THE HAGUE, Netherlands—A complex transnational organized cybercrime network that used GozNym malware in an attempt to steal an estimated $100 million from unsuspecting victims in the United States and around the world has been dismantled as part of an international law enforcement operation, according to the U.S. Department of Justice.
“GozNym infected tens of thousands of victim computers worldwide, primarily in the United States and Europe. The operation was highlighted by the unprecedented initiation of criminal prosecutions against members of the network in four different countries as a result of cooperation between the United States, Georgia, Ukraine, Moldova, Germany, Bulgaria, Europol and Eurojust,” the DoJ stated.
United States Attorney Scott W. Brady of the Western District of Pennsylvania made the announcement at Europol, located in The Hague, Netherlands, along with his international partners.
Numerous Governments Involved
The operation was conducted by the United States Attorney’s Office for the Western District of Pennsylvania and the FBI’s Pittsburgh Field Office, along with the Office of the Prosecutor General of Georgia, Prosecutor General’s Office of Ukraine, Office of the Prosecutor General of the Republic of Moldova, Public Prosecutor’s Office Verden (Germany), the Supreme Prosecutor’s Office of Cassation of the Republic of Bulgaria, Ministry of Internal Affairs of Georgia, National Police of Ukraine, General Police Inspectorate of the Republic of Moldova, the Luneburg Police of Germany and the Republic of Bulgaria’s General Directorate for Combatting Organized Crime with the significant assistance of Europol and Eurojust.
“International law enforcement has recognized that the only way to truly disrupt and defeat transnational, anonymized networks is to do so in partnership,” Brady stated. “The collaborative and simultaneous prosecution of the members of the GozNym criminal conspiracy in four countries represents a paradigm shift in how we investigate and prosecute cybercrime. Cybercrime victimizes people all over the world. This prosecution represents an international cooperative effort to bring cybercriminals to justice.”
What Indictment Alleges
According to the Indictment, the defendants conspired to:
- Infect victims’ computers with GozNym malware designed to capture victims’ online banking login credentials
- Use the captured login credentials to fraudulently gain unauthorized access to victims’ online bank accounts
- Steal money from victims’ bank accounts and launder those funds using U.S. and foreign beneficiary bank accounts controlled by the defendants
“The defendants reside in Russia, Georgia, Ukraine, Moldova and Bulgaria. The operation was an unprecedented international effort to share evidence and initiate criminal prosecutions against members of the same criminal network in multiple countries,” the DoJ said.
Searched & Arrested
At the request of the United States, Krasimir Nikolov, aka “pablopicasso,” “salvadordali,” and “karlo,” of Varna, Bulgaria, was searched and arrested by Bulgarian authorities and extradited to the United States in December 2016 to face prosecution in the Western District of Pennsylvania. Nikolov’s primary role in the conspiracy was that of a “casher” or “account takeover specialist” who used victims’ stolen online banking credentials captured by GozNym malware to access victims’ online bank accounts and attempt to steal victims’ money through electronic funds transfers into bank accounts controlled by fellow conspirators. Nikolov is named as a GozNym conspirator in the newly unsealed indictment, although he is charged in a related Indictment filed in the Western District of Pennsylvania. Nikolov entered a guilty plea in federal court in Pittsburgh on charges relating to his participation in the GozNym conspiracy on April 10, 2019. He is scheduled to be sentenced on Aug. 30, 2019, the DoJ stated.
Five Fugitives
“Five of the named defendants reside in Russia and remain fugitives from justice. However, to overcome the inability to extradite the remaining defendants to the United States for prosecution, an unprecedented effort was undertaken to share evidence and build prosecutions against defendants in the remaining countries where they reside, including Georgia, Ukraine and Moldova. The prosecutions are based on shared evidence acquired through coordinated searches for evidence in Georgia, Ukraine, Moldova and Bulgaria, as well as from evidence shared by the United States and Germany from their respective investigations,” the DoJ said.