Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


06:20 PM
Connect Directly

US Indicts Members of Transnational Money-Laundering Organization

Members of the QQAAZZ group helped cybercriminals conceal origins of stolen funds, DoJ alleges.

An indictment unsealed this week by the US Department of Justice (DoJ) in a Pennsylvania federal court and another one from last October has shed more light on the vast criminal network that cyberthieves rely on to launder funds stolen from their victims.

The indictment that was unsealed today charged 14 individuals from Latvia, Bulgaria, the UK, Spain, and Italy with conspiracy to commit money laundering involving tens of millions of dollars stolen from victims in the US and other countries since 2016. All are alleged to belong to a larger transnational criminal group called QQAAZZ, which specializes in helping cybercriminals convert and "clean" stolen funds for a fee.

Related Content:

3 Months for the Cybercrime Books

2020 State of Cybersecurity Operations and Incident Response

New on The Edge: What's Really Happening in Infosec Hiring Now?

According to the DoJ, law-enforcement authorities in the five countries searched more than 40 homes in connection with the investigation and seized a Bitcoin-mining operation tied to the group in Bulgaria. Most of the home searches and arrests in the case so far have been in Latvia, the DoJ said in a statement disclosing the indictments this week.

This week's indictment listed several unnamed US businesses that had funds stolen, or nearly had funds stolen, and transferred to illegally opened bank accounts belonging to the 14 individuals. In each case, cybercriminals had first broken into the victim network and taken over its business account. They then used the QQAAZZ accounts to receive money stolen from the breached entities. Among the cybercrime groups that have used QQAAZZ as a money-laundering service are the operators of the Dridex banking Trojan and malware families such as Trickbot and GozNym.

Among the actual and attempted fraudulent wire transfers was one involving $498,536 from an automotive components manufacturer, another for $300,000 from a landscaping equipment manufacturer, and another for almost the same amount from a charitable organization.

Meanwhile, the earlier indictment unsealed last October accused five other Latvian members of QQAAZZ of involvement in the same money-laundering scheme. Also charged separately by criminal complaint in the case was a Russian national who was arrested in March 2020 when visiting the US.

The indictment papers described QQAAZZ as a sophisticated, multitier operation that has opened and maintained hundreds of personal and corporate bank accounts with major financial institutions around the world over the past several years. The bank accounts are being used to receive stolen funds belonging to organizations and individuals in the US and elsewhere.

QQAAZZ's modus operandi is to then transfer funds from these bank accounts to numerous other accounts belonging to the group in an elaborate set of transactions designed to conceal the origins of the stolen money. The group also has been using so-called "tumbling" services to convert some of the stolen funds to cryptocurrency. Once the origins of the stolen funds have been sufficiently obscured, QQAAZZ returns the fund to the cybercrime group that stole the money for a 40 to 50 percent fee.

Complex Operation
The DoJ described QQAAZZ as having established dozens of shell companies around the world for no other purpose than to facilitate the creation of corporate bank accounts that could be used for money-laundering purposes. Many of the bank accounts were created using legitimate and fake identification documents belonging to individuals in Poland and Bulgaria, the DoJ said. To attract clients to its services, the group has been advertising on underground cybercrime forums, sometimes paying $10,000 per year for advertising space.

Members of QQAAZ operate at three levels. The leaders, sitting at the top of the hierarchy, develop strategies and direct midlevel managers on how to create fake bank accounts, promote their business, and coordinate and return stolen funds from the organization's cybercrime clients.

Those at the midtier are responsible for recruiting so-called "money-mules" to open bank accounts around the world. In some cases, midlevel managers also directly operate the accounts that QQAAZZ used for its money-laundering operation. The money mules at the bottom of the pack are responsible for actually registering bank accounts as well as the shell companies and associated corporate accounts.

The charges unsealed this week against members of the QQAAZZ group are the latest in a rapidly growing list of US indictments against foreign-based cyber actors in the past few weeks. September was a particularly busy month, with the US government indicting or announcing sanctions against multiple entities. Among them were members of China's APT41 group, three Iranians for allegedly stealing satellite tracking and aerospace data, members of Iran's APT39 group, four Russians for election interference, and two Iranians over a series of web defacements.

Some security experts see the activity as a sign of the US government's intent to demonstrate its ability to accurately identify and attribute attacks to specific individuals and groups. Many of the indictments do little more than publicly name and shame threat actors based in countries outside the US government's reach. But in the past when individuals named in these indictments have stepped outside the relative safety of their countries to visit more extradition-friendly nations, the US government has been quick to have them apprehended and deported to the US to stand trial.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Attackers Leave Stolen Credentials Searchable on Google
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2021
How to Better Secure Your Microsoft 365 Environment
Kelly Sheridan, Staff Editor, Dark Reading,  1/25/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: I can't find the back door.
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-01-25
The MediaWiki "Report" extension has a Cross-Site Request Forgery (CSRF) vulnerability. Before fixed version, there was no protection against CSRF checks on Special:Report, so requests to report a revision could be forged. The problem has been fixed in commit f828dc6 by making use of Medi...
PUBLISHED: 2021-01-25
ORAS is open source software which enables a way to push OCI Artifacts to OCI Conformant registries. ORAS is both a CLI for initial testing and a Go Module. In ORAS from version 0.4.0 and before version 0.9.0, there is a "zip-slip" vulnerability. The directory support feature allows the ...
PUBLISHED: 2021-01-25
An XML external entity (XXE) injection vulnerability was discovered in the Nutch DmozParser and is known to affect Nutch versions < 1.18. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML ...
PUBLISHED: 2021-01-25
When handler-router component is enabled in servicecomb-java-chassis, authenticated user may inject some data and cause arbitrary code execution. The problem happens in versions between 2.0.0 ~ 2.1.3 and fixed in Apache ServiceComb-Java-Chassis 2.1.5
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated reflected POST Cross-Site Scripting