A New Castle paving company is just one victim of what federal investigators say was a complex transnational organized cybercrime network that tried to steal $100 million from unsuspecting victims.
A federal indictment has been unsealed in Pittsburgh naming ten people as part of a plot that used malware known as “GozNym” to infect tens of thousands of victim computers worldwide, primarily in the United States and Europe.
The New Castle paving company, identified in the indictment only as “victim one”, received a phishing email designed to look like a legitimate message from Bank of America.
When an employee of the paving business clicked on a file attached to the email, the company's computer was infected with the malware, according to investigators.
The indictment says Alexander Konovolov, of the Republic of Georgia, and Krasimir Nikolov, of Bulgaria, obtained the paving company's online banking credentials and then attempted to electronically transfer more than $350,000 from those accounts.
The conspirators would then launder any funds collected, according to the indictment.
Other victims from around the country include law offices, a church, a contractor, a casino, a medical equipment distributor, and even a stud farm.
The defendants reside in Russia, Georgia, Ukraine, Moldova and Bulgaria.
According to the indictment, Konovolov was the primary organizer and leader of the GozNym network who controlled more than 41,000 victim computers infected with GozNym malware.
Konovolov assembled the team of cybercriminals charged in the indictment, in part by recruiting them through underground online criminal forums.
Marat Kazandjian, also of Georgia, was allegedly Konovolov’s primary assistant and technical administrator. Konovolov and Kazandjian are being prosecuted in Georgia for their roles in the criminal network.
Krasimir Nikolov was searched and arrested by Bulgarian authorities and was extradited to the United States in December 2016 to face prosecution.
Nikolov's primary role in the conspiracy was that of a “casher” or “account takeover specialist”: he used victims' online banking credentials captured by the GozNym malware to log in to their online bank accounts and attempted to steal their money through electronic funds transfers into bank accounts controlled by fellow conspirators.
According to the indictment, the suspects advertised their specialized technical skills and services on underground, Russian-language, online criminal forums.
The GozNym network was formed when the defendants were recruited from the online forums and came together to use their specialized technical skills and services to form the conspiracy.
Gennady Kapkanov, age 36, of Poltava, Ukraine, was an administrator of a bulletproof hosting service known by law enforcement and computer security researchers as the “Avalanche” network. This network provided services to more than 200 cybercriminals, and it hosted more than 20 different malware campaigns, including GozNym.
Kapkanov’s apartment in Poltava, Ukraine was searched in November 2016 during a German-led operation to dismantle the network’s servers and other infrastructure.
Kapkanov was arrested for shooting an assault rifle through the door of his apartment at Ukrainian law enforcement officers conducting the search.
Kapkanov faces prosecution in Ukraine for his role in providing bulletproof hosting services to the GozNym criminal network.
Alexander Van Hoof, 45, of Nikolaev, Ukraine, was a “cash-out” or “drop master” who provided fellow members of the conspiracy with access to bank accounts he controlled that were designated to receive stolen funds from GozNym victims’ online bank accounts.
Eduard Malanici, 32, of Balti, Moldova, provided crypting services to cybercriminals, that is, encrypting or obfuscating malware binaries so that signature-based security tools do not recognize them. Malanici crypted the GozNym malware to enable it to avoid detection by anti-virus tools and protective software on victims' computers. Malanici, along with two associates, is being prosecuted in Moldova.
Five Russian nationals charged in the indictment remain fugitives.
The indictment may be seen here.