European and US law enforcement bring down GozNym cyber-crime gang

News by Bradley Barth

A coordinated international law enforcement operation in Europe and the US an has dismantled the GozNym cybercriminal network responsible for some €100 million of theft from its victims.

A coordinated international law enforcement operation in Europe and the US an has dismantled the GozNym cybercriminal network responsible for infecting roughly 41,000 computers with banking malware and stealing approximately €100 million from victims.

In the US fa ederal indictment charges 10 individuals with conspiracy to commit computer fraud, conspiracy to commit wire fraud and bank fraud, and conspiracy to commit money laundering. Five of these individuals were arrested in European countries that are diplomatically friendly with the US. The remaining five remaining fugitives are believed to be hiding out in Russia, where cyber-criminals who target the West are often granted safe haven.

The takedown was a joint effort conducted by  Europol, Eurojust, and law enforcement agencies in Bulgaria, Georgia, Germany, Moldova and Ukraine as well as the US Attorney’s Office for the Western District of Pennsylvania and the FBI’s Pittsburgh Field Office. The US Secret Service, the National Cyber-Forensics and Training Alliance (NCFTA) in Pittsburgh, the Shadowserver Foundation and the Department of Justice’s Office of International Affairs also contributed.

The GozNym group had its heyday in 2015 and 2016 shortly after a group of cyber-criminal specialists – recruited from dark web forums – created and propagated a malware program that mixed source code from Nymaim ransomware and the Gozi e-banking Trojan. GozNym was designed to capture and exfiltrate online banking login credentials, which the attackers would then use to log into victims’ accounts and steal their funds before laundering the money through a network of financial accounts.

Many of the victims were businesses and their financial institutions. Affected businesses ranged from a furniture business in Chula Vista, California to a casino in Gulfport, Mississippi to a stud farm in Midway Kentucky, according to a DOJ press release.

GozNym’s activities came to a crashing halt, however, following the 2016 takedown of the Avalanche network, which provided bulletproof hosting services to GozNym and other cyber-criminal groups. That investigation led to an earlier, separate indictment filed in 2016 against GozNym co-conspirator Krasimir Nikolov of Bulgaria, who awaits sentencing this August after pleading guilty in a US Pittsburgh, Pennsylvania federal court last April. Nikolov (aka pablopicasso, salvadordali and karlo) admitted to acting as the "casher" or "account takeover specialist" who accessed victims’ accounts via their credentials.

Like Nikolov, the 10 men charged on 17 April each took on specialised roles, often times based on skills that they brought with them upon forming the GozNym group. These roles included spamming, coding, handling financials, and more, Europol reported in its own agency press release.

According to the indictment, it was Alexander Konovolov (aka NoNe and none_1), 35, of Tbilisi, Georgia, who allegedly served as the network’s leader and recruited the other members. He is currently being prosecuted in Georgia alongside his alleged main assistant and technical administrator Marat Kazandjian (aka phant0m), 31, of Kazakhstan and Tbilisi, Georgia.

Gennady Kapkanov (aka Hennadiy Kapkanov, flux, ffhost, firestarter, and User 41), 36, of Poltava, Ukraine, is also accused of being a member of the defunct Avalanche network that provided GozNym was bulletproof hosting services. The DOJ says that Kapkanov was arrested back in November 2016 after allegedly firing an assault rifle through his Ukrainian apartment door as authorities attempted a search. He now faces new charges in the US and is being prosecuted in Ukraine.

Another Ukrainian, Alexander Van Hoof (aka al666), 45, from the city of Nikolaev, allegedly was a "cash-out" or "drop master" who provided his co-conspirators with access to bank accounts that he set up and controlled to receive funds that were illegally transferred from victims’ online bank accounts.              

And Eduard Malanici (aka JekaProf and procryptgroup), 32, of Balti, Moldova, is accused of encrypting the GozNym malware to help it avoid detection by security software. Malanici and two associates are being prosecuted in his home country.

The five Russians named in the indictment are identified as :

  • Vladimir Gorin (aka Voland, mrv, and riddler) of Orenburg. Gorin allegedly created and developed the GozNym malware.
  • Konstantin Volchkov (aka elvi), 28, of Moscow. Volchkov allegedly conducted spamming services that served up phishing emails on behalf of the GozNym group.
  • Ruslan Katirkin (aka stratos and xen), 31, of Kazan, Russia. Katirkin was allegedly another account takeover specialist.
  • Viktor Vladimirovich Eremenko (aka nfcorpi), 30, of Stavropol. Eremenko is an accused drop master.
  • Farkhad Rauf Ogly Manokhin (aka frusa) of Volgograd. Manokhin is an accused drop master who in February 2017 was arrested in Sri Lanka on behalf of the US, but fled back to Russia after being released on bail.

"The impact of this development in the GozNym story is huge," said Limor Kessem, global executive security advisor of IBM Security’s X-Force team, one of the researchers who first discovered GozNym. "If there’s anything that discourages crime, it is seeing that it doesn’t pay."

"Let’s take for example the initial GozNym-related arrest of Krasimir Nikolov. It was almost immediately after the arrest that GozNym faded out and disappeared, never to return again," Kessem continued in an email interview with SC Media. "Also, seeing the persistence of law enforcement here to track down the alleged perpetrators over three years is really a win for all victims of cybercrime, especially organisations that can lose millions to such fraud attacks."

This article was originally published on SC Media US.

Bradley Barth

Bradley Barth recommends

Read more

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews