‘Supermarket for cybercrime services’ taken down
A cybercrime network that used the GozNym malware in attempts to steal an estimated $100 million from more than 41,000 victims has been dismantled.
Ten members of the GozNym criminal network have been charged with conspiracy to commit fraud and computer hacking offences following an international law enforcement operation that led to raids and arrests in Bulgaria, Georgia, Moldova, and Ukraine. Criminal prosecutions have been initiated in Georgia, Moldova, Ukraine, and the US.
Alexander Konovolov (aka “NoNe” and “none_1”) age 35, of Tbilisi, Georgia, was the “primary organizer and leader of the GozNym network”, US prosecutors allege.
Konovolov allegedly trawled underground, Russian-speaking online criminal forums to recruit crooks and affiliates with specialisms including bulletproof hosting, money muling, spamming, and coding.
The defendant, along with a suspect accused of being his technical assistant, is being prosecuted in Georgia by the Prosecutor’s Office of Georgia and the Ministry of Internal Affairs of Georgia.
They face charges of spreading other malware strains including Nymaim (a problem in Germany, in particular) as well as GozNym.
A coder who allegedly encrypted GozNym malware to enable it to avoid detection by anti-virus tools is being prosecuted in Moldova.
Another suspect from Bulgaria has already been extradited to the United States in December 2016 and faces charges involving hacking into victims’ online bank accounts to extract funds.
Five Russian nationals charged in the indictment remain on the run, including Vladimir Gorin (AKA “Voland”, “mrv”, and “riddler”) of Orenburg, Russia.
He is suspected of developing the GozNym malware and leasing it to other cybercriminals.
Konstantin Volchkov (AKA “elvi”) age 28, of Moscow, Russia, allegedly provided spamming services to cybercriminals, distributing the GozNym malware through phishing emails.
A co-ordinated effort
The GozNym takedown operation showed how an international effort to share evidence and initiate criminal prosecutions can lead to successful operations in multiple countries, according to European policing organization Europol.
During a press conference, Stevie Wilson, the head of the European Cybercrime Centre (EC3) at Europol, described the network as a “supermarket for cybercrime services”.
Cybercriminals operate transnationally, across borders – police agencies need to take the same approach in order to have any hope of curtailing cybercrime, multiple speakers from various law enforcement agencies said during the presser.
GozNym infected tens of thousands of victim computers worldwide, primarily in the United States and Europe.
Victims ranged from law firms and small businesses to a non-profit that provided services to disabled children and international corporations.
A 2016 write-up of the GozNym banking trojan by IBM X-Force provides technical background as well as a potted history of its creation.
Bulletproof hosting services were given to the GozNym criminal network by an administrator of the ‘Avalanche’ network.
The Avalanche network provided services to more than 200 cybercriminals and hosted more than 20 different malware campaigns including GozNym, prior to an earlier takedown operation.
The alleged Avalanche administrator’s apartment in Poltava, Ukraine, was searched in November 2016 during a German-led operation to dismantle the network’s servers and other infrastructure.
Evidence recovered facilitated a follow-up investigation against the GozNym gang, as well as allowing local police to bring charges against the 36-year-old Ukrainian suspect, Gennady Kapkanov.