author photo
By Bruce Sussman
Wed | May 29, 2019 | 9:27 PM PDT

What does it take to steal $100 million from 40,000 victims?

Now we know.

The  U.S. Department of Justice and Europol revealed incredible details of a cybercrime network that was run like a business and made profits like one.

Inside story: this is how cybercrime networks operate 

This is the story of the GozNym cybercrime network, based on indictment documents from U.S. Federal Court in Pittsburgh, Pennsylvania.

We'll go step by step on how the network started, developed, and worked to steal so much from businesses, financial institutions, and individuals.

This map will help as we go through the steps:


  1. A leader steps up to start the cybercrime network.
  2. The leader, located in the nation of Georgia, uses the crime-as-a-service model: he leases access to malware from a developer. 
  3. The developer, who is in Russia, works with coders to create GozNym, a custom piece of malware made to steal online banking credentials from victims' computers.
  4. The leader needs more help. He recruits technical specialists by advertising in online crime forums used by those who speak Russian. The leader needs the following: crypters, spammers, account takeover operatives, and drop masters.
  5. The leader and his technical assistant (based in Kazakhstan) work with crypters in Moldova. Their job: encrypt the malware so antivirus cannot detect it on victims' computers.
  6. When the malware is ready, spammers send hundreds of thousands of phishing emails to potential victims across continents. If a receiver clicks a link, the victim's computer is redirected to a malicious domain and the GozNym malware is downloaded onto the device.
  7. After infection, if specialists on the GozNym team could successfully steal banking login credentials, that information was sent through illicit web hosting and several layers of servers to a central access panel used by the network.
  8. Account takeover specialists in Bulgaria and Ukraine then used the credentials to access business and personal accounts and started electronically transferring money out of them.
  9. Drop masters (also known as cash-outs) located in Russia and Ukraine then provide illicit bank accounts so the stolen money has somewhere to go.
  10. The drop masters then wire the money to other accounts, or money mules withdraw the money in person from banks or at ATMs. From there, the stolen money gets distributed to members of the GozNym network.

The global takedown of this criminal network

As we said earlier, this revealing look at how the cybercrime network operated came from court documents in Pittsburgh, where the FBI was part of the investigation.

“This takedown highlights the importance of collaborating with our international law enforcement partners against this evolution of organized cybercrime,” said FBI Pittsburgh Special Agent in Charge Robert Jones. “Successful investigation and prosecution is only possible by sharing intelligence, credit and responsibility. Our adversaries know that we are weakest along the seams and this case is a fantastic example of what we can accomplish collectively."

Cybercrime victims of the GozNym network

The U.S. Department of Justice also painted a picture of who could be a potential victim from a cybercrime cartel like this.

The answer is anyone. And any organization. Here is a sample of U.S. organizations that had money drained from accounts by this cybercrime operation:

  • An asphalt and paving business located in New Castle, PA;
  • A law firm located in Washington, D.C.;
  • A church located in Southlake, TX;
  • An association dedicated to providing recreation programs and other services to persons with disabilities, located in Downers Grove, IL;
  • A distributor of neurosurgical and medical equipment headquartered in Freiburg, Germany, with a U.S. subsidiary in Cape Coral, FL;
  • A furniture business located in Chula Vista, CA;
  • A provider of electrical safety devices located in Cumberland, RI;
  • A contracting business located in Warren, MI;
  • A casino located in Gulfport, MS;
  • A stud farm located in Midway, KY; and
  • A law office located in Wellesley, MA
Will the cybercriminals ever be prosecuted?

Some of the suspects, in this case, are already being prosecuted.

The alleged leader of the network, Alexander Konovolov, aka “NoNe,” and “none_1,” is being prosecuted along with his technical assistant in the country of Georgia.

The crypter of the group (and assistants) are also being prosecuted right now by officials in Moldova. Officials say the lead crypter is Eduard Malanici, aka “JekaProf,” and “procryptgroup. He's 32 years old.

Unfortunately, at least one suspect has already escaped.

Drop Master Farkhad Rauf Ogly Manokhin, aka “frusa,” was arrested in Sri Lanka at the request of the United States. After being granted bail, he fled back to Russia and is now out of reach of Western law enforcement.

He is one of five Russian nationals wanted by the FBI. All of them appear on this wanted poster:


So what does it take to steal $100 million from 40,000 victims—and who would do it? Now we know.

[RELATED: Business Email Compromise Case Studies and Cyber Defense, a SecureWorld web conference available on-demand]

[RESOURCE: Collaborate with your IT security peers across North America at your regional SecureWorld conference]