An indictment unsealed this week by the US Department of Justice (DoJ) in a Pennsylvania federal court and another one from last October has shed more light on the vast criminal network that cyberthieves rely on to launder funds stolen from their victims.
The indictment that was unsealed today charged 14 individuals from Latvia, Bulgaria, the UK, Spain, and Italy with conspiracy to commit money laundering involving tens of millions of dollars stolen from victims in the US and other countries since 2016. All are alleged to belong to a larger transnational criminal group called QQAAZZ, which specializes in helping cybercriminals convert and "clean" stolen funds for a fee.
According to the DoJ, law-enforcement authorities in the five countries searched more than 40 homes in connection with the investigation and seized a Bitcoin-mining operation tied to the group in Bulgaria. Most of the home searches and arrests in the case so far have been in Latvia, the DoJ said in a statement disclosing the indictments this week.
This week's indictment listed several unnamed US businesses that had funds stolen, or nearly had funds stolen, and transferred to illegally opened bank accounts belonging to the 14 individuals. In each case, cybercriminals had first broken into the victim network and taken over its business account. They then used the QQAAZZ accounts to receive money stolen from the breached entities. Among the cybercrime groups that have used QQAAZZ as a money-laundering service are the operators of the Dridex banking Trojan and malware families such as Trickbot and GozNym.
Among the actual and attempted fraudulent wire transfers was one involving $498,536 from an automotive components manufacturer, another for $300,000 from a landscaping equipment manufacturer, and another for almost the same amount from a charitable organization.
Meanwhile, the earlier indictment unsealed last October accused five other Latvian members of QQAAZZ of involvement in the same money-laundering scheme. Also charged separately by criminal complaint in the case was a Russian national who was arrested in March 2020 when visiting the US.
The indictment papers described QQAAZZ as a sophisticated, multitier operation that has opened and maintained hundreds of personal and corporate bank accounts with major financial institutions around the world over the past several years. The bank accounts are being used to receive stolen funds belonging to organizations and individuals in the US and elsewhere.
QQAAZZ's modus operandi is to then transfer funds from these bank accounts to numerous other accounts belonging to the group in an elaborate set of transactions designed to conceal the origins of the stolen money. The group also has been using so-called "tumbling" services to convert some of the stolen funds to cryptocurrency. Once the origins of the stolen funds have been sufficiently obscured, QQAAZZ returns the fund to the cybercrime group that stole the money for a 40 to 50 percent fee.
The DoJ described QQAAZZ as having established dozens of shell companies around the world for no other purpose than to facilitate the creation of corporate bank accounts that could be used for money-laundering purposes. Many of the bank accounts were created using legitimate and fake identification documents belonging to individuals in Poland and Bulgaria, the DoJ said. To attract clients to its services, the group has been advertising on underground cybercrime forums, sometimes paying $10,000 per year for advertising space.
Members of QQAAZ operate at three levels. The leaders, sitting at the top of the hierarchy, develop strategies and direct midlevel managers on how to create fake bank accounts, promote their business, and coordinate and return stolen funds from the organization's cybercrime clients.
Those at the midtier are responsible for recruiting so-called "money-mules" to open bank accounts around the world. In some cases, midlevel managers also directly operate the accounts that QQAAZZ used for its money-laundering operation. The money mules at the bottom of the pack are responsible for actually registering bank accounts as well as the shell companies and associated corporate accounts.
The charges unsealed this week against members of the QQAAZZ group are the latest in a rapidly growing list of US indictments against foreign-based cyber actors in the past few weeks. September was a particularly busy month, with the US government indicting or announcing sanctions against multiple entities. Among them were members of China's APT41 group, three Iranians for allegedly stealing satellite tracking and aerospace data, members of Iran's APT39 group, four Russians for election interference, and two Iranians over a series of web defacements.
Some security experts see the activity as a sign of the US government's intent to demonstrate its ability to accurately identify and attribute attacks to specific individuals and groups. Many of the indictments do little more than publicly name and shame threat actors based in countries outside the US government's reach. But in the past when individuals named in these indictments have stepped outside the relative safety of their countries to visit more extradition-friendly nations, the US government has been quick to have them apprehended and deported to the US to stand trial.