Account Takeover Fraud , Anti-Money Laundering (AML) , Cybercrime as-a-service

Three Members of GozNym Malware Gang Sentenced

Cybercriminals Tied to Theft of Over $100 Million Worldwide
Three Members of GozNym Malware Gang Sentenced

Three members of a cybercriminal gang that used the GozNym malware platform to steal approximately $100 million from victims across the globe have been sentenced for their roles in the scheme, according the U.S. Justice Department and prosecutors from the country of Georgia.

See Also: Check Kiting In The Digital Age

The three men, along with three others, were all charged in May as part of a global law enforcement investigation to shut down the GozNym malware-as-a-service platform. That effort included the U.S. Justice Department, FBI and Europol as well as local police in Bulgaria, Germany, Georgia, Moldova and Ukraine (see: FBI and Europol Disrupt GozNym Malware Attack Network).

Those arrested in May faced a series of charges including computer fraud, wire fraud, bank fraud and money laundering, according to the Justice Department. Altogether, international law enforcement charged 11 individuals with being part of the GozNym gang. And while others are in custody and being prosecuted, five Russian suspects remain at large, authorities say.

International Effort

The GozNym gang is alleged to have targeted over 41,000 different victims around the world, and infecting tens of thousands of PCs with malware, mainly in Europe and the U.S., according to the Justice Department. The scheme involved using the powerful Trojan to infect victims' devices, steal their online banking login credentials and access their accounts, and then launder the money through various accounts that they controlled, according to Europol, the European Union's law enforcement intelligence agency.

The three men sentenced last week in the U.S. and Georgia played central roles in how the gang operated, authorities say. This included Alexander Konovolov of Georgia, who was considered the primary leader of the gang, according to the U.S. Attorney's Office for the Western District of Pennsylvania, which oversaw the case.

Where the member of the GozNym gang operated (Source: Europol)

In addition to shutting down the GozNym network, the investigation is notable for the level of cooperation among different law enforcement agencies, and the fact that many of the suspects are being prosecuted in the countries where they reside, authorities say.

"In announcing the prosecution of the GozNym international cybercrime syndicate with our law enforcement partners at Europol in May, I stated that borderless cybercrime necessitates a borderless response," says U. S. Attorney Scott Brady. "This new paradigm involves unprecedented levels of cooperation with willing and trusted law enforcement partners around the world who share our goals of searching, arresting and prosecuting cyber criminals no matter where they might be."

Three Sentenced

The three members of the GozNym gang sentenced last week included one case that was prosecuted in the U.S. and two others in the country of Georgia.

On Friday, the Justice Department announced that Krasimir Nikolov of Varna, Bulgaria, had been sentenced time served after having already spent 39 months in federal prison since being extradited to the U.S. from Bulgaria in 2016. He was convicted on federal charges of criminal conspiracy, computer fraud, and bank fraud related to the GozNym attacks, according to federal prosecutors.

After being released from federal prison last week, Nikolov, who also went by the online names "pablopicasso," "salvadordali," "karlo," was transferred to the custody of U.S. Immigration and Customs Enforcement and will be sent back to authorities in Bulgaria.

Federal prosecutors say that Nikolov worked as an "account takeover specialist" for the group and would use the stolen credentials to access victims' bank accounts and transfer money to other accounts controlled by the gang.

In addition to Nikolov, the Prosecutor’s Office and Ministry of Internal Affairs of Georgia announced last week that two other men, Alexander Konovolov and Marat Kazandjian, were each sentenced for their roles in the scheme following a trial in that country and sentenced to prison terms there.

Konovolov, who lives in Tbilisi, Georgia and went by the name "NoNe," was considered the leader of the gang, organized its activities and recruited others to work on various criminal schemes, prosecutors say. He was sentenced to seven years in prison.

Finally, Kazandjian, who lived in both Kazakhstan and Georgia and went by the moniker "phant0m," is believed to have worked as Konovolov's assistant and as an IT administrator for the cybercriminal gang. He was sentenced to five years in prison, Georgia authorities say.

GozNym Malware

The GozNym malware was first discovered in April 2016 by researchers from IBM X-Force. This particular Trojan appeared to be a hybrid of two older strains of malware called Nymaim and Gozi ISFB, which led researchers to give it the name GozNym (see: New Hybrid Banking Trojan 'GozNym' Steals Millions).

In their analysis, the IBM researchers found that the GozNym Trojan combined the stealth and persistence of the Nymaim malware, along with the ability to target bank accounts through infected internet browsers that Gozi ISFB offered.

The result was a new type of malware-as-a-service platform that the GozNym criminal gang used to target bank accounts throughout the world. This malware was spread through an attack network called Avalanche that law enforcement dismantled in December 2016.

About the Author

Scott Ferguson

Scott Ferguson

Former Managing Editor, GovInfoSecurity, ISMG

Ferguson was the managing editor for the media website at Information Security Media Group. Before joining ISMG, he was editor-in-chief at eWEEK and director of audience development for InformationWeek. He's also written and edited for Light Reading, Security Now, Enterprise Cloud News, TU-Automotive, Dice Insights and

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.