10 out of 11 defendants in five countries are accused of using the malware to steal money from more than 41,000 victims, mostly businesses and financial institutions. Five defendants were arrested in Moldova, Bulgaria, Ukraine and Russia. The leader of the criminal network and his technical assistant are being prosecuted in Georgia.The remaining five defendants, all Russian nationals, remain on the run and are wanted by the FBI,all were charged with conspiracy to commit computer fraud, conspiracy to commit wire and bank fraud and conspiracy to commit money laundering. An eleventh member of the conspiracy, Krasimir Nikolov, was previously charged and extradited to the U.S. in 2016 and pleaded guilty in April in his role in the GozNym malware network. The group behind this attack are highly specialized in their roles, each carrying out different tasks from coding, sending phishing emails, and tending to the flow of money from victims.
What was committed by the GozNym group?
- Using the captured login credentials to fraudulently gain unauthorized access to victims’ online bank accounts;
- Infecting victims’ computers with GozNym malware designed to capture victims’ online banking login credentials;
- Stealing money from victims’ bank accounts and laundering those funds using U.S. and foreign beneficiary bank accounts controlled by the defendants.
What is GozNym malware?
The GozNym is a powerful banking malware that spread across the U.S., Canada, Germany and Poland. It was created sometime around 2015 by combining the code of two older pieces of malware, the well-known banking trojans Gozi which leaked in 2010, and the Nymaim dropper, a later malware most often used to unleash ransomware attacks.
The malware used encryption and other obfuscation techniques to avoid detection by antivirus tools. Then, spammers are said to have sent hundreds of thousands of phishing emails to infect staff at businesses and banks. After the malware infected its victim computers, the malware would steal the passwords control of bank accounts, which the criminals would later log in and cash out.
Nymaim, a two-stage malware dropper that infects computers through exploit kits from malicious links or emails; and
Gozi, a web injection module used to hook into the web browser, allowing the attacker to steal login credentials and passwords.
Over the course of the international operation, pursuits were conducted in Bulgaria, Georgia, Moldova and Ukraine. Criminal prosecutions have been inducted in Georgia, Moldova, Ukraine and the United States. This operation showcases how an international effort to share evidence and initiate criminal prosecutions can lead to successful operations in multiple countries.