Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


06:20 PM
Connect Directly

US Indicts Members of Transnational Money-Laundering Organization

Members of the QQAAZZ group helped cybercriminals conceal origins of stolen funds, DoJ alleges.

An indictment unsealed this week by the US Department of Justice (DoJ) in a Pennsylvania federal court and another one from last October has shed more light on the vast criminal network that cyberthieves rely on to launder funds stolen from their victims.

The indictment that was unsealed today charged 14 individuals from Latvia, Bulgaria, the UK, Spain, and Italy with conspiracy to commit money laundering involving tens of millions of dollars stolen from victims in the US and other countries since 2016. All are alleged to belong to a larger transnational criminal group called QQAAZZ, which specializes in helping cybercriminals convert and "clean" stolen funds for a fee.

Related Content:

3 Months for the Cybercrime Books

2020 State of Cybersecurity Operations and Incident Response

New on The Edge: What's Really Happening in Infosec Hiring Now?

According to the DoJ, law-enforcement authorities in the five countries searched more than 40 homes in connection with the investigation and seized a Bitcoin-mining operation tied to the group in Bulgaria. Most of the home searches and arrests in the case so far have been in Latvia, the DoJ said in a statement disclosing the indictments this week.

This week's indictment listed several unnamed US businesses that had funds stolen, or nearly had funds stolen, and transferred to illegally opened bank accounts belonging to the 14 individuals. In each case, cybercriminals had first broken into the victim network and taken over its business account. They then used the QQAAZZ accounts to receive money stolen from the breached entities. Among the cybercrime groups that have used QQAAZZ as a money-laundering service are the operators of the Dridex banking Trojan and malware families such as Trickbot and GozNym.

Among the actual and attempted fraudulent wire transfers was one involving $498,536 from an automotive components manufacturer, another for $300,000 from a landscaping equipment manufacturer, and another for almost the same amount from a charitable organization.

Meanwhile, the earlier indictment unsealed last October accused five other Latvian members of QQAAZZ of involvement in the same money-laundering scheme. Also charged separately by criminal complaint in the case was a Russian national who was arrested in March 2020 when visiting the US.

The indictment papers described QQAAZZ as a sophisticated, multitier operation that has opened and maintained hundreds of personal and corporate bank accounts with major financial institutions around the world over the past several years. The bank accounts are being used to receive stolen funds belonging to organizations and individuals in the US and elsewhere.

QQAAZZ's modus operandi is to then transfer funds from these bank accounts to numerous other accounts belonging to the group in an elaborate set of transactions designed to conceal the origins of the stolen money. The group also has been using so-called "tumbling" services to convert some of the stolen funds to cryptocurrency. Once the origins of the stolen funds have been sufficiently obscured, QQAAZZ returns the fund to the cybercrime group that stole the money for a 40 to 50 percent fee.

Complex Operation
The DoJ described QQAAZZ as having established dozens of shell companies around the world for no other purpose than to facilitate the creation of corporate bank accounts that could be used for money-laundering purposes. Many of the bank accounts were created using legitimate and fake identification documents belonging to individuals in Poland and Bulgaria, the DoJ said. To attract clients to its services, the group has been advertising on underground cybercrime forums, sometimes paying $10,000 per year for advertising space.

Members of QQAAZ operate at three levels. The leaders, sitting at the top of the hierarchy, develop strategies and direct midlevel managers on how to create fake bank accounts, promote their business, and coordinate and return stolen funds from the organization's cybercrime clients.

Those at the midtier are responsible for recruiting so-called "money-mules" to open bank accounts around the world. In some cases, midlevel managers also directly operate the accounts that QQAAZZ used for its money-laundering operation. The money mules at the bottom of the pack are responsible for actually registering bank accounts as well as the shell companies and associated corporate accounts.

The charges unsealed this week against members of the QQAAZZ group are the latest in a rapidly growing list of US indictments against foreign-based cyber actors in the past few weeks. September was a particularly busy month, with the US government indicting or announcing sanctions against multiple entities. Among them were members of China's APT41 group, three Iranians for allegedly stealing satellite tracking and aerospace data, members of Iran's APT39 group, four Russians for election interference, and two Iranians over a series of web defacements.

Some security experts see the activity as a sign of the US government's intent to demonstrate its ability to accurately identify and attribute attacks to specific individuals and groups. Many of the indictments do little more than publicly name and shame threat actors based in countries outside the US government's reach. But in the past when individuals named in these indictments have stepped outside the relative safety of their countries to visit more extradition-friendly nations, the US government has been quick to have them apprehended and deported to the US to stand trial.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-15
A XSS Vulnerability in /uploads/dede/action_search.php in DedeCMS V5.7 SP2 allows an authenticated user to execute remote arbitrary code via the keyword parameter.
PUBLISHED: 2021-05-15
DedeCMS V5.7 SP2 contains a CSRF vulnerability that allows a remote attacker to send a malicious request to to the web manager allowing remote code execution.
PUBLISHED: 2021-05-14
The Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads to writing an arbitrary value.
PUBLISHED: 2021-05-14
In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value.
PUBLISHED: 2021-05-14
The block subsystem in the Linux kernel before 5.2 has a use-after-free that can lead to arbitrary code execution in the kernel context and privilege escalation, aka CID-c3e2219216c9. This is related to blk_mq_free_rqs and blk_cleanup_queue.