The nine accused – whose online nicknames include ‘tank’, ‘thehead’ and ‘lucky12345’ – infected thousands of computers with the notorious Zeus banking Trojan in 2009-2010 and stole victims' passwords and other online bank account details, according to charges brought before the Nebraska federal court in the US last Friday.
Their named victims include the Franciscan Sisters of Chicago, a religious order based in the Our Lady of Victory Convent in Lemont, Illinois, 50 miles from Chicago. The nuns had over £77,000 stolen from their Bank of America account, the indictment says. Other victims included the Bullitt County Fiscal Court, which allegedly lost more than £247,000.
But only two of the accused were in court – thanks to British police. Ukrainian nationals Yevhen Kulibaba, 36, and Yuriy Konovalenko, 31, were recently extradited to the US from the UK, and the Met Police are credited with “providing significant assistance” to the FBI's Omaha Cyber Task Force, which led the investigation.
According to the US Justice Department indictment, the crime gang used Zeus or Zbot malware to capture passwords, account numbers, PIN numbers, RSA SecurID token codes and other credentials to take over the victims' online bank accounts. They then transferred millions of dollars into the accounts of US-based ‘money mules’ who wired the proceeds overseas to the gang.
According to the charges, Kulibaba operated the conspirators' money-laundering network in the UK while Konovalenko provided money mules' and victims' banking credentials and helped collect the victims' data.
The other accused include four men who remain at large – Russian Alexey Tikonov, and Ukrainians Vyacheslav Igorevich Penchukov, 32, Ivan Viktorvich Klepikov, 30, and 26-year-old Alexey Dmitrievich Bron.
Penchukov allegedly co-ordinated the exchange of stolen banking credentials, Klepikov was the systems administrator, and Bron the alleged financial manager of the criminal operation. Tikonov allegedly developed new codes to compromise banking systems.
The remaining three accused are unidentified individuals from Russia and Ukraine, referred to as John Doe 1, John Doe 2 and John Doe 3.
Commenting on the case, cybercrime expert Jahmel Harris, a security consultant at MWR InfoSecurity, said the indictment shows how online crime is now being prioritised by law enforcement at an international level.
He told SCMagazineUK.com: “Malware attacks are being taken more seriously by governments and police services around the world, and the recent arrest has shown how effectively worldwide law enforcement need to work together to take down large groups of cyber criminals.
“Crimes are being committed by people separated by location, against people from all over the world. Worldwide law enforcement must work together to tackle the types of attacks we're now seeing on the internet.”
Harris added: “Unfortunately, this case has only dealt with the users of the Zeus malware kit and the mules hired by them. These can be large gangs spanning the globe, but as one is arrested, we'll see several more appear so computer users must be vigilant with their internet security and take steps to be safe online.”
Acting assistant attorney general David A O'Neil of the US Justice Department's Criminal Division said last week: “The Zeus malware is one of the most damaging pieces of financial malware that has ever been used. As the charges unsealed today demonstrate, we are committed to making the internet more secure. With the invaluable co-operation of our foreign law enforcement partners, we will continue to bring to justice cyber criminals who steal the money of US citizens.”
As well as Bank of America, the US institutions affected included First Federal Savings Bank, First National Bank of Omaha, Salisbury Bank & Trust, Key Bank, and Union Bank & Trust.
Along with the Met Police, the FBI were helped by the Ukraine Security Service and the Dutch Police's National High Tech Crime Unit.