The European Union Agency for Law Enforcement Cooperation (Europol) has announced the dismantling of a complex global cybercrime operation built around the GozNym banking malware. Ten individuals have been charged in the United States, and further members of the network face prosecution in Georgia and Ukraine.

Law enforcement cooperation between Bulgaria, Georgia, Germany, Moldova, Ukraine, and the United States, with the support of Europol and Eurojust, identified and dismantled a cybercriminal network that relied on the GozNym malware in an attempt to steal millions of dollars from unwitting victims. The scammers had planned to steal an estimated $100 million from over 41,000 businesses and financial institutions.

The criminal operation was a complex and organized setup. The leader of the network is from Georgia, and leased access to the GozNym malware from a developer in Russia. Work was then carried out with the help of other cybercriminals recruited via Russian-speaking criminal forums to "crypt the malware," which allowed it to bypass detection by security software.

A number of email spammers were then recruited to distribute phishing emails to potential victims in an attempt to place the GozNym malware on their computers. The emails took the form of legitimate-looking business emails that the targeted institutions would regularly expect to receive. Clicking a link in these emails redirected the victim's computer to a site where the malware was downloaded and subsequently installed.

The campaign was effective: it infected more than 41,000 computer systems. Once a machine was infected, the aim was to harvest online banking login credentials, use them to access the victims' accounts, and siphon out the money they contained. Those funds were then laundered through US and foreign bank accounts controlled by members of the network.

Through cooperation and multiple searches carried out across Bulgaria, Georgia, Moldova, and Ukraine, law enforcement officials arrested 10 members of the network. All 10 have been charged by a federal grand jury in Pittsburgh with conspiracy—more specifically, to infect victims' computers with malware in order to steal banking details, then to steal the money they contained, and finally to launder it.

The leader of the network and his technical assistant are both being prosecuted in Georgia. The hosting required to make the malware available was provided by the so-called "Avalanche network," a bulletproof hosting platform known to have serviced more than 200 cybercriminals and to have hosted more than 20 different malware families. The administrator of that network is now facing prosecution in Ukraine, with a specific focus on his support for the GozNym operation.

Europol points out that this operation is the perfect example of "cybercrime as a service" because it brought together all the different parts of the full service required to infect and steal the cash. More specifically, it involved the use of "bulletproof hosters, money mules networks, crypters, spammers, coders, organizers, and technical support."
