For decades, the security industry has warned that the cybercriminal economy has been developing its own highly specialized, professional supply chain. But only when law enforcement tears the lid off a well-honed hacker operation—as they did today with the global Goznym malware crew—does the full picture of every interlinked step in that globalized crime network come into focus.
On Thursday, police in six countries along with the US Justice Department and Europol announced the takedown of Goznym—linked with another operation known as Avalanche, an associated cybercrime operation that was largely dismantled in 2016—including the arrest of five of its members across Bulgaria, Georgia, Moldova, and Ukraine. Five more alleged members remain at large in Russia. In total, the operation infected 41,000 computers with fraud-focused malware, and attempted to steal $100 million from victims in the US, though it's not clear exactly how much of that theft they successfully pulled off.
Speaking at a press conference at Europol's headquarters in the Hague, global law enforcement hailed the arrests as an "unprecedented" example of international cooperation. But the indictment also details just how distributed and specialized the tasks of profit-focused hackers have become, composed largely of loosely associated freelancers, each responsible for a single step in the exploitation of victims. "You look at what happened here. What was Goznym? What was Avalanche?" asked Steven Wilson, the head of the European Cybercrime Centre. "This was a supermarket of cybercrime services. You're looking at coders, malware developers, bulletproof hosters, a whole range of cybercrime services."
The indictment lays out that long chain of cybercrime specialists:
- A Russian man, Vladimir Gorin, is accused of creating, developing, and managing the Goznym banking malware. Once installed on a machine, it acted as a keylogger, and hijacked victims' web browsers to inject phishing fields into banking websites when they attempted to log in, stealing their credentials to gain control of their accounts. The malware included a field in the browser designed to trick victims into entering a second factor code, too, intercepting that code and using it in real time to defeat two-factor authentication.
- Gorin allegedly leased that Goznym malware to Alexander Konovolov, the Georgian defendant named as the leader of the group, responsible for overseeing its operations and controlling the tens of thousands of infected computers in its botnet. Officials say he was aided by Marat Kazandjian, a technical assistant and administrator.
- A Ukrainian named Gennady Kapkanov, arrested earlier this year, is accused of renting out the infrastructure for the operation as a so-called "bulletproof" hosting provider. In fact, his Avalanche network provided hosting for more than 20 different malware operations, according to the indictment. While a part of that operation was disrupted in 2016, Kapkanov eluded capture at the time—despite reportedly firing an AK-47 at police from his window—when a judge released him due to a mistake in charging documents.
- A Moldovan man, Eduard Malanici, is accused of "crypting" the Goznym malware, obfuscating its code to hide it from antivirus software.
- A Russian man, Konstantin Volchov, allegedly ran the spamming operation that sprayed phishing emails out to potential victims, in the hopes that some might click on malicious attachment or links that would install Goznym on their computers.
- Once Goznym was installed and a victim's credentials were stolen, the malware sent those credentials to an administration panel. Two men, a Russian named Ruslan Katirkin and a Bulgarian named Krasimir Nikolov, allegedly controlled that panel and served as the group's "account takeover" specialists, logging into the victim's accounts and attempting to steal their funds through electronic transfers like wire transfers and ACH payments.
- Two other Russians, Vladimir Eremenko and Farkhad Manokhin, allegedly took care of the "cash-out" step of the process, managing the accounts that received and laundered the stolen funds. The money was then withdrawn from banks and ATMs by so-called "money mules"—low-level operatives in the scheme who weren't charged in the indictment. Manokhin was arrested in Sri Lanka in 2017 at the request of US law enforcement, but was released on bail and fled to Russia, where he's still at large, along with the other four Russian members of the Goznym crew.
Despite law enforcement's description at times of the Goznym operation as a unified crew, most of those defendants seem to have worked as freelancers who offered their services on Russian-language cybercrime forums. "The Goznym network was formed when these individuals were recruited from these online forums and came together to use their specialized skills in furtherance of the conspiracy," FBI special agent Robert Allan Jones said in the press conference. The group appears to have coordinated their activities over online chat.
The globalized nature of that loose network required an equally global sort of cooperation among police and prosecutors across a half-dozen countries, sharing evidence and synchronizing arrests, according to Eurojust official Gabriele Launhardt. "This kind of international cooperation is perhaps unprecedented. This is a sign that judiciary and police can and will always cope with however big a cybercrime organization can be, bringing down its infrastructure," Launhardt said. "To sum up, criminals cooperate across borders, and we will do the same, so no one escapes justice."
Left unspoken in those remarks about global coordination, of course, is that fully half of the defendants in the case have in fact escaped justice—in Russia, one country that doesn't seem to have cooperated at all in the investigation. As global as cybercrime crackdowns have become, the cybercriminals themselves remain more global still. And some hide behind borders where Western law enforcement still can't reach.