Three members of a cybercrime group that used the GozNym banking Trojan to steal millions from U.S. businesses were sentenced today in parallel and multi-national prosecutions in Pittsburgh and Tbilisi, Georgia.
The GozNym group members were charged with stealing “an estimated $100 million from more than 41,000 victims, primarily businesses and their financial institutions,” according to a Europol press release from May.
In all, ten members of the GozNym cybercriminal group were indicted in May, five of whom were arrested at the time, while five other Russian nationals charged in the indictment — including the developer behind the GozNym malware — remain on the run.
The indictment unsealed in Pittsburgh, USA, in May charged GozNym members with conspiring to:
The malware used in the attacks is a “Trojan hybrid spawned from the Nymaim and Gozi ISFB malware,” a strain used “in attacks against more than 24 U.S. and Canadian banks” per IBM X-Force Research.
GozNym was delivered to the targets’ computers via large-scale malspam campaigns that targeted hundreds of thousands of individuals and organizations, and it was used to steal banking credentials from the victims’ infected systems.
The GozNym banking Trojan payloads and the malicious domains used in the attacks were hosted on the infrastructure of the Avalanche malware distribution network dismantled in 2016 when law enforcement seized, sinkholed, and blocked over 800,000 domains spread over 60 registrars.
Three members of GozNym cybercrime network sentenced in parallel multi-national prosecutions in Pittsburgh and Tbilisi, Georgia. https://t.co/zpAO6wqCof
— WDPAnews (@WDPAnews) December 20, 2019
GozNym members’ sentences
Bulgarian citizen Krasimir Nikolov was sentenced today in federal court in Pittsburgh “to a period of time served after having served more than 39 months in prison following his conviction on charges of criminal conspiracy, computer fraud, and bank fraud.”
His main role in the criminal organization was that of an account takeover specialist and casher, using online banking credentials stolen with the help of the GozNym malware to try to transfer victims’ money to attacker-controlled accounts.
“Nikolov will be transferred into U.S. Immigration and Customs Enforcement custody and removed from the United States to Bulgaria,” according to the DoJ press release.
Two other GozNym gang members, Alexander Konovolov and Marat Kazandjian (Konovolov’s technical admin and main assistant within the GozNym network), were also arrested and prosecuted in Georgia, where they were sentenced to 7 and 5 years of imprisonment, respectively.
Konovolov (aka NoNe or none_1) was the head of the organization and the one who set up the criminal network and controlled over 41,000 infected computers.
“Konovolov assembled the team of elite cybercriminals charged in the Indictment, in part by recruiting them through underground online criminal forums,” the DoJ says.
A.K. (aka none_1) was sentenced to imprisonment for a term of 7 years. Considering the large extent of his cooperation with the investigation, M.K. (aka phant0m) was sentenced to imprisonment for a term of 5 years. He will serve 1 year in prison and after this, he will be on conditional release for 4 years. – Office of the Prosecutor General of Georgia
The Georgian trial was prosecuted with witness testimony from an FBI agent and a computer scientist from the FBI’s Pittsburgh Field Office, and evidence the FBI and U.S. Attorney’s Office obtained as part of their parallel investigation of the case.
“In announcing the prosecution of the GozNym international cybercrime syndicate with our law enforcement partners at Europol in May, I stated that borderless cybercrime necessitates a borderless response,” said U.S. Attorney Brady.
“This new paradigm involves unprecedented levels of cooperation with willing and trusted law enforcement partners around the world who share our goals of searching, arresting and prosecuting cyber criminals no matter where they might be.”