Europol and the U.S. Justice Department, with the help from six other countries, have disrupted and dismantled the GozNym malware, which they say stole more than $100 million from bank accounts since it first emerged.
In a press conference in The Hague, prosecutors said 10 defendants in five countries are accused of using the malware to steal money from more than 41,000 victims, mostly businesses and financial institutions.
Five defendants were arrested in Moldova, Bulgaria, Ukraine and Russia. The leader of the criminal network and his technical assistant are being prosecuted in Georgia.
Five defendants remain on the run, said prosecutors.
The takedown was described as an “unprecedented international effort” by Scott Brady, U.S. attorney for Western Philadelphia — where a grand jury indicted the defendants — at the press conference announcing the charges.
GozNym is a powerful banking malware that spread across the U.S., Canada, Germany and Poland, and made up from two existing malware families, both of which had their source code leaked years earlier: Nymaim, a two-stage malware dropper that infects computers through exploit kits from malicious links or emails; and Gozi, a web injection module used to hook into the web browser, allowing the attacker to steal login credentials and passwords.
The banking malware hit dozens of banks and credit unions since it first emerged in 2016.
Described as malware “as a service,” the leader of the network obtained the code for the two malware families and built GozNym, then recruited accomplices and advertised the new malware on Russian speaking forums. The malware used encryption and other obfuscation techniques to avoid detection by antivirus tools. Then, spammers sent hundreds of thousands of phishing emails to infect staff at businesses and banks. After the malware infected its victim computers, the malware would steal the passwords control of bank accounts, which the criminals would later log in and cash out.
Prosecutors said the malware network was hosted and operated through a bulletproof service, a domain and web hosting known for lax attitudes towards cybercrime and favored by criminals. Europol said the 2016 takedown of Avalanche, an infrastructure platform used by hundreds of criminals to host and run their malware campaigns.