For decades, the security industry has warned that the cybercriminal economy has been developing its own highly specialized, professional supply chain. But only when law enforcement tears the lid off a well-honed hacker operation—as they did today with the global Goznym malware crew—does the full picture of every interlinked step in that globalized crime network come into focus.
On Thursday, police in six countries along with the US Department of Justice and Europol announced the takedown of the Goznym malware operation—linked with another operation known as Avalanche, an associated cybercrime operation that was largely dismantled in 2016—including the arrest of five of its members across Ukraine, Moldova, Bulgaria, and Georgia. Five more alleged members remain at large in Russia. In total, the operation infected 41,000 computers with fraud-focused malware, and attempted to steal $100 million from victims in the US, though it’s not clear exactly how much of that theft they successfully pulled off.
Speaking at a press conference today at Europol’s headquarters in the Hague, global law enforcement hailed the arrests as an “unprecedented” example of international cooperation. But the indictment also details just how distributed and specialized the tasks of profit-focused hackers have become, composed largely of loosely associated freelancers, each responsible for a single step in the exploitation of victims. “You look at what happened here. What was Goznym? What was Avalanche?” asked Steven Wilson, the head of the European Cybercrime Centre. “This was a supermarket of cybercrime services. You’re looking at coders, malware developers, bullet-proof hosters, a whole range of cybercrime services.”
The indictment lays out that long chain of cybercrime specialists:
- A Russian man, Vladimir Gorin, is accused of creating, developing, and managing the Goznym banking malware. Once installed on a machine, it acted as a keylogger and hijacked victims’ web browsers to inject phishing fields into banking websites when they attempted to log in, stealing their credentials to gain control of their accounts. The malware also injected a field into the browser designed to trick victims into entering a second-factor code, intercepting that code and using it in real time to defeat two-factor authentication.
- Gorin allegedly leased that Goznym malware to Alexander Konovolov, the Georgian defendant named as the leader of the group, responsible for overseeing its operations and controlling the tens of thousands of infected computers in its botnet. Officials say he was aided by Marat Kazandjian, a technical assistant and administrator.
- A Ukrainian named Gennady Kapkanov, arrested earlier this year, is accused of renting out the infrastructure for the operation as a so-called “bulletproof hosting” provider. In fact, his Avalanche network provided hosting for more than 20 different malware
operations, according to the indictment. While a part of that
operation was disrupted in
Kapkanov eluded capture at the time—despite reportedly firing an
AK-47 at police from his window—when a judge released him due to a
mistake in charging
- A Moldovan man, Eduard Malanici, is accused of “crypting” the Goznym malware, obfuscating its code to hide it from antivirus software.
- A Russian man, Konstantin Volchov, allegedly ran the spamming operation that sprayed phishing emails out to potential victims in the hope that some might click on a malicious attachment or link that would install Goznym on their computers.
- Once Goznym was installed and a victim’s credentials were stolen via phishing, the malware sent those credentials to an administration panel. Two men, a Russian named Ruslan Katirkin and a Bulgarian named Krasimir Nikolov, allegedly controlled that panel and served as the group’s “account takeover” specialists, logging into victims’ accounts and attempting to steal their funds through electronic transfers such as wire transfers and ACH payments.
- Two other Russians, Vladimir Eremenko and Farkhad Manokhin, allegedly took care of the “cash-out” step of the process, managing the accounts that received and laundered the stolen funds. The money was then withdrawn from banks and ATMs by so-called “money mules”—low-level operatives in the scheme who weren’t charged in the indictment. Manokhin was arrested in Sri Lanka in 2017 at the request of US law enforcement, but was released on bail and fled to Russia, where he’s still at large, along with the other four Russian members of the Goznym crew.
Despite law enforcement’s description at times of the Goznym operation as a unified crew, most of those defendants seem to have worked as freelancers who offered their services on Russian-language cybercrime forums. “The Goznym network was formed when these individuals were recruited from these online forums and came together to use their specialized skills in furtherance of the conspiracy,” FBI special agent Robert Allan Jones said in the press conference. The group appears to have coordinated its activities over online chat.
The globalized nature of that loose network required an equally global sort of cooperation among police and prosecutors across a half-dozen countries, sharing evidence and synchronizing arrests, Eurojust official Gabriele Launhardt said. “This kind of international cooperation is perhaps unprecedented. This is a sign that judiciary and police can and will always cope with however big a cybercrime organization can be, bringing down its infrastructure,” Launhardt said. “To sum up, criminals cooperate across borders, and we will do the same, so no one escapes justice.”
Left unspoken in those remarks about global coordination, of course, is that fully half of the defendants in the case have in fact escaped justice—in Russia, a country that doesn’t seem to have cooperated at all in the investigation. As global as cybercrime crackdowns have become, the cybercriminals themselves remain more global still. And some hide behind borders where Western law enforcement still can’t reach.