Two Romanian Nationals Convicted in 'Bayrob' Malware CaseFound Guilty in Case Involving a Massive Botnet
Two Romanian nationals have been convicted by a federal jury for their roles in stealing more than $4 million from victims by creating a botnet of more than 400,000 PCs through custom-designed malware called Bayrob, the U.S. Department of Justice announced Thursday.
Following a 12-day trial in federal court in Cleveland, Bogdan Nicolescu and Radu Miclaus were each found guilty of numerous charges, including wire fraud, conspiracy to traffic in counterfeit service marks, aggravated identity theft and conspiracy to commit money laundering.
The two men face between 20 and 30 years in prison when they are sentenced by Chief U.S. District Judge Patricia Gaughan in August.
A third man involved in the scheme, Tiberiu Danet, pleaded guilty last year and is awaiting sentencing.
Nicolescu, Miclaus and Danet were arrested by Romanian police in Bucharest in 2016, following an eight-year FBI investigation. The scheme that law enforcement uncovered included the sending of tens of millions of malicious emails, credit card fraud, identity theft and even cryptomining using the power of the botnet that the group created, authorities say.
The three men were referred to as the "Bayrob Group," named after the Trojan that infected the PCs to create the botnet, according to federal prosecutors.
The Bayrob Scheme
The Bayrob Group started its scheme sometime in 2007.
During this time, the three men - Nicolescu (aka "Masterfraud,"), Miclaus (aka "Minolta") and Tiberiu (aka "Amightysa") - created proprietary malware that eventually became known as Bayrob, the DOJ says.
The group then created a series of malicious emails that looked like legitimate messages from well-known companies, such as Western Union and Norton AntiVirus. Another looked like it came from the IRS. Each of these emails contained an attachment, and if the victim clicked on it, the Bayrob Trojan would download, according to prosecutors.
The malware would then scan the victim's PCs looking for email addresses and then use these contact lists to send out even more emails that would infect other computers. The group could also direct their network to sign up for AOL accounts, which could send out even more emails, the DOJ reports.
Eventually, the Bayrob Group created a botnet of 40,000 PCs, mainly in the U.S., authorities say. At its peak, the botnet could send out tens of millions of fraudulent emails.
The Trojan also allowed the group to steal credit card and other personal information stored on victims' PCs. Eventually, the three men turned the botnet into a cryptomining operation, harvesting that massive PC power, according to the DOJ.
At one point, the group was able to inject malicious pages into legitimate websites, such as eBay. When victims thought they were following legitimate instructions, they were actually doing what the group wanted instead. Thousands of fraudulent listings for cars, motorcycles and other goods contained images infected with malware that would redirect shoppers to sites designed to look like eBay, prosecutors say.
While victims thought they were paying for items on eBay, the money actually was sent to a phony escrow agent, who then shipped the money to the Bayrob Group. The items were never delivered, prosecutors report.
The fraudsters' business became so lucrative that they eventually hired "money mules" to pick up payments and cash from phony companies and accounts and bring the proceeds back to them, according to DOJ.
Mistakes Led to Arrest
For a number of years, the Bayrob Group kept its operations hidden behind vast amounts of encrypted communication methods, including PGP, instant messages using the Off-The-Record protocol and a double layer of proxies that controlled the command-and-control servers used to communicate with the botnet, according to the security firm Symantec, which has studied the group for years.
The gang also used VPNs to connect with these proxies, Symantec found.
Eventually, researchers with Symantec discovered a weak point in one of the proxies and were able to trace the network back to the group in Bucharest. This was also the tipoff that the FBI needed.
Federal authorities originally believed that the group had swindled victims out of more than $4 million, but an estimate by Symantec found that the number could have been as high as $35 million.
All three men were arrested in 2016, and they eventually were extradited to the U.S. to face the charges. Nicolescu and Miclaus each decided to bring their case to trial, which ended Thursday in the guilty verdict. They'll remain in custody until their sentencing in August.
Danet pleaded guilty in November 2018 to numerous charges stemming from the case, including aggravated identity theft, wire fraud, conspiracy to engage in wire fraud, conspiracy and conspiracy to commit money laundering. He is scheduled to be sentenced on May 2.