Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


03:30 PM
Connect Directly

US Charges Members of GozNym Cybercrime Gang

The FBI and counterparts from other nations say group infected over 41,000 computers with malware that steals banking credentials.

US law enforcement authorities and their counterparts from five other countries have announced charges against 10 members of an international cybercrime operation that attempted to steal an estimated $100 million from organizations in the US and elsewhere in 2016.

An indictment unsealed Thursday by the US Attorney's Office for the Western District of Pennsylvania accused the individuals of committing bank fraud, wire fraud, and money laundering, in an operation of a sophisticated, international cybercrime network called GozNym.

Five of the indicted individuals are based in Russia and remain fugitives from justice, the US Department of Justice announced Thursday. The other individuals are based in Georgia, Ukraine, Moldova, and Bulgaria and face prosecutions in their respective countries.

A eleventh individual, Krasimir Nikolov, aka pablopicasso, was arrested in Bulgaria and extradited to the US in December 2016 on related charges. He has since pleaded guilty to participating in the GozNym operation. Nikolov is scheduled for sentencing in Pittsburgh federal court August 30, 2019, the DOJ said.

"The collaborative and simultaneous prosecution of the members of the GozNym criminal conspiracy in four countries represents a paradigm shift in how we investigate and prosecute cybercrime," US Attorney Scott Brady of the Western District of Pennsylvania said. "This prosecution represents an international cooperative effort to bring cybercriminals to justice."

According to the indictment, the eleven individuals belonged to a gang that stole money from the bank accounts of businesses located mostly in the United States and Europe.

The group is alleged to have infected tens of thousands of computers with GozNym, a malware for stealing online banking credentials from the infected systems. GozNym was designed to lurk on a system and wait until a user attempts to access their bank account online - then the malware steals their username and password and transmits them to a server controlled by the attackers.

Certain members of the GozNym crew then used the stolen credentials to access the victim's bank account, to steal money from it, and launder the funds via US and foreign bank accounts controlled by the gang.

An April 2016 IBM blog described GozNym as a hybrid malware tool that combines the best features of two earlier banking Trojans—Nymaim and Gozi. At the time, IBM said the malware was being actively used in attacks against customers of more than two-dozen banks in the US and Canada and had resulted in the theft of millions of dollars.

Limor Kessem, global executive security advisor of the X-Force team at IBM, says GozNym-facilitated fraud attacks amounted to over $4 million of dollars in losses within just the first few days of its activity. "[GozNym] was unique because the malware authors had created a double-headed monster," Kessem says.

GozNym combined the Nymaim dropper's stealth and persistence and Gozi's capabilities to facilitate wire fraud on infected user devices, she notes. "[It made] for a powerful combination like nothing else in the cybercriminal toolkit arena at the time," Kessem says.

The alleged leader of the GozNym operation was Alexander Konovolov, 35, a Tbilisi, Georgia native who often used the online handles NoNe and none_1, when carrying out his criminal activities. Konovolov is alleged to have controlled some 41,000 computers infected with GozNym malware.

Sophisticated Criminal Team

According to the indictment, Konovolov assembled the GozNym team by recruiting members via underground Russian-language speaking online forums. Many of the members that Konovolov recruited were individuals who advertised their specialized technical skills and availability on these forums.

Among them was Marat Kazandjian, 31, of Kazakhstan and Tbilisi, Georgia. The indictment against Kazandjian describes him as being Konovolov's primary assistant and technical administrator. Both Konovolov and Kazandjian are being prosecuted in Georgia.

Most of the other indicted members of the GozNym gang had specific and separate roles within the operation. 

Gennady Kapkanov, 36, of Ukraine is charged with operating Avalanche network, a so-called bulletproof hosting service on which the GozNym malware was hosted and from where it was distributed worldwide. Kapkanov is alleged to have offered similar malware hosting services for at least 200 other cybercriminals. Ukrainian authorities arrested Kapkanov in November 2016 after he shot at law enforcement officers conducting a search of his facilities. He is being prosecuted in Ukraine for his role in the GozNym campaign.

Moldova-national Eduard Malanici, 32, is accused of helping encrypt GozNym malware so it could evade detection by anti-malware tools and other security controls on victims. Malanici, along with two other unnamed accomplices, will stand trial in Moldova.

Vladimir Gorin, one of the five indicted individuals that currently remain free in Russia, is charged with developing, leasing, and managing GozNym. Another Russian national, Ruslan Katirkin, was an account-takeover specialist who used the credentials obtained by the GozNym malware to break into victim accounts and steal money from them.

Three other indicted individuals—Alexander Van Hoof of Ukraine, Viktor Eremenko, of Russia, and Farkhad Manokhin also of Russia—are accused of operating bank accounts for receiving and laundering funds stolen from the victims of the GozNym campaign. Katirkin, Eremenko, and Manokhin currently remain at large in Russia. Makokhin was actually arrested in 2017 in Sri Lanka and was awaiting extradition to the US when he managed to flee from the country and escape to Russia.

Nikolov, the only member of the gang that is facing prosecution in the US so far, was a "casher" or account-takeover specialist. Like Katirkin, his role in the GozNym operation was to use stolen credentials to break into bank accounts and steal money from them.

Though five of the indicted individuals remain free, they run the risk of capture and extradition if they set foot in a country with an extradition agreement with the US.

"If there's anything that discourages crime, it is seeing that it doesn't pay," Kessem says. The persistence of law enforcement in tracking down the alleged perpetrators over three years is also a win for cybercrime victims, especially organizations that can lose millions to such fraud attacks, Kessem says.

Related Content:




Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-09-24
The client API authentication mechanism in Pexip Infinity before 10 allows remote attackers to gain privileges via a crafted request.
PUBLISHED: 2020-09-24
An incomplete SSL server certification validation vulnerability in the Trend Micro Security 2019 (v15) consumer family of products could allow an attacker to combine this vulnerability with another attack to trick an affected client into downloading a malicious update instead of the expected one. CW...
PUBLISHED: 2020-09-24
An incomplete SSL server certification validation vulnerability in the Trend Micro Security 2019 (v15) consumer family of products could allow an attacker to combine this vulnerability with another attack to trick an affected client into downloading a malicious update instead of the expected one. CW...
PUBLISHED: 2020-09-23
An issue was discovered in Xen through 4.14.x. x86 PV guest kernels can experience denial of service via SYSENTER. The SYSENTER instruction leaves various state sanitization activities to software. One of Xen's sanitization paths injects a #GP fault, and incorrectly delivers it twice to the guest. T...
PUBLISHED: 2020-09-23
An issue was discovered in Xen through 4.14.x. There is mishandling of the constraint that once-valid event channels may not turn invalid. Logic in the handling of event channel operations in Xen assumes that an event channel, once valid, will not become invalid over the life time of a guest. Howeve...