FBI and Europol Disrupt GozNym Malware Attack Network
6 Suspects Arrested on Money Laundering, Malware-Writing or Fraud Charges
Law enforcement agencies in the U.S. and Europe on Thursday announced that they had disrupted a malware attack platform called GozNym. As part of the coordinated investigation, authorities in four countries arrested six suspects who face charges including money laundering, malware-writing and phishing. Five Russian suspects, however, remain at large.
GozNym has been tied to the theft of an estimated $100 million from over 41,000 victims around the world. The malware appears to have infected tens of thousands of PCs worldwide, primarily in the United States and Europe.
The suspects have been accused of using GozNym malware to infect victims' PCs and steal their online banking login credentials, accessing their accounts, then "stealing money from victims' bank accounts and laundering those funds using U.S. and foreign beneficiary bank accounts controlled by the defendants," according to Europol, the EU's law enforcement intelligence agency.
"We found that GozNym was a highly structured, specialized organized crime network, and each defendant represented in the indictment had a specialized role to play and brought a specialized skill set to the conspiracy," Scott W. Brady, U.S. attorney for the Western District of Pennsylvania, said in a Thursday press conference in Brussels.
On Thursday, his office unsealed an April 17 federal grand jury indictment accusing 10 individuals of being part of the GozNym criminal network. The suspects face computer fraud, wire fraud, bank fraud and money laundering charges. An eleventh suspect was previously charged in a different indictment.
Authorities say this investigation was the result of cooperation between the U.S. and Bulgaria, Germany, Georgia, Moldova and Ukraine. An unusual aspect of the investigation is that charges were brought against suspects in the countries where they reside based, in part, on evidence gathered by the FBI and German authorities.
"The prosecutions are based on shared evidence acquired through coordinated searches for evidence in Georgia, Ukraine, Moldova and Bulgaria, as well as from evidence shared by the United States and Germany from their respective investigations," the U.S. Justice Department says.
Authorities say five suspects remain at large. All are believed to be in Russia, which did not cooperate with the investigation.
The GozNym takedown involved close cooperation between the U.S. Department of Justice and counterparts abroad, supported by coordination from Europol, backed by Eurojust, the EU's agency for handling judicial cooperation on criminal matters among EU member states' agencies.
"This takedown highlights the importance of collaborating with our international law enforcement partners against this evolution of organized cybercrime," says FBI Pittsburgh Special Agent in Charge Robert Jones. "Successful investigation and prosecution is only possible by sharing intelligence, credit and responsibility. Our adversaries know that we are weakest along the seams, and this case is a fantastic example of what we can accomplish collectively."
In April 2016, IBM X-Force researchers Limor Kessem and Lior Keshet announced the discovery of malware that appeared to be a hybrid of Nymaim and Gozi ISFB malware, leading IBM to name it GozNym (see: New Hybrid Banking Trojan 'GozNym' Steals Millions).
"It appears that the operators of Nymaim have recompiled its source code with part of the Gozi ISFB source code, creating a combination that is being actively used in attacks against more than 24 U.S. and Canadian banks, stealing millions of dollars so far," they wrote at the time.
"The new GozNym hybrid takes the best of both the Nymaim and Gozi ISFB malware to create a powerful Trojan," they wrote. "From the Nymaim malware, it leverages the dropper's stealth and persistence; the Gozi ISFB parts add the banking Trojan's capabilities to facilitate fraud via infected internet browsers. The end result is a new banking Trojan in the wild."
GozNym was spread at least in part via a cybercrime-as-a-service malware attack network called Avalanche.
Arrests Follow Avalanche Takedown
Authorities say the GozNym takedown was a direct result of law enforcement disrupting Avalanche in December 2016. Avalanche hosted dozens of the world's largest malware campaigns, including GozNym.
Avalanche had victims in more than 180 countries and controlled as many as 500,000 malware-infected PCs worldwide at any given time, authorities said.
The Avalanche investigation resulted in the FBI and Europol, working with law enforcement partners in 40 countries, arresting five individuals and physically seizing more than three dozen servers tied to Avalanche, as well as taking technical steps to prevent repeat attacks, in part by sinkholing numerous domains. Europol estimated that the infrastructure used to run Avalanche, which had been in operation since 2009, lobbed more than 1 million emails carrying malicious links or attachments at potential victims every week.
"What was GozNym, what were Avalanche? Cybercrime as a service, as we call it, but for me, for the public, it's a supermarket of cybercrime services," said Steven Wilson, head of Europol's European Cybercrime Center, during the Thursday press conference in Brussels.
"Looking at coders, malware developers, bulletproof hosters, a whole range of the cybercrime service under one roof - only through that international cooperation can we hope to tackle this," he said.
GozNym Conspiracy: 11 Suspects Named
According to the indictment, six suspects have been arrested and charged:
- Krasimir Nikolov (aka "pablopicasso," "salvadordali," "karlo") of Varna, Bulgaria, was arrested by Bulgarian authorities and extradited to the United States in December 2016. Nikolov has been accused of being the "casher" or "account takeover specialist" who "used victims' stolen online banking credentials captured by GozNym malware to access victims' online bank accounts and attempt to steal victims' money through electronic funds transfers into bank accounts controlled by fellow conspirators," the Justice Department says. On April 10, he entered a guilty plea tied to participating in the GozNym conspiracy, and he's scheduled to be sentenced on Aug. 30.
- Alexander Konovolov (aka "NoNe," "none_1"), 35, of Tbilisi, Georgia, allegedly organized and served as the leader of the GozNym network, allegedly recruiting other members via cybercrime forums. He's being prosecuted in Georgia.
- Marat Kazandjian (aka "phant0m"), 31, of Kazakhstan and Tbilisi, Georgia, allegedly served as Konovolov's primary assistant and IT administrator. He's being prosecuted in Georgia.
- Gennady Kapkanov (aka "Hennadiy Kapkanov," "flux," "ffhost," "firestarter," "User 41"), 36, of Poltava, Ukraine, allegedly administered the bulletproof hosting service called Avalanche. "This network provided services to more than 200 cybercriminals, including Konovolov and Kazandjian, and it hosted more than 20 different malware campaigns, including GozNym," the Justice Department says. As part of a German-led operation, Ukrainian police searched Kapkanov's apartment in November 2016. "Kapkanov was arrested for shooting an assault rifle through the door of his apartment at Ukrainian law enforcement officers conducting the search," the Justice Department says.
- Alexander Van Hoof (aka "al666"), 45, of Nikolaev, Ukraine, allegedly served as a "cashout" or "drop master" who organized bank accounts to receive electronic fund transfers from victims of the GozNym malware.
- Eduard Malanici (aka "JekaProf," "procryptgroup"), 32, of Balti, Moldova, allegedly provided crypting services that the GozNym team used to make their malware more difficult to detect by anti-virus tools. Malanici is being prosecuted in Moldova along with two alleged associates.
GozNym Conspiracy: 5 Suspects at Large
Five suspects named in the indictment remain at large, and authorities believe they reside in Russia.
- Vladimir Gorin (aka "Voland," "mrv," "riddler") of Orenburg, Russia, allegedly created, updated and leased the GozNym malware to Konovolov.
- Konstantin Volchkov (aka "elvi"), 28, of Moscow, allegedly provided spamming services that allowed the GozNym team - and others - to mass-distribute phishing emails designed to infect victims' PCs with malware, including GozNym.
- Ruslan Katirkin (aka "stratos," "xen"), 31, of Kazan, Russia, who was residing in Ukraine during the time frame of the alleged conspiracy, is accused of serving - like Nikolov - as a "casher" or "account takeover specialist."
- Viktor Vladimirovich Eremenko (aka "nfcorpi"), 30, of Stavropol, Russia, has been charged with serving as a "cashout" or "drop master" on behalf of the GozNym criminal network.
- Farkhad Rauf Ogly Manokhin (aka "frusa"), of Volgograd, Russia, has also been charged with serving as a "cashout" or "drop master" on behalf of the GozNym criminal network. He was arrested while visiting Sri Lanka in February 2017 at U.S. request, but was released on bail and required to remain in the country pending the results of his U.S. extradition hearing. "In December 2017, Manokhin unlawfully absconded from Sri Lanka and successfully fled back to Russia prior to the conclusion of the extradition proceedings," the U.S. Justice Department says.