The list of victims runs the gamut. A small-town Texas church. A Washington, D.C., law firm. A nonprofit organization in Illinois that works with disabled children.
They are among the tens of thousands of businesses and other organizations in North America and Europe that were targeted by an Eastern European cybercrime syndicate in recent years.
The 11 cybercriminals behind the scheme, U.S. and European law enforcement officials announced Thursday, infected more than 41,000 computers with a malware program known as GozNym in an attempt to steal more than $100 million from their bank accounts.
Prosecutors described the network as a “highly structured” online organized crime network, with each member assigned a special role.
The cybercriminals
Alexander Konovolov oversaw the operation. The 35-year-old Georgian national assembled his team of cybercriminals through underground Russian language criminal forums.
Russian computer programmer Vladimir Gorin was the brains behind GozNym. Four other Russians served in other roles.
A Bulgarian “casher” was tasked with using login credentials captured by GozNym to illegally transfer funds from the victims’ bank accounts into accounts controlled by the network.
And Ukrainian Gennady Kapkanov, 36, was an administrator of the Avalanche network, a platform that hosted more than 20 malware campaigns, including GozNym, before it was taken down in late 2016.
Phishing attack
To gain control of their victims’ computers, the conspirators turned to what is still the most common form of a cyber intrusion: sending “phishing” emails to unsuspecting employees.
In a phishing attack, a legitimate-looking business email is sent to a company employee with instructions to open a link. Once opened, the link deploys malware such as GozNym, giving the perpetrator access to the information stored on the victim’s computer.
In many GozNym cases, the emails sent to the victims appeared to contain bills or invoices.
In the case of the Washington, D.C., law firm, on Feb. 16, 2016, the conspirators allegedly sent an email to an employee from “Quicken Billpay-center.” The employee clicked on the link included in the email, allowing GozNym to be installed on the firm’s computer network.
With GozNym capturing the firm’s banking credentials, things were set in motion.
On Feb. 25, Konovolov, the Georgian ringleader, and Krasimir Nikolov, the Bulgarian “casher” exchanged details of a Massachusetts-registered bank account where they intended to transfer the stolen funds.
That same day, Nikolov, using the law firm’s stolen banking credentials, attempted to transfer $97,520 from the firm’s Bank of America account into the account the network controlled in Massachusetts. The transaction resulted in a loss of more than $76,000, prosecutors said.
Pennsylvania indictments
The 11 conspirators were named in a criminal indictment unsealed by prosecutors in the Western District of Pennsylvania, where some of the victims are located. The FBI’s Pittsburgh Field Office, which leads many of the bureau’s high profile cybercrime investigations, began looking into GozNym two years ago.
The five Russians named in the indictment remain at large. But the six others are in custody in the U.S., Georgia, Moldova and Ukraine.
Nikolov, the Bulgarian “account takeover specialist,” was arrested by Bulgarian authorities and extradited to the United States in 2016.
Five others are from Georgia, Kazakhstan, Moldova and Ukraine, countries with which the United States doesn’t have extradition treaties. To ensure they’re prosecuted in their home countries, U.S. officials said they shared evidence with prosecutors in Georgia, Ukraine and Moldova.
New era of fighting cybercrime
This was something the U.S. had never done before, said Scott W. Brady, U.S. Attorney for the Western District of Pennsylvania.
“International law enforcement has recognized that the only way to truly disrupt and defeat transnational, anonymized networks is to do so in partnership,” Brady said at a press conference at The Hague. “The collaborative and simultaneous prosecution of the members of the GozNym criminal conspiracy in four countries represents a paradigm shift in how we investigate and prosecute cybercrime.”
The development marks the latest takedown of an organized crime network operating on the internet.
“This takedown highlights the importance of collaborating with our international law enforcement partners against this evolution of organized cybercrime,” said FBI Pittsburgh Special Agent in Charge Robert Jones.
