Ten cyber criminals behind GozNym malware operations indicted in the US
16 May 2019
A US federal court has indicted ten members of a cyber crime gang, including five Russian nationals, that deployed a credential-stealing malware known as GozNym to harvest online banking logins and gain access to the bank accounts of more than 41,000 victims, including businesses and their financial institutions.
The federal indictment alleges that the group used the GozNym malware to steal online banking credentials from victims' computers, used those credentials to log in to the victims' online banking accounts, transferred money out of them, and then laundered the funds through US and foreign beneficiary bank accounts.
Cyber crime group behind GozNym malware featured many capabilities
According to the indictment, the group's leader assembled the team by recruiting hackers who advertised their specialist skills on Russian-speaking online criminal forums; the resulting operation went on to compromise the computers of 41,000 victims across the US and Europe. Once recruited, the members operated as a "cybercrime as a service" organisation, with different members providing money mule networks, spamming, coding, technical support and bulletproof hosting.
Before deploying GozNym, the group encrypted the malware so that it would evade detection by anti-virus tools and other malware-scanning software. Once the malware had stolen online banking credentials from infected computers, a member of the group acting as an "account takeover specialist" used those credentials to log in to victims' online bank accounts and attempt to steal their money.
Other members acted as "cash-outs" or "drop masters", providing fellow members with access to bank accounts designated to receive the funds stolen from GozNym victims' online bank accounts. Still others sent phishing emails in bulk to deliver the malware onto the devices of businesses and financial institutions.
During the course of its operations, the GozNym group received bulletproof hosting services from an administrator of the "Avalanche" network, who also hosted more than twenty other malware campaigns run by more than 200 cyber criminals. That administrator is presently being prosecuted in Ukraine by the Prosecutor General's Office of Ukraine and the National Police of Ukraine.
One member of the group is presently being prosecuted in Moldova, another was extradited by Bulgarian authorities to the US in December 2016, and the five Russian nationals named in the indictment remain at large.
“This operational success is a result of the international law enforcement cooperation between participating EU Member States (Bulgaria and Germany) as well as Georgia, Moldova, Ukraine and the United States (in alphabetical order),” said Europol in a press release.
“Europol, the European Agency for Law Enforcement Cooperation, as well as Eurojust, the European Union’s Judicial Cooperation Unit, supported the case. This operation showcases how an international effort to share evidence and initiate criminal prosecutions can lead to successful operations in multiple countries,” it added.
A string of successes for Europol against Dark Web operators
The action against the GozNym group comes not long after law enforcement authorities in France and Israel arrested two administrators of a website known as DeepDotWeb, who earned millions in kickbacks by referring buyers of fentanyl, heroin and other illegal goods to popular Dark Web marketplaces.
Through the website, the pair facilitated the sale of illegal drugs, firearms, malicious software, hacking tools, stolen financial information, payment cards and counterfeit goods on a number of Dark Web marketplaces, reportedly serving hundreds of thousands of customers looking to purchase such goods discreetly.
According to Europol, the duo received more than 8,150 bitcoins in kickback payments, worth approximately €7.5 million (£6.5 million) when adjusted for the trading value of bitcoin at the time of each transaction. Only a few days earlier, Europol had also taken down two major Dark Web marketplaces, Wall Street Market and Valhalla, that were frequented by cyber criminals and buyers from across the globe.