Bogdan Nicolescu, 34, Tiberiu Danet, 31, and Radu Miclaus, 34, allegedly infected victims with malware, stealing their credentials and credit card info to commit various acts of fraud and theft.
Bogdan Nicolescu, 34, Tiberiu Danet, 31, and Radu Miclaus, 34, allegedly infected victims with malware, stealing their credentials and credit card info to commit various acts of fraud and theft.

What happened? A U.S. district court on Friday unsealed a federal indictment that charges three Romanian nationals with 21 counts of conspiracy, fraud and identity theft for their alleged roles in a cybercriminal operation known as Bayrob.

According to a Department of Justice press release, the group has allegedly infected more than 60,000 computers, sent out over 11 million fraudulent emails and stolen at least $4 million. However, in its own blog post, Symantec Corporation claims the Bayrob group may have stolen as much as $35 million and infected as many as 160,000 machines.

The three defendants, who were arrested earlier this year and extradited to the U.S. just last week, are each charged with general conspiracy, conspiracy to commit wire fraud, conspiracy to traffic in counterfeit service marks, conspiracy to commit money laundering, five counts of aggravated identity theft and 12 counts of wire fraud.

Their arrests were the result of a law enforcement investigation, assisted by Symantec, that lasted at least eight years. Kevin Haley, director of product management at Symantec Security Response, told SC Media that a big break in the case came around 2011. "They made some mistakes and we were able to see into their network to get a larger picture as to what was going on," said Haley. "These guys went to great lengths to protect themselves, but... you only need to make a mistake once to allow good guys to get information on you."

Jurisdiction: The indictment was filed by the U.S. Attorney's Office in the Northern District of Ohio. Assistant U.S. Attorneys Duncan T. Brown and Om Kakani are prosecuting case alongside Brian Levine, senior counsel with the Justice Department's Computer Crime and Intellectual Property Section. The FBI led the investigation into the Bayrob operation, with assistance from the Romanian National Police.

Background: Per the DOJ and Symantec: Bogdan Nicolescu, 34 (aka Masterfraud), Tiberiu Danet, 31 (aka Amightysa), and Radu Miclaus, 34 (aka Minolta), allegedly ran a cybercrime operation in Bucharest, Romania – nicknamed Bayrob – whose illegal activity was first detected in 2007. The defendants are accused of launching phishing campaigns that infected somewhere between 60,000 and 160,000 machines with proprietary malware, allowing them to commit fraud and steal personal data including credit card information, user names and passwords.

Once in possession of the stolen email credentials, the defendants allegedly accessed their victims' accounts to obtain their email contact lists. The accused conspirators also registered new AOL email accounts to infected machines, according to the DOJ, allowing them to spam their victims' email contacts with over 11 million malicious messages.

Moreover, when owners of an infected machine visited certain websites like Facebook and Paypal, the malware would intercept these requests and reroute the computer to a malicious website that looked nearly identical. Using this technique, the Bayrob conspirators allegedly stole website credentials as well as credit card information, which was used to fund their criminal enterprise.

The defendants also used this man-in-the-middle-style attack on eBay and other auction websites to display more than 1,000 fraudulent listings for high-priced merchandise. Victims that clicked on photos of these items were infected with malware that redirected them to fictional webpages, where they were prompted to pay for the non-existent goods via escrow agents. These agents were essentially money mules hired by Bayrob to wire the funds to the alleged conspirators. The fictional merchandise, of course, would never arrive.

Symantec noted that the alleged culprits went as far as creating a fake trucking company that would provide updates on the delivery of these fake products, stalling just long enough to receive payments from the victims before they realized they were duped. "They [were] spinning an incredible web of lies in order to victimize people," added Haley, noting their "attention to detail."

More recently, the defendants used the processing power of over 300,000 compromised computers to create a botnet capable of cryptocurrency mining, the DOJ and Symantec reported.

Quotes: “This case illustrates the sophistication and determination with which cyber criminals seek to harm Americans and American businesses from abroad,” said Assistant Attorney General Leslie Caldwell.  “But our response demonstrates that, with effective international cooperation, we can track these criminals down and make sure they face justice, no matter where or how they try to hide.”

“These defendants stole millions of dollars from people in the United States through a sophisticated fraud conspiracy they operated in Eastern Europe,” said U.S. Attorney Carole S. Rendon. “Cybercrime is an ever-growing threat. We will continue to work with both our partners in law enforcement and in the private sector to evolve with the threat and protect our networks and national security.”

“This indictment and subsequent arrests reveal the dynamic landscape in which international criminals utilize sophisticated cyber methods to take advantage of and defraud unsuspecting victims,” said FBI Special Agent in Charge Stephen D. Anthony. “Despite the complexity and global character of these investigations, these arrests demonstrate the commitment by the FBI and our partners to aggressively pursue these individuals and bring justice to the victims.”

"Our investigation required time and patience," Symantec stated in its blog post. "In one case, we observed the gang's malicious activities for a year and a half before it made an error that exposed one of its suspected members. Over time we came to understand the group's infrastructure which helped us to get see more of the gang's operations."