Suspected members of the GozNym cybercrime network have been charged in relation to the organised and automated theft of tens of thousands of people’s sensitive personal and financial information.

The sophisticated conspiracy saw victims’ computers infected with the GozNym malware in order to steal online banking passwords, and funds stolen from compromised accounts and laundered to bank accounts around the world.

A US federal grand jury has charged ten men, and according to Europol other prosecutions have begun in Georgia, Moldova, and Ukraine.

The ten men charged by the United States district court in Pittsburgh are:

  • Alexander Konovolov (also known as “NoNe”, “none_1”)
  • Marat Kazandjian (also known as “phant0r11”)
  • Vladimir Gorin (also known as “Voland”, “mtv”, “fiddler”)
  • Gennady Kapkanov (also known as “Hennadiy Kapkanov”, “flux”, “ffhost”, “firestarter’”, “User41”)
  • Eduard Malanici (also known as “JekaProf”, “procryptgroup”)
  • Konstantin Volchkov (also known as “elvi”)
  • Ruslan Vladimirovich Katirkin (also known as “Stratos”, “Xen”)
  • Viktor Vladimirovich Eremenko (also known as “nfcorpi”)
  • Farkhad Rauf Ogly Manokhin (also known as “frusa”)
  • Alexander Van Hoof (also known as “a1666”)

The group were allegedly part of the cybercrime gang from October 2015 to around December 2016, working with other conspirators to steal money primarily from businesses and their financial institutions through the GozNym malware.

GozNym itself was a hybrid of two previously-discovered strains of malware: Gozi and Nymaim.

The leader of the conspiracy, Alexander Konovolov from Georgia, is said to have admitted controlling a 41,000-strong botnet of compromised computers infected with the GozNym malware. He then recruited other cybercriminals from underground, Russian-speaking online criminal forums.

This effort demanded specialist skills from a network of co-conspirators which included malware developers, crypters (who encrypted malware in an attempt to avoid detection from anti-virus software), spammers (to distribute the malware through email attachments or malicious links, posing as legitimate business emails), bulletproof hosters (who provided the infrastructure to keep servers online and out of the sight of law enforcement and security researchers), cashers (who moved funds out of victims’ bank accounts), and others who provided access to bank accounts into which stolen money could be dropped.

At a live-streamed news conference at Europol’s headquarters in The Hague, representatives from the United States, Germany, Ukraine, Georgia, Moldova, and Bulgaria described in detail how the malware operation had attempted their $100 million hack.

“It was truly the scope of this organization that made this campaign so dangerous,” Scott W. Brady, US attorney for the Western District of Pennsylvania, told the press conference. “We identified over 41,000 victims, unsuspecting citizens of European and North American countries who thought they were clicking on a simple invoice as part of their business. Instead, they were giving hackers access to their most personal and sensitive information.”

Clearly the gang were not keen to send an end of their criminal endeavours.

Prosecutor Dmytro Storozhuk described how during a house search in Ukraine, one suspect resisted arrest and actually shot at law enforcement officers. Fortunately, nobody was hurt.

The arrests of the gang are a direct consequence of December 2016’s takedown of Avalanche, a network of infrastructure used as a delivery platform to launch and manage global malware attacks and money mule recruiting campaigns.