DOJ Busts $100M International GozNym Malware Cybercrime Ring: Mystery Gulfport, Mississippi Casino Victimized for Nearly $200K

Posted on: May 17, 2019, 06:00h. 

Last updated on: May 17, 2019, 06:08h.

The US Department of Justice (DOJ) said Thursday that it had shut down a vast cyber-criminal network that attempted to steal $100 million from various American businesses, including an unidentified casino in Gulfport, Mississippi.

Five Russian nationals remain fugitives from a multi-country dragnet in the GozNym international cybercrime bank fraud spree. (Image: DOJ/FBI)

The effort was carried out in partnership with the European Union’s law enforcement agencies Europol and Eurojust, along with other international authorities.

According to a 54-page indictment filed last month in the US District Court for Western Pennsylvania, the DOJ disrupted a sprawling cybercriminal enterprise spanning several countries in Eastern Europe that was using GozNym malware to infect tens of thousands of computers in the US and Europe.

American businesses targeted were all over the map — literally and figuratively — including the unnamed Mississippi casino, a German medical device maker with a unit in Florida, a Kentucky stud farm, a California-based furniture seller, and two law offices, among others.

The indictment was filed in Western Pennsylvania because several victims in the case are from that region.

Casinos in Gulfport, Miss. include the Beau Rivage, Boomtown, Golden Nugget, Hard Rock, Harrah’s Gulf Coast, and the Island View. But which got hit remains a mystery, along with the other 12 business victims in the case, who are all identified only by number.

The casino in question is known as “Victim 11” in the indictment. A phishing email aimed at one of the casino’s employees gave the criminals the foothold they needed to install the GozNym malware, which captured the employee’s online banking login credentials. Those credentials, in turn, gave the perpetrators access to the casino’s bank account.

On or about April 21, 2016, the conspirators accessed Victim 11’s People’s Bank account, attempting to drain $197,300 from the account via four electronic funds transfers, according to the indictment.

Two transfers of $92,500 apiece were successfully taken from the Victim 11 account, totaling $185,000. The indictment does not specify whether the remaining $12,300 failed to reach the perpetrators or, if it did, what happened to it.

The defendants — including five Russian nationals, as well as residents of Georgia, Ukraine, Moldova, and Bulgaria — conspired to use GozNym malware to pilfer victims’ online banking usernames and passwords, access funds in the victims’ accounts and “steal money from victims’ bank accounts and launder those funds using US and foreign beneficiary bank accounts controlled by the defendants,” according to DOJ.

Something Out of a Movie

In what sounds like a page out of a Tom Clancy novel or the plot of a James Bond movie, the DOJ charged 10 members of the GozNym ring with conspiracy to commit computer fraud, conspiracy to commit wire fraud and bank fraud, and conspiracy to commit money laundering, with an eleventh member being charged in a related indictment.

Five Russian nationals charged in the case remain fugitives from justice. Because those alleged cybercriminals cannot be extradited to the States, the DOJ said it is working with authorities in Georgia, Ukraine, and Moldova, where the five yet-to-be-apprehended suspects are believed to reside.

In this infographic, the Department of Justice shows how sophisticated the crime ring involved in this case was, with criminals spread across Eastern Europe, Russia, and the Middle East. (Image: DOJ)

Adding to the Hollywood flair of this real life case are the cheeky nicknames used by the GozNym crew. For example, Alexander Konovolov, 35, of Georgia — the alleged ringleader of the group — was also known as “NoNe,” and “none_1.” His assistant, 31-year-old Marat Kazandjian, went by the callsign “phantom.”

Gennady Kapkanov, a 36-year-old Ukrainian, administered the secure hosting service known as the “Avalanche” network used by the cyber thieves and was also known as “ffhost,” “firestarter,” and “User 41,” among other names. Eduard Malanici, a 32-year-old Moldovan, also known as “JekaProf,” allegedly coded the GozNym malware to avoid detection by anti-virus software on the victims’ computers.

GozNym derives its name from two trojans: Gozi and Nymaim. The name was first used by IBM researchers. Gozi is a trojan originally developed to steal banking information, while Nymaim is a program used to drop other malware onto computers. The combined malware, GozNym, was completed in 2016 and was reportedly behind the theft of millions of dollars from 24 US and Canadian banks that year.

A Tangled Web

Members of the GozNym group engaged in a nefarious but sophisticated operation to steal — and then launder — victims’ money. The Georgian ringleader leased access to the malware from a Russian software developer who worked with a coding team to develop the illicit product. Next, the ringleader recruited other cybercriminals with specific skill sets, usually meeting them in underground, Russian-language online venues.

The next step for the Georgian leader and his assistant, a Kazakh national living in Georgia, was to “crypt” (obfuscate) the malware so that anti-virus systems would not detect it. After that, a team of spammers sent hundreds of thousands of emails to potential victims with the malware attached.

The emails were designed to look important and legitimate to entice victims to open the messages. Once a link in the message was clicked, victims’ computers were directed to a malicious server hosting the GozNym program.

The aforementioned Avalanche network hosted GozNym files on its servers and those servers acquired victims’ banking credentials, passing the data along to the conspirators. Account takeover specialists, including one in Bulgaria and a Russian national based in Ukraine, would access victims’ accounts and proceed with unauthorized electronic funds transfers.

The ill-gotten funds were then moved to drop accounts in Russia and Ukraine, where the receivers, also called “mules,” would physically withdraw the cash from bank branches and ATMs for distribution throughout the conspirator network.

Eastern Europe, Casinos, and Beyond: A Sordid History

The intersection of some Eastern European countries and casino gaming has recently produced stories with stunning criminal elements. Earlier this year, Kosovo announced a 10-year ban on most forms of gambling after two casino workers were killed in separate March robberies.

The casino gaming ban in the Balkan nation was announced after neighboring Albania made a similar move in late 2018. Countries in the region are prohibiting gambling as an avenue for cracking down on money laundering and nonstop violence.

But Eastern Europe isn’t the only region from which massive cybercrime is perpetrated. The 2016 $101 million cyber heist on a Bangladeshi bank via the New York Federal Reserve Bank has yet to be completely solved, although one major figure in the scheme — a former manager at Rizal Commercial Banking Corp. in Manila — has been convicted and sentenced to four to seven years, along with a $109 million fine.

Rumors abound that North Korea is behind the heist, but no one from that country so far has been apprehended or charged.