A complex transnational organized cybercrime network that used GozNym malware in an attempt to steal an estimated $100 million from unsuspecting victims in the United States and around the world has been dismantled, Department of Justice (DoJ) officials said Thursday.
GozNym infected tens of thousands of computers worldwide, primarily in the United States and Europe, DoJ officials said. The operation was highlighted by the initiation of criminal prosecutions against members of the network in four different countries as a result of cooperation between the United States, Georgia, Ukraine, Moldova, Germany, Bulgaria, Europol and Eurojust.
According to the indictment, the defendants conspired to:
• Infect victims’ computers with GozNym malware designed to capture victims’ online banking login credentials
• Use the captured login credentials to fraudulently gain unauthorized access to victims’ online bank accounts
• Steal money from victims’ bank accounts and launder those funds using U.S. and foreign beneficiary bank accounts controlled by the defendants
The defendants reside in Russia, Georgia, Ukraine, Moldova and Bulgaria. The operation was an international effort to share evidence and initiate criminal prosecutions against members of the same criminal network in multiple countries.
At the request of the United States, Krasimir Nikolov, aka “pablopicasso,” “salvadordali,” and “karlo,” of Varna, Bulgaria, was searched and arrested by Bulgarian authorities and extradited to the United States in December 2016 to face prosecution in the Western District of Pennsylvania. Nikolov’s primary role in the conspiracy was that of a “casher” or “account takeover specialist” who used victims’ stolen online banking credentials captured by GozNym malware to access victims’ online bank accounts and attempt to steal victims’ money through electronic funds transfers into bank accounts controlled by fellow conspirators.
Nikolov entered a guilty plea in federal court in Pittsburgh on charges relating to his participation in the GozNym conspiracy on April 10, 2019. He is scheduled to be sentenced on Aug. 30.
Five of the named defendants reside in Russia and remain fugitives. However, to overcome the inability to extradite the remaining defendants to the United States for prosecution, an effort was undertaken to share evidence and build prosecutions against defendants in the remaining countries where they reside, including Georgia, Ukraine and Moldova. The prosecutions are based on shared evidence acquired through coordinated searches for evidence in Georgia, Ukraine, Moldova and Bulgaria, as well as from evidence shared by the United States and Germany from their respective investigations.
The GozNym network exemplified the concept of “cybercrime as a service.” According to the indictment, the defendants advertised their specialized technical skills and services on underground, Russian-language, online criminal forums. The GozNym network was formed when these individuals were recruited from the online forums and came together to use their specialized technical skills and services in furtherance of the conspiracy.
Alexander Konovolov, aka “NoNe” and “none_1,” 35, of Tbilisi, Georgia, was the primary organizer and leader of the GozNym network who controlled more than 41,000 victim computers infected with GozNym malware, according to the indictment. Konovolov assembled the team of cybercriminals charged in the indictment, in part by recruiting them through the underground online criminal forums. Marat Kazandjian, aka “phant0m,” age 31, of Kazakhstan and Tbilisi, Georgia, was allegedly Konovolov’s primary assistant and technical administrator. Konovolov and Kazandjian are being prosecuted in Georgia for their respective roles in the GozNym criminal network.
Gennady Kapkanov, aka “Hennadiy Kapkanov,” “flux,” “ffhost,” “firestarter,” and “User 41,” age 36, of Poltava, Ukraine, was an administrator of a bulletproof hosting service known by law enforcement and computer security researchers as the “Avalanche” network. This network provided services to more than 200 cybercriminals, including Konovolov and Kazandjian, and it hosted more than 20 different malware campaigns, including GozNym. Kapkanov’s apartment in Poltava, Ukraine was searched in November 2016 during a German-led operation to dismantle the network’s servers and other infrastructure. Kapkanov was arrested for shooting an assault rifle through the door of his apartment at Ukrainian law enforcement officers conducting the search. Through the coordinated efforts being announced today, Kapkanov is now facing prosecution in Ukraine for his role in providing bulletproof hosting services to the GozNym criminal network.
Alexander Van Hoof, aka “al666,” age 45, of Nikolaev, Ukraine, was a “cash-out” or “drop master” who provided fellow members of the conspiracy with access to bank accounts he controlled that were designated to receive stolen funds from GozNym victims’ online bank accounts.
Eduard Malanici, aka “JekaProf” and “procryptgroup,” age 32, of Balti, Moldova, provided crypting services to cybercriminals. Malanici crypted GozNym malware in furtherance of the conspiracy to enable the malware to avoid detection by anti-virus tools and protective software on victims’ computers. Malanici, along with two associates, is being prosecuted in Moldova.
Victims of the GozNym malware attacks include:
• An asphalt and paving business located in New Castle, Pennsylvania
• A law firm located in Washington, DC
• A church located in Southlake, Texas
• An association dedicated to providing recreation programs and other services to persons with disabilities located in Downers Grove, Illinois
• A distributor of neurosurgical and medical equipment headquartered in Freiburg, Germany, with a U.S. subsidiary in Cape Coral, Florida
• A furniture business located in Chula Vista, California
• A provider of electrical safety devices located in Cumberland, Rhode Island
• A contracting business located in Warren, Michigan
• A casino located in Gulfport, Mississippi
• A stud farm located in Midway, Kentucky
• A law office located in Wellesley, Massachusetts
Five Russian nationals charged in the indictment who remain fugitives from justice include: Vladimir Gorin, aka “Voland,” “mrv,” and “riddler,” of Orenburg, Russia; Konstantin Volchkov, aka “elvi,” age 28, of Moscow, Russia; Ruslan Katirkin, aka “stratos” and “xen,” age 31, of Kazan, Russia; Viktor Vladimirovich Eremenko, aka “nfcorpi,” age 30, of Stavropol, Russia; and Farkhad Rauf Ogly Manokhin, aka “frusa,” of Volgograd, Russia.