US Charges Members of GozNym Cybercrime Gang

The FBI and counterparts from other nations say the group infected more than 41,000 computers with malware that steals online banking credentials.

US law enforcement authorities and their counterparts from five other countries have announced charges against 10 members of an international cybercrime operation that attempted to steal an estimated $100 million from organizations in the US and elsewhere in 2016.

An indictment unsealed Thursday by the US Attorney's Office for the Western District of Pennsylvania accuses the individuals of bank fraud, wire fraud, and money laundering for their roles in a sophisticated international cybercrime network known as GozNym.

Five of the indicted individuals are based in Russia and remain fugitives from justice, the US Department of Justice announced Thursday. The other individuals are based in Georgia, Ukraine, Moldova, and Bulgaria and face prosecutions in their respective countries.

An eleventh individual, Krasimir Nikolov, aka pablopicasso, was arrested in Bulgaria and extradited to the US in December 2016 on related charges. He has since pleaded guilty to participating in the GozNym operation and is scheduled for sentencing in Pittsburgh federal court on August 30, 2019, the DOJ said.

"The collaborative and simultaneous prosecution of the members of the GozNym criminal conspiracy in four countries represents a paradigm shift in how we investigate and prosecute cybercrime," US Attorney Scott Brady of the Western District of Pennsylvania said. "This prosecution represents an international cooperative effort to bring cybercriminals to justice."

According to the indictment, the eleven individuals belonged to a gang that stole money from the bank accounts of businesses located mostly in the United States and Europe.

The group is alleged to have infected tens of thousands of computers with GozNym, malware that steals online banking credentials from the infected systems. GozNym was designed to lurk on a system until the user attempts to log in to a bank account online; it then captures the username and password and transmits them to a server controlled by the attackers.

Certain members of the GozNym crew then used the stolen credentials to access the victims' bank accounts, steal money from them, and launder the funds through US and foreign bank accounts controlled by the gang.

An April 2016 IBM blog described GozNym as a hybrid that combines the strongest features of two earlier banking Trojans, Nymaim and Gozi. At the time, IBM said the malware was being actively used in attacks against customers of more than two dozen banks in the US and Canada and had already resulted in the theft of millions of dollars.

Limor Kessem, global executive security advisor of the X-Force team at IBM, says GozNym-facilitated fraud attacks caused more than $4 million in losses within just the first few days of its activity. "[GozNym] was unique because the malware authors had created a double-headed monster," Kessem says.

GozNym combined the Nymaim dropper's stealth and persistence and Gozi's capabilities to facilitate wire fraud on infected user devices, she notes. "[It made] for a powerful combination like nothing else in the cybercriminal toolkit arena at the time," Kessem says.

The alleged leader of the GozNym operation is Alexander Konovolov, 35, a Tbilisi, Georgia native who often used the online handles NoNe and none_1 when carrying out his criminal activities. Konovolov is alleged to have controlled some 41,000 computers infected with GozNym malware.

Sophisticated Criminal Team

According to the indictment, Konovolov assembled the GozNym team by recruiting members via underground Russian-language online forums. Many of the members Konovolov recruited were individuals who advertised their specialized technical skills and availability on those forums.

Among them was Marat Kazandjian, 31, of Kazakhstan and Tbilisi, Georgia. The indictment against Kazandjian describes him as being Konovolov's primary assistant and technical administrator. Both Konovolov and Kazandjian are being prosecuted in Georgia.

Most of the other indicted members of the GozNym gang had specific and separate roles within the operation. 

Gennady Kapkanov, 36, of Ukraine is charged with operating the Avalanche network, a so-called bulletproof hosting service on which the GozNym malware was hosted and from which it was distributed worldwide. Kapkanov is alleged to have offered similar malware hosting services to at least 200 other cybercriminals. Ukrainian authorities arrested Kapkanov in November 2016 after he shot at law enforcement officers conducting a search of his premises. He is being prosecuted in Ukraine for his role in the GozNym campaign.

Moldovan national Eduard Malanici, 32, is accused of encrypting ("crypting") GozNym malware so it could evade detection by anti-malware tools and other security controls on victims' systems. Malanici, along with two other unnamed accomplices, will stand trial in Moldova.

Vladimir Gorin, one of the five indicted individuals who currently remain free in Russia, is charged with developing, leasing, and managing the GozNym malware. Another Russian national, Ruslan Katirkin, is alleged to have been an account-takeover specialist who used the credentials harvested by GozNym to break into victim accounts and steal money from them.

Three other indicted individuals, Alexander Van Hoof of Ukraine and Viktor Eremenko and Farkhad Manokhin, both of Russia, are accused of operating bank accounts used to receive and launder funds stolen from victims of the GozNym campaign. Katirkin, Eremenko, and Manokhin currently remain at large in Russia. Manokhin had in fact been arrested in Sri Lanka in 2017 and was awaiting extradition to the US when he managed to flee the country and escape to Russia.

Nikolov, the only member of the gang facing prosecution in the US so far, was a "casher," or account-takeover specialist. Like Katirkin, his role in the GozNym operation was to use stolen credentials to break into bank accounts and steal money from them.

Though five of the indicted individuals remain free, they run the risk of capture and extradition if they set foot in a country with an extradition agreement with the US.

"If there's anything that discourages crime, it is seeing that it doesn't pay," Kessem says. The persistence of law enforcement in tracking down the alleged perpetrators over three years is also a win for cybercrime victims, especially organizations that can lose millions to such fraud attacks, Kessem says.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
