In a joint effort by several law enforcement agencies from six different countries, officials have dismantled a major global organized cybercrime network behind the GozNym banking malware.
Over the course of several years, GozNym banking malware was used to steal nearly $100 million from over 41,000 victims across the globe, primarily in the United States and Europe.
GozNym was created by combining two known powerful Trojans—Gozi ISFB, a banking Trojan that first appeared in 2012, and Nymaim, a Trojan downloader that can also function as ransomware.
In a press conference held on Thursday, Europol said the operation was successfully conducted with the cooperation between Bulgaria, Germany, Georgia, Moldova, Ukraine, and the United States.
The United States has charged ten members of the GozNym criminal network, five of whom were arrested during several coordinated searches conducted in Bulgaria, Georgia, Moldova, and Ukraine.
The remaining five defendants reside in Russia and are on the run, including one who developed the GozNym malware and leased it to other cybercriminals by advertising it on underground, Russian-language, online criminal forums.
According to the indictment unsealed earlier today in a U.S. court, the defendants have been charged with conspiracy to commit computer fraud, conspiracy to commit wire fraud and bank fraud, and conspiracy to commit money laundering.
A member of the group who encrypted the GozNym malware to avoid detection by anti-virus tools was also arrested and is being prosecuted in the Republic of Moldova.
The members of the group infected victims’ computers with the GozNym malware and captured their online banking login credentials. With those credentials they fraudulently transferred money out of the victims’ accounts and then laundered the funds through U.S. and foreign bank accounts controlled by the defendants.
“The defendants advertised their specialized technical skills and services on underground, Russian-speaking online criminal forums. The GozNym network was formed when these individuals were recruited from the online forums by the GozNym leader who controlled more than 41 000 victim computers infected with GozNym malware,” Europol said.
“The leader of the GozNym criminal network, along with his technical assistant, are being prosecuted in Georgia by the Prosecutor’s Office of Georgia and the Ministry of Internal Affairs of Georgia.”
The victims of this criminal network were primarily U.S. businesses and their financial institutions, including a number of victims located in the Western District of Pennsylvania.
The GozNym malware network was hosted and operated through the “Avalanche” bulletproof hosting service, whose administrator was arrested in Ukraine during a search in November 2016.