In an international law enforcement operation, a globally operating and organised cybercrime network was dismantled. The criminal network used GozNym malware to steal an estimated $100 million from more than 41,000 victims, primarily businesses and their financial institutions.

A criminal indictment returned by a federal grand jury in Pittsburgh, USA, charged 10 members of the GozNym criminal network with conspiracy to commit the following:

• infect victims’ computers with GozNym malware designed to capture victims’ online banking login credentials;
• use the captured login credentials to fraudulently gain unauthorised access to victims’ online bank accounts;
• steal money from victims’ bank accounts and laundering those funds using US and other beneficiary bank accounts controlled by the defendants.

The international law enforcement operation initiated criminal prosecutions against members of the network in four different countries. During the course of the operation, searches were conducted in Bulgaria, Georgia, Moldova and Ukraine. Criminal prosecutions have been initiated in Georgia, Moldova, Ukraine and the United States.

This operational is a result of the international law enforcement cooperation between participating EU Member States (Bulgaria and Germany) as well as Georgia, Moldova, Ukraine and the United States (in alphabetical order). Europol, the European Agency for Law Enforcement Cooperation as well as Eurojust, the European Union’s Judicial Cooperation Unit supported the case.

The defendants advertised their specialised technical skills and services on underground, Russian-speaking online criminal forums. The GozNym network was formed when these individuals were recruited from the online forums by the GozNym leader, who controlled more than 41,000 victim computers infected with GozNym malware. The leader of the GozNym criminal network and his technical assistant are being prosecuted in Georgia by the Prosecutor’s Office of Georgia and the Ministry of Internal Affairs of Georgia.

Bulletproof hosting services were provided to the GozNym criminal network by an administrator of the service known as the ‘Avalanche’ network. The Avalanche network provided hosting services to more than 200 cybercriminals, and hosted more than twenty different malware campaigns, including GozNym.