An international law enforcement operation has dismantled a complex transnational organized cybercrime network that attempted to steal an estimated $100 million from victims in the United States and around the world.
The crime syndicate used malware called GozNym to try and infect tens of thousands of computers worldwide, primarily in the United States and Europe. The criminals were thwarted through international cooperation between law enforcement personnel in the United States, Georgia, Ukraine, Moldova, Germany, Bulgaria, Europol, and Eurojust.
“International law enforcement has recognized that the only way to truly disrupt and defeat transnational, anonymized networks is to do so in partnership,” United States Attorney Scott Brady of the Western District of Pennsylvania, who led the investigation, said. “The collaborative and simultaneous prosecution of the members of the GozNym criminal conspiracy in four countries represents a paradigm shift in how we investigate and prosecute cybercrime. Cybercrime victimizes people all over the world. This prosecution represents an international cooperative effort to bring cybercriminals to justice.”
The victims were primarily U.S. businesses and their financial institutions. More than 41,000 victim computers were infected with GozNym malware.
The U.S. Attorney’s Office for the Western District of Pennsylvania charged 10 members of the GozNym criminal network with conspiracy to commit computer fraud, conspiracy to commit wire fraud and bank fraud, and conspiracy to commit money laundering. An eleventh member of the conspiracy was previously charged in a related Indictment while five of the named defendants reside in Russia and remain fugitives from justice. The others are from Georgia, Ukraine, Moldova, and Bulgaria. The defendants conspired to infect victims’ computers with GozNym malware, which is designed to capture victims’ online banking login credentials. Then they would use the captured login credentials to steal money from victims’ bank accounts and launder those funds using U.S. and foreign beneficiary bank accounts controlled by the defendants.
“This takedown highlights the importance of collaborating with our international law enforcement partners against this evolution of organized cybercrime,” FBI Pittsburgh Special Agent in Charge Robert Jones said. “Successful investigation and prosecution is only possible by sharing intelligence, credit and responsibility. Our adversaries know that we are weakest along the seams and this case is a fantastic example of what we can accomplish collectively.”
Alexander Konovolov, aka “NoNe,” and “none_1,” age 35, of Tbilisi, Georgia, was the primary organizer and leader of the GozNym network. Konovolov assembled the team of cybercriminals charged in the Indictment, in part by recruiting them through the underground online criminal forums. Marat Kazandjian, aka “phant0m,” age 31, of Kazakhstan and Tbilisi, Georgia, was allegedly Konovolov’s primary assistant and technical administrator. Konovolov and Kazandjian are being prosecuted in Georgia. Gennady Kapkanov, aka “Hennadiy Kapkanov,” “flux,” “ffhost,” “firestarter,” and “User 41,” age 36, of Poltava, Ukraine, was an administrator of a bulletproof hosting service known as the “Avalanche” network. Kapkanov is now facing prosecution in Ukraine.
Alexander Van Hoof, aka “al666,” age 45, of Nikolaev, Ukraine, was a “cash-out” or “drop master” who provided fellow members of the conspiracy with access to bank accounts he controlled that were designated to receive stolen funds from GozNym victims’ online bank accounts. Eduard Malanici, aka “JekaProf,” and “procryptgroup, age 32, of Balti, Moldova, provided crypting services to cybercriminals to enable the malware to avoid detection by anti-virus tools. Malanici, along with two associates, is being prosecuted in Moldova.
The five Russian nationals charged in the indictment who remain fugitives from justice include: Vladimir Gorin, aka “Voland,” “mrv,” and “riddler,” of Orenburg, Russia, who oversaw the creation, development, management, and leasing of GozNym malware; Konstantin Volchkov, aka “elvi,” age 28, of Moscow, Russia, who provided spamming services to cybercriminals; Ruslan Katirkin, aka “stratos,” and “xen,” age 31, of Kazan, Russia, who was a “casher” or “account takeover specialist” who used victims’ stolen online banking credentials captured by GozNym malware to access victims’ online bank accounts and attempt to steal victims’ money; and Viktor Vladimirovich Eremenko, aka “nfcorpi,” age 30, of Stavropol, Russia, and Farkhad Rauf Ogly Manokhin, aka “frusa,” of Volgograd, Russia, who were “cash-outs” or “drop masters” for the GozNym criminal network.
The victims of the GozNym malware attacks include an asphalt and paving business located in New Castle, Pa.; a law firm in Washington, DC; a church lin Southlake, Texas; an association dedicated to providing recreation programs and other services to persons with disabilities in Downers Grove, Ill.; a distributor of neurosurgical and medical equipment headquartered in Freiburg, Germany; a furniture business in Chula Vista, Calif.; a provider of electrical safety devices in Cumberland, R.I.; a contracting business in Warren, Mich.; a casino in Gulfport, Miss.; a stud farm in Midway, Ky.; and a law office in Wellesley, Mass.