A coordinated international law enforcement operation in the U.S. and Europe has dismantled the GozNym cybercriminal network responsible for infecting roughly 41,000 computers with banking malware and stealing approximately $100 million from victims.
A U.S. federal indictment unsealed today charges 10 individuals with conspiracy to commit computer fraud, conspiracy to commit wire fraud and bank fraud, and conspiracy to commit money laundering. Five of these individuals were arrested in European countries that are diplomatically friendly with the U.S. The remaining five fugitives are believed to be hiding out in Russia, where cybercriminals who target Americans are often granted safe haven.
The takedown was a joint effort conducted by the U.S. Attorney’s Office for the Western District of Pennsylvania, the FBI’s Pittsburgh Field Office, Europol, Eurojust, and law enforcement agencies in Bulgaria, Georgia, Germany, Moldova and Ukraine. The U.S. Secret Service, the National Cyber-Forensics and Training Alliance (NCFTA) in Pittsburgh, the Shadowserver Foundation and the Department of Justice’s Office of International Affairs also contributed.
The GozNym group had its heyday in 2015 and 2016 shortly after a group of cybercriminal specialists – recruited from dark web forums – created and propagated a malware program that mixed source code from Nymaim ransomware and the Gozi e-banking Trojan. GozNym was designed to capture and exfiltrate online banking login credentials, which the attackers would then use to log into victims’ accounts and steal their funds before laundering the money through a network of financial accounts.
Many of the victims were businesses and their financial institutions. Affected businesses ranged from a furniture business in Chula Vista, California to a casino in Gulfport, Mississippi to a stud farm in Midway, Kentucky, according to a DOJ press release.
GozNym’s activities came to a crashing halt, however, following the 2016 takedown of the Avalanche network, which provided bulletproof hosting services to GozNym and other cybercriminal groups. That investigation led to an earlier, separate indictment filed in 2016 against GozNym co-conspirator Krasimir Nikolov of Bulgaria, who awaits sentencing this August after pleading guilty in a Pittsburgh, Pennsylvania federal court last April. Nikolov (aka pablopicasso, salvadordali and karlo) admitted to acting as the “casher” or “account takeover specialist” who accessed victims’ accounts via their credentials.
Like Nikolov, the 10 men charged on April 17 each took on specialized roles, often based on skills that they brought with them upon forming the GozNym group. These roles included spamming, coding, handling financials, and more, Europol reported in its own agency press release.
According to the indictment, it was Alexander Konovolov (aka NoNe and none_1), 35, of Tbilisi, Georgia, who allegedly served as the network’s leader and recruited the other members. He is currently being prosecuted in Georgia alongside his alleged main assistant and technical administrator Marat Kazandjian (aka phant0m), 31, of Kazakhstan and Tbilisi, Georgia.
Gennady Kapkanov (aka Hennadiy Kapkanov, flux, ffhost, firestarter, and User 41), 36, of Poltava, Ukraine, is also accused of being a member of the defunct Avalanche network that provided GozNym with bulletproof hosting services. The DOJ says that Kapkanov was arrested back in November 2016 after allegedly firing an assault rifle through his Ukrainian apartment door as authorities attempted a search. He now faces new charges in the U.S. and is being prosecuted in Ukraine.
Another Ukrainian, Alexander Van Hoof (aka al666), 45, from the city of Nikolaev, allegedly was a “cash-out” or “drop master” who provided his co-conspirators with access to bank accounts that he set up and controlled to receive funds that were illegally transferred from victims’ online bank accounts.
And Eduard Malanici (aka JekaProf and procryptgroup), 32, of Balti, Moldova, is accused of encrypting the GozNym malware to help it avoid detection by security software. Malanici and two associates are being prosecuted in his home country.
The five Russians named in the indictment are identified as:
- Vladimir Gorin (aka Voland, mrv, and riddler) of Orenburg. Gorin allegedly created and developed the GozNym malware.
- Konstantin Volchkov (aka elvi), 28, of Moscow. Volchkov allegedly conducted spamming services that served up phishing emails on behalf of the GozNym group.
- Ruslan Katirkin (aka stratos and xen), 31, of Kazan, Russia. Katirkin was allegedly another account takeover specialist.
- Viktor Vladimirovich Eremenko (aka nfcorpi), 30, of Stavropol. Eremenko is an accused drop master.
- Farkhad Rauf Ogly Manokhin (aka frusa) of Volgograd. Manokhin is an accused drop master who in February 2017 was arrested in Sri Lanka on behalf of the U.S., but fled back to Russia after being released on bail.
“The impact of this development in the GozNym story is huge,” said Limor Kessem, global executive security advisor of IBM Security’s X-Force team, one of the researchers who first discovered GozNym. “If there’s anything that discourages crime, it is seeing that it doesn’t pay.”
“Let’s take for example the initial GozNym-related arrest of Krasimir Nikolov. It was almost immediately after the arrest that GozNym faded out and disappeared, never to return again,” Kessem continued in an email interview with SC Media. “Also, seeing the persistence of law enforcement here to track down the alleged perpetrators over three years is really a win for all victims of cybercrime, especially organizations that can lose millions to such fraud attacks.”