Europol Targets Ukrainian Botnet GangAlleged Zeus, SpyEye Banking Trojan Cybercriminals Arrested
European police agencies have announced a "joint international strike against cybercrime," reporting that after a two-year investigation, they have disrupted a botnet gang that used and sold banking malware and cybercrime services that targeted victims and banks around the world.
Authorities say that an ongoing operation has now resulted in the arrests of five Ukrainian-based members of the alleged cybercrime ring, who have been accused of infecting "tens of thousands" of PCs with variants of the Zeus and SpyEye banking Trojans. Officials say the gang targeted "many major banks," sold hacking services for hire, and swapped stolen credentials, bank account information and malware variants on underground fraudster forums, causing at least $2.2 million in damage.
The law enforcement operation comprised a joint investigation team that included six EU countries: Austria, Belgium, Finland, the Netherlands, Norway and the United Kingdom. The operation was supported and coordinated by Europol - the EU's law enforcement agency - and its European Cybercrime Center (EC3) as well as Eurojust, which is the EU agency that handles judicial cooperation relating to criminal matters. It coordinated the operation at a judicial level with non-EU member states, including Ukraine. Other countries participating in the operation included Germany, Poland and the United States, officials say.
"The aim of this JIT [Joint Investigative Team] was to target high-level cybercriminals and their accomplices who are suspected of developing, exploiting and distributing Zeus and SpyEye malware - two well-known banking Trojans - as well as channeling and cashing-out the proceeds of their crimes," Europol says. "The cybercriminals used malware to attack online banking systems in Europe and beyond, adapting their sophisticated banking Trojans over time to defeat the security measures implemented by the banks."
Rob Wainwright, director of Europol, called this "one of the most significant operations coordinated by the agency in recent years." He says the five recent arrests, made in Ukraine on June 18 and 19, involved searches of eight houses in four cities there, plus the seizure of computer equipment for digital forensic analysis.
"This case demonstrates that it is only possible to combat cybercrime in a successful and sustainable way if all actors - that means investigative judges and judicial authorities - coordinate and cooperate across the borders," Ingrid Maschl-Clausen, a Eurojust member for Austria, said at a June 25 press conference in Vienna.
Europol says that 60 individuals have now been arrested as part of this ongoing operation; 34 were busted by Dutch police as part of an operation that targeted alleged money mules.
Authorities have not identified the most recent arrestees; Europol did not immediately respond to a related request for comment.
"This is another successful operation by Europol EC3 and demonstrates the value EC3 brings in dealing with cybercrime by enabling better and more effective cooperation between different law enforcement agencies," Dublin-based information security consultant Brian Honan, a cybersecurity adviser to Europol, tells Information Security Media Group. "Europol's work in developing frameworks for international cooperation amongst law enforcement agencies is gaining dividends. The success of this operation and other recent ones, is sending a clear message to cybercriminals that they are no longer untouchable."
Authorities say that each alleged member of the cybercrime group arrested in Ukraine focused on providing services that touched on numerous parts of the cybercrime ecosystem (see How Do We Catch Cybercrime Kingpins?). That ranged from creating malware, to using it to infect PCs, to harvesting large quantities of bank credentials and then using money mules to launder money. "On the digital underground forums, they actively traded stolen credentials, compromised bank account information and malware, while selling their hacking 'services' and looking for new cooperation partners in other cybercriminal activities," Europol says.
The related investigation remains ongoing and has produced terabytes of related data relating to malware, operational messages, forensic analysis and intelligence reports, Europol says. It notes: "The enormous amount of data that was collected and processed during the investigation will now be used to trace the cybercriminals still at large."