have most likely remained a low-tier eBay scam group.

A graduate of one of Bucharest's top mathematics and computer sciences college, Danet won several international computer science contests, even ranking third in an ACM (Association for Computing Machinery) edition, and ranking high in many others.

According to Romanian TV station Kanal D, in 2008, Danet was elected the coach of Romania's National Computer Science Team, even though he was still a university student.

"He could have worked anywhere he wanted for the same money he made as a hacker," our source said over the phone when describing Danet's programming skills. "I still can't believe it after all these years."

Bayrob member Tiberiu Danet

Bayrob member Tiberiu Danet

Image: UNIBUC, via Kanal D

Danet's IT training explains why cybersecurity firms and US authorities had such a hard time breaking through Bayrob's outer shell.

In fact, the trio's indictment looks just as much as a malware report as it does to a legal document, containing a huge trove of technically-rich details that many previous hacking/hacker-related court files don't usually do, once again showing Bayrob's advanced technical makeup.

One Bayrob hacker claims he's been wrongly accused

As for his co-conspirators, Miclaus and Nicolaescu, they were in charge of Bayrob's fraud and money laundering operations, respectively, and had just as much to do with the operation's success as Danet had.

Despite all the court-presented evidence, during the trial, Nicolaescu denied any involvement with the Bayrob scheme, claiming he only lived with Miclaus and had been wrongly associated with the group, albeit admitting that he knew of its existence.

The two will hear their sentences on August 14, alter this year.

The DOJ said that during the group's nearly decade-long operation, the trio made roughly $4 million (Symantec placed the number at around $35 million), ran over 1,000 eBay scams, and registered over 100,000 AOL accounts to send over 11 million spam emails.

UPDATE, December 6, 2019: After a delay in their sentencing hearing, Miclaus and Nicolaescu were sentenced today to 18 and 20 years in prison, respectively.

Data leaks: The most common sources

Related malware and cybercrime coverage:

Editorial standards