Europol and US authorities are claiming victory after “dismantling” a major international cybercrime gang that used the GozNym banking trojan in an attempt to steal $100m from businesses.
A federal indictment was unsealed yesterday charging 10 members of the group with conspiracy to commit computer fraud, conspiracy to commit wire fraud and bank fraud, and conspiracy to commit money laundering. An eleventh has already been charged in a previous indictment.
Five of the gang are based in Russia and will therefore probably escape justice. However, the leader of the group, Alexander Konovolov — aka “NoNe” and “none_1” — 35, of Tbilisi, Georgia, is being prosecuted in his home country, along with his alleged right-hand man Marat Kazandjian, aka “phant0m,” 31, of Kazakhstan and Tbilisi.
Another man, Eduard Malanici, aka “JekaProf,” is being prosecuted in his native Moldova for charges relating to alleged provision of crypting services, while Gennady Kapkanov — aka “Hennadiy Kapkanov,” “flux,” “ffhost,” “firestarter,” and “User 41” — 36, of Poltava, Ukraine, is being prosecuted in the eastern European nation for charges of bulletproof hosting for the group via the infamous Avalanche network.
Kapkanov was arrested in 2018 after firing an assault rifle at Ukrainian police searching his flat, while another man, Krasimir Nikolov, of Varna, Bulgaria, was extradited to the US in 2016 on charges of being the group’s account takeover specialist.
Each man had a specific role and was apparently recruited from Russian-speaking dark web forums. The GozNym malware was distributed to around 41,000 victim computers via phishing emails. Once the malware had captured a victim’s online banking credentials, the gang accessed the account and transferred funds to third-party accounts under its control.
“International law enforcement has recognized that the only way to truly disrupt and defeat transnational, anonymized networks is to do so in partnership,” said Pennsylvania US attorney Scott Brady.
“The collaborative and simultaneous prosecution of the members of the GozNym criminal conspiracy in four countries represents a paradigm shift in how we investigate and prosecute cybercrime.”
Roy Rashti, cybersecurity expert at BitDam, argued that the dismantling of this network is just a drop in the ocean, but a welcome move nonetheless.
“The ‘Goz’ in GozNym stands for the notorious Gozi banker malware which, although not new, was very successfully co-opted and iterated by hackers,” he added.
“This provides yet another example of how adversaries tweak known attacks to bypass legacy security solutions to reach and exploit the end user. This strategy allows cybercrime groups to operate like any successful business — with efficiency, dynamism and always staying one step ahead. That is, of course, until they get caught.”