10/15/2020 06:20 PM
US Indicts Members of Transnational Money-Laundering Organization

Members of the QQAAZZ group helped cybercriminals conceal origins of stolen funds, DoJ alleges.

An indictment unsealed this week by the US Department of Justice (DoJ) in a Pennsylvania federal court, together with another unsealed last October, has shed more light on the vast criminal network that cyberthieves rely on to launder funds stolen from their victims.

The indictment that was unsealed today charged 14 individuals from Latvia, Bulgaria, the UK, Spain, and Italy with conspiracy to commit money laundering involving tens of millions of dollars stolen from victims in the US and other countries since 2016. All are alleged to belong to a larger transnational criminal group called QQAAZZ, which specializes in helping cybercriminals convert and "clean" stolen funds for a fee.

According to the DoJ, law-enforcement authorities in the five countries searched more than 40 homes in connection with the investigation and seized a Bitcoin-mining operation tied to the group in Bulgaria. Most of the home searches and arrests in the case so far have been in Latvia, the DoJ said in a statement disclosing the indictments this week.

This week's indictment listed several unnamed US businesses that had funds stolen, or nearly had funds stolen, and transferred to illegally opened bank accounts belonging to the 14 individuals. In each case, cybercriminals had first broken into the victim network and taken over its business account. They then used the QQAAZZ accounts to receive money stolen from the breached entities. Among the cybercrime groups that have used QQAAZZ as a money-laundering service are the operators of the Dridex banking Trojan and malware families such as Trickbot and GozNym.

Among the actual and attempted fraudulent wire transfers was one involving $498,536 from an automotive components manufacturer, another for $300,000 from a landscaping equipment manufacturer, and another for almost the same amount from a charitable organization.

Meanwhile, the earlier indictment unsealed last October accused five other Latvian members of QQAAZZ of involvement in the same money-laundering scheme. Also charged separately by criminal complaint in the case was a Russian national who was arrested in March 2020 when visiting the US.

The indictment papers described QQAAZZ as a sophisticated, multitier operation that has opened and maintained hundreds of personal and corporate bank accounts with major financial institutions around the world over the past several years. The bank accounts are being used to receive stolen funds belonging to organizations and individuals in the US and elsewhere.

QQAAZZ's modus operandi is to then transfer funds from these bank accounts to numerous other accounts belonging to the group in an elaborate set of transactions designed to conceal the origins of the stolen money. The group has also been using so-called "tumbling" services to convert some of the stolen funds to cryptocurrency. Once the origins of the stolen funds have been sufficiently obscured, QQAAZZ returns the funds to the cybercrime group that stole the money, for a 40 to 50 percent fee.

Complex Operation
The DoJ described QQAAZZ as having established dozens of shell companies around the world for no other purpose than to facilitate the creation of corporate bank accounts that could be used for money-laundering purposes. Many of the bank accounts were created using legitimate and fake identification documents belonging to individuals in Poland and Bulgaria, the DoJ said. To attract clients to its services, the group has been advertising on underground cybercrime forums, sometimes paying $10,000 per year for advertising space.

Members of QQAAZZ operate at three levels. The leaders, sitting at the top of the hierarchy, develop strategies and direct midlevel managers on how to create fake bank accounts, promote the business, and coordinate and return stolen funds to the organization's cybercrime clients.

Those at the midtier are responsible for recruiting so-called "money mules" to open bank accounts around the world. In some cases, midlevel managers also directly operate the accounts that QQAAZZ used for its money-laundering operation. The money mules at the bottom of the hierarchy are responsible for actually registering the bank accounts, as well as the shell companies and their associated corporate accounts.

The charges unsealed this week against members of the QQAAZZ group are the latest in a rapidly growing list of US indictments against foreign-based cyber actors in the past few weeks. September was a particularly busy month, with the US government indicting or announcing sanctions against multiple entities. Among them were members of China's APT41 group, three Iranians for allegedly stealing satellite tracking and aerospace data, members of Iran's APT39 group, four Russians for election interference, and two Iranians over a series of web defacements.

Some security experts see the activity as a sign of the US government's intent to demonstrate its ability to accurately identify and attribute attacks to specific individuals and groups. Many of the indictments do little more than publicly name and shame threat actors based in countries outside the US government's reach. But in the past when individuals named in these indictments have stepped outside the relative safety of their countries to visit more extradition-friendly nations, the US government has been quick to have them apprehended and deported to the US to stand trial.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...