An international cybercrime network that tried to steal an estimated $100 million has been taken down in a coordinated multinational effort.
Prosecutors and law enforcement officials from the United States and Europe, speaking at a news conference on Thursday in The Hague, say that criminals used malware to infect tens of thousands of computers worldwide, capturing online banking credentials from unknowing victims in a bid to extract their money.
The scheme took place between October 2015 and December 2016. A virtual assembly line of skills and services by cybercrime specialists made the fraudulent work possible, prosecutors contend.
First, the leader of the group leased access to malware from a developer. Then the developer used coders to create GozNym, a hybrid of two malware strains called Gozi and Nymaim.
Suspects advertised their skills online in an underground Russian-language forum, where they were allegedly recruited by Alexander Konovolov, a 35-year-old Georgian who ultimately controlled more than 41,000 computers.
To ward off detection, distribute the malware, take over bank accounts and cash out, there were “bulletproof hosters, money mules networks, crypters, spammers, coders, organizers, and technical support,” said Europol, the European Union’s law enforcement agency.
William Carter, deputy director of the Technology Policy Program at the Center for Strategic and International Studies, tells NPR that cybercrime as a service industry is becoming more common — that people can pay for phishing, botnets and other services.
“Really at this point it doesn’t take a lot of audacity,” he says. “The chances that [law enforcement] will track down all the little service providers are pretty small. And the payoff can be pretty large.”
Carter says there are enough people and businesses in the world not following basic cybersecurity practices that a criminal can use unsophisticated tools to make money by hitting many targets quickly.
With GozNym, victims received phishing emails that looked legitimate but contained a malicious link or attachment that caused the malware to be downloaded onto their computers.
The victims included a church in Texas, a casino in Mississippi and an association that provides services to people with disabilities in Illinois. A number of U.S. businesses and their financial institutions fell victim to GozNym, especially in Western Pennsylvania, where federal investigators and prosecutors later conducted an operation.
In an indictment unsealed Thursday, 10 alleged members of the criminal network were accused of using GozNym to capture online banking credentials from victims, before using that information to pilfer money from bank accounts and launder the funds with U.S. and foreign bank accounts.
The network members were charged with conspiracies to commit computer fraud, wire and bank fraud as well as money laundering. An 11th member was charged in a previous indictment.
Five Russians accused of being involved in the scheme reside in Russia as “fugitives from justice,” according to the Department of Justice. The FBI asked the public to help locate them Thursday. The U.S. District Court for the Western District of Pennsylvania issued a federal arrest warrant for them in April.
Other members of the criminal network live in Georgia, Ukraine, Moldova and Bulgaria, according to prosecutors. That led to an “unprecedented” push for cooperation — sharing of evidence, arrests and extraditions — between the United States, those countries and Germany.
Criminal prosecutions are underway in Georgia and Moldova. In Ukraine, law enforcement arrested Gennady Kapkanov, 36, for allegedly shooting an assault rifle through his apartment door during a police raid that targeted network servers. He is being prosecuted for his alleged involvement in the GozNym network.
U.S. Attorney Scott Brady said that the only way to stem transnational criminal networks is through partnership. “The collaborative and simultaneous prosecution of the members of the GozNym criminal conspiracy in four countries represents a paradigm shift in how we investigate and prosecute cybercrime,” Brady said.