How the FBI Cracked the GozNym Malware Case

With a lot of help from Eastern European countries—but not Russia.

Photo illustration by Slate. Photo by M-A-U/iStock/Getty Images Plus.

Catching cybercriminals has always been challenging partly because the person stealing money from your online accounts is probably sitting somewhere far from the reach of U.S. law enforcement, often in Russia or Eastern Europe. And those countries, which may take in much more money than they lose from cybercrime, are not always eager or easy to work with on international investigations. That’s why the FBI and Department of Justice tend to make a big deal about it when they work with their counterparts in other countries to identify and arrest the members of international cybercrime organizations, as they did this week in their announcement of the takedown of the GozNym network. In 2016, the GozNym malware was used to steal bank account credentials and, subsequently, money from those accounts. (More on exactly how much money was taken in a minute.)

The announcement included an unsealed indictment, filed in April, that names 10 individuals responsible for distributing the GozNym malware. The 10 people involved live in Russia, Georgia, Ukraine, Moldova, and Bulgaria, and those last four countries have already cooperated in investigating, arresting, and prosecuting the individuals involved. But the five Russians named in the indictment have still not been arrested, and among the long list of international partners the U.S. worked with on this investigation, Russian law enforcement is noticeably absent.

It’s no surprise that the United States and Russia don’t exactly see eye to eye on matters of cybersecurity right now, but what is perhaps a little bit surprising is that so many Eastern European countries were willing to cooperate with U.S. officials here. Ukraine, after all, has been described as a “haven for hackers” in the past, and other Eastern European nations like Romania have long been viewed as cybercrime hubs. Cracking down on cybercrime in these places won’t have the same impact as prosecuting Russia-based cybercriminals would, but it’s a good start. And it deprives Russian cybercriminals of some of their most obvious and nearby allies and supporting figures, especially since there are many Russian speakers (and significant Russian populations) in most of these countries.

Online communications in Russian are, in fact, how the international team of law enforcement officials was able to identify the 10 people named in the GozNym case and the different roles each one played in the criminal network. GozNym, so named because it is a hybrid of the Gozi and Nymaim strains of malware, infected tens of thousands of computers, primarily in the United States and Europe. It was distributed via phishing emails, many of which appear to have contained fake Bank of America invoices as attachments that, when opened, downloaded the malware onto the victims’ computers. Once installed, GozNym acted as a keystroke logger to capture any banking credentials, and also injected fake banking login pages into victims’ browsers in order to prompt them to input their credentials.

Part of this injection scheme was the ability to defeat two-factor authentication by using a fake “token panel” that captured RSA token codes from victims and let the perpetrators use those codes to take over the victims’ accounts. Two-factor authentication typically requires you to input a one-time code from a token, text message, or app in addition to your usual password. So when people whose computers were infected with GozNym tried to log in to accounts protected with two-factor, the injected pages would prompt them to enter the one-time code from their token (or other second factor). When they typed the code into the fraudulent token panel (which they believed was their bank’s way of asking for the second factor), the thieves intercepted it and used it to log in to the victim’s bank account before the code expired. The trick works because a one-time code of this kind is tied to a time window, not to the website it was typed into, so the bank’s server cannot tell the attacker’s login from the victim’s. Once they had compromised the accounts, the perpetrators then tried to make transfers from the victims’ accounts into their own bank accounts.
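To make the timing of that relay concrete, here is an added simulation of the “token panel” exchange. It is not code from the article or from the GozNym malware: RSA SecurID tokens use a proprietary algorithm, so this stand-in uses standard RFC 6238 TOTP (6 digits, 30-second steps, one step of clock skew tolerated) with the RFC’s published test secret; the `BankServer`, `FakeTokenPanel` and `simulate_relay` names and the timestamps are all constructed for the example.

```python
import hashlib
import hmac
import struct

STEP = 30   # TOTP time step in seconds (RFC 6238 default; RSA tokens use 60)
SKEW = 1    # adjacent steps the server accepts, to absorb clock drift


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(secret, int(at) // step)


class BankServer:
    """Verifier side. Note what it does NOT know: which page the code was
    typed into. A code is either inside the accepted time window or not."""

    def __init__(self, secret: bytes, step: int = STEP, skew: int = SKEW):
        self.secret, self.step, self.skew = secret, step, skew

    def verify(self, code: str, now: int) -> bool:
        counter = int(now) // self.step
        for c in range(counter - self.skew, counter + self.skew + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                return True
        return False


class FakeTokenPanel:
    """Attacker-controlled page injected into the victim's browser. It never
    forwards anything to the bank; it just records what the victim types."""

    def __init__(self):
        self.captured = []

    def prompt(self, code: str, at: int) -> str:
        self.captured.append((code, at))
        return "Please wait while we verify your token..."  # stalls the victim


def simulate_relay(secret: bytes, t_victim: int, t_attacker: int) -> bool:
    """Victim reads the current code off the token at t_victim and types it
    into the fake panel; the attacker replays it against the real bank at
    t_attacker. Returns whether the bank accepted the attacker's login."""
    token_code = totp(secret, t_victim)        # what the hardware token shows
    panel = FakeTokenPanel()
    panel.prompt(token_code, t_victim)         # victim "submits" to the panel
    stolen_code, _ = panel.captured[-1]        # attacker reads it off the panel
    return BankServer(secret).verify(stolen_code, t_attacker)


if __name__ == "__main__":
    # RFC 6238 test secret (constructed input, not a real credential)
    SECRET = b"12345678901234567890"
    print("relayed 11 s later :", simulate_relay(SECRET, 59, 70))    # accepted
    print("relayed 141 s later:", simulate_relay(SECRET, 59, 200))   # expired
```

Run as a script, the first relay succeeds and the second fails: the server applies exactly the same check to both, and the only thing that distinguishes them is how long the attacker waited. The window the crew had to race was the remaining life of the code plus whatever skew the bank tolerated, which is why the panel stalls the victim rather than showing an error.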

The case against the 10 men named in the indictment hinges on their online advertisements for their own criminal skills and services, as well as their communications with one another in late 2015 and early 2016. For instance, in a Nov. 22, 2015, message obtained by law enforcement officials, Georgian Marat Kazandjian sent Bulgarian Krasimir Nikolov a link to the GozNym token panel and an access password for it. (The password was “qwerty123,” suggesting that even cybercriminals who steal passwords for a living don’t bother making very good ones.)

The scheme differed from earlier cybercrime models in that the suspects were initially traced according to their online advertisements for their services, rather than their online sales of stolen data—a model the DOJ referred to as “cybercrime as a service.” But otherwise it followed a fairly familiar format for financial cybercrimes: delivery of malware via phishing emails followed by electronic financial transfers that were routed through multiple bank accounts before being “cashed out” and delivered to their final recipients.

Exactly how much money was stolen using GozNym remains unclear, though the U.S. government would very much like you to believe that number is $100 million. The Department of Justice announcement emphasizes that the malware was used “in an attempt to steal an estimated $100 million,” while the indictment states that the malware “had the potential to cause in excess of $100 million in losses.” In fact, of the 13 victims listed in the indictment, only five actually suffered any financial losses; the others had their banking credentials stolen, and transfers were attempted from their accounts but apparently unsuccessfully. The five financial losses described in the indictment add up to $443,855.12, or about 0.4 percent of $100 million.

Of course, there may well be other losses that went unreported, but it’s still worth bearing in mind that that $100 million figure was probably more of an aspirational one for the GozNym crime ring, rather than an actual tally of their profits. (It’s also notable and impressive how many of the attempted bank transfers described in the indictment were unsuccessful even after the perpetrators had stolen the necessary account credentials.)

That doesn’t mean the takedown isn’t a victory for law enforcement, though the reported profits and inability to prosecute half the people named in the indictment make it a more measured triumph than the DOJ’s announcement might have you believe. It’s both a heartening sign that there is still progress being made working with other countries on combating cybercrime, and a sobering reminder that without Russian cooperation, there is only so much that can be done. And for every would-be cybercriminal in Eastern Europe whose takeaway from this story may be that they should consider an alternative career path, there are probably two or three in Russia for whom it reinforces their sense that they are untouchable.

Future Tense is a partnership of Slate, New America, and Arizona State University that examines emerging technologies, public policy, and society.