Europol arrests end GozNym banking malware gang

Arrests in Europe and the US appear to have ended the cybercrime careers of the gang behind the GozNym banking malware.

According to Europol, which coordinated the pursuit of 10 people in Ukraine, Moldova, Georgia, Bulgaria, Germany and the US, GozNym stole $100 million by infecting 41,000 devices around the world – mainly business computers.

Among those picked up were the alleged network mastermind, arrested in Georgia, and another individual in Ukraine who unsuccessfully attempted to evade police by producing a firearm. Five unnamed Russians remain on the run.

The GozNym malware was created sometime around 2015 by combining the code of two older pieces of malware, the well-known banking trojans Gozi which leaked in 2010, and the Nymaim dropper, a later malware most often used to unleash ransomware attacks.

The combination combined the best of two slightly different worlds, turning up in attacks on customers of two dozen US and Canadian banks in 2016.

The attacks used a common technique – blasting out the malware in phishing campaigns, or via exploit kits planted on websites; capturing online banking credentials; accessing those accounts to steal money; and laundering the proceeds:

The GozNym network exemplified the concept of cybercrime as a service, with different criminal services such as bulletproof hosters, money mules networks, crypters, spammers, coders, organizers, and technical support.

The gang behind it was highly-specialised in their roles, each carrying out different tasks from coding, sending phishing emails, and tending to the flow of money from victims.

Avalanche botnet

The breakthrough in collaring the people behind GozNym can be traced to Europol’s takedown of the Avalanche botnet in 2016. That had been used to host GozNym, which gave police several leads.

The operation stands out for the unusual way it was conducted, with simultaneous prosecution in four nations at the same time representing what Europol described as a “paradigm change.”

Normally, prosecutions progress haphazardly in different countries for reasons to do with the local laws and legal process.

Complicating this is the fact that an individual might be arrested in one country for crimes carried out in another that might or might not have mutual extradition agreements.

Said Scott Brady of the US Attorney’s Office for the Western District of Pennsylvania:

The law enforcement response must be equally broad and borderless. We believe this represents the new blueprint for how we attack cybercrime going forward.

This is good news – though sadly we suspect that there are plenty of cybercriminals and malware still to come…