author photo
By Bruce Sussman
Thu | Apr 9, 2020 | 12:16 PM PDT

His screen name is "Gangass."

U.S. investigators say he was moving major money for a Business Email Compromise (BEC) cybercrime group until his recent arrest. A group that has created victims from customers of U.S. banks such as Chase, USAA, Bank of America, PNC, and more.

In this case, his penchant for selfies was part of the evidence that unraveled his backstory.

Cybercriminal arrested: he loved selfies with cash

Maksim Boiko is 29 years old and has a very interesting selfie habit.

For years, the Russian national snapped photos of himself with piles of cash and posted it on Instagram or uploaded the selfies to his Apple iCloud account. Why not? Living in Russia, he was out of reach of Western law enforcement.

Just take a look at some of these shots from his Instagram.

Boiko cruising in a Mercedes with cash like it's a phone:

hacker-cash-instagram

He apparently likes the "cash as a phone" type of pose, some of them close up.

hacker-cash-instagram3

And then there's the selfie that investigators found in a court authorized search of his iCloud account; the BMW and the cash on full display:

hacker-cash-apple-icloud

And when he wasn't in the selfie, he still documented the cash he was hauling in, apparently for posterity. Here are some examples.

The first photo indicates it is more than a quarter million U.S. dollars, mainly in $100s:

hacker-cash-quarter-million

Investigators say the photo below, posted on his Instagram, involves stacks of Chinese Yuan, tied to his money laundering which sometimes involved Chinese banks. The photo even includes Boiko's first name (Maksim) on two different name signs: 

hacker-cash-instagram4

And here's a photo (below) of cash from the passenger seat. How do investigators know this was Boiko? They say his tattoo gave him away:

hacker-cash-instagram2

How did this BEC cybercriminal get caught?

In the case of the selfie-taking Gangass, he got caught because of his love for cash—photographing it, flaunting it, and carrying it.

We're not sure why, but in January 2020, Maksim Boiko and his wife came to Miami, Florida.

Court documents, which outline the case against him, explain what happened:

"Because he entered the country with $20,000 in U.S. currency, Boiko was interviewed by U.S. Customs and Border Protection. In the interview, Boiko stated that his income came from investments in Bitcoin and rental properties in Russia."

Yes, it was the cash he felt compelled to bring into the U.S. that triggered an FBI investigation.

Here's where that stands now, with Boiko in jail:

"The FBI has probable cause to believe that, contrary to these assertions, Boiko is a significant cybercriminal who launders money for other cybercriminals through: (1) providing other cybercriminals with access to criminally controlled bank accounts for the purpose of receiving and laundering funds stolen from victims' online bank accounts; and (2) converting criminally-derived funds from fiat currency into electronic currency, such as Bitcoin."

The fact that cybercriminals flaunt their success to help get themselves caught is no surprise to Vinny Troia. The author of Hunting Cyber Criminals tells SecureWorld he's seen this repeatedly:

"Oftentimes they'll make moves that will jeopardize their position. And so that's why I say vanity trump's OpSec. These guys will, you know, do things like use their real IP address to modify a Wikipedia entry just to get their name in there, you know, immortalized. It floors me every time."

And apparently, some will also bring $20,000 in cash to the airport. In hindsight, not the best move for Boiko.

[Related podcast with Vinny Troia: Talking to Hackers (Thru and Alias)]

Investigators explain how this BEC cybercriminal operated

The FBI says Boiko used secure and encrypted Jabber instant messaging platforms, including "exploit.im" which investigators say is used almost entirely by cybercriminals.

The court documents walk us through an example of the money laundering transactions Boiko is accused of facilitating:

On or about March 20, 2017, a known cybercriminal known as 'Moneybooster' had a chat with gangass@exploit.im. Moneybooster asked 'gangass' for a corporate account that could receive a wire of about '200-300k.' Within minutes, gangass responded by providing the following account:

(1) Company Name: Arco Technology (Hongkong) Limited;

(2) Company Address: Unit 2103, 21/F., Sino Centre, 582-592 Nathan Road, Mongkok, Kowloon;

(3) Bank Name: Bank of China (Hong Kong) Limited;

(4) Bank Address: 213 Queens Road East, Wan
Chai, Hong Kong;

(5) Account no: 012-899-0-800722-9 (USD).

After receiving the information, the cybercriminal informed gangass that "I've sent around 300k." Gangass responded, "[g]ot you,
bro!"

Several days later, the cybercriminal informed gangass that the transfer was blocked and did not go through. In response, gangass stated, "well, anyway, I already knew it didn't work out. The main thing, do you think the credentials are compromised or we can keep using them." Moneybooster wrote, in part, "it won't kill your credentials... but the same bank won't work for me because it's on the Chase blacklist."

Based on my training and experience, this conversation shows that Gangass was aware that the funds are being obtained from
a victim whose bank account login information was stolen and that the attempted transfer was fraudulent.

During the same conversation, Gangass told Moneybooster, "I have 1 more for you." Based on my training and experience, this constitutes an offer by Gangass to provide Moneybooster with another cash-out bank account.

On March 27, 2017, Gangass wrote to Moneybooster, "OTRv2." Based on my training and experience, "OTR" refers to going "off the
record" by switching to encrypted communications.

And then investigators linked this communication to the real world attempt to move the money:

"Documents retained by JPMC (JPMorgan Chase) showed that on the same date as the initial chat above, March 20, 2017, a wire in the amount of $276,300—the same approximate amount referred to by Moneybooster—was initiated from a victim business entity in California to the exact same account in Hong Kong (722-9) provided by gangass (Boiko).

JPMC rejected the wire on suspicion of fraud, and neither the victim business entity nor JPMC suffered any loss."

This attempt at cybercrime was stopped, but organizations around the world have lost some $26 billion to BEC between 2016 and 2019.

Cybercriminal tied to global BEC organization

The court documents against Boiko say he is likely helping to move money on behalf of a powerful Business Email Compromise gang with team members in many different countries. 

From a victim's standpoint, the BEC crime often starts when they receive an email asking them to update wiring instructions for an upcoming payment. This message appears to be coming from a trusted vendor but is from hackers, secretly directing the funds into an account they can use.

Read our story for more on how this plays out: Catholic Church Sends $1.7 Million to Hackers.

In this case, the FBI says cybercrime gang QQAAZZ starts each attack by laying the financial groundwork necessary to move massive sums of money. And they may be targeting your corporate account to do it.

The court documents reveal how this works:

(a) cybercriminals with unauthorized access to a victim's bank account contacted QQAAZZ via Jabber, a secure online instant messaging software, seeking a recipient bank account to which the cybercriminal could send the victim's stolen funds via electronic funds transfer;

(b) QQAAZZ provided the cybercriminal with the details of the specific bank account designated to receive the stolen funds;

(c) the cybercriminal initiated, or attempted to initiate, an electronic funds transfer from the victim's bank account to the recipient account provided and controlled by QQAAZZ;

(d) QQAAZZ received the stolen funds in its recipient bank account;

(e) QQAAZZ withdrew (i.e., "cashed-out") the funds, transferred the funds to other QQAAZZ-controlled bank accounts for withdrawal, or transferred the funds to illicit "tumbling" services where the funds were converted to cryptocurrency;

(f) QQAAZZ returned the stolen funds to the cybercriminal minus QQAAZZ's fee, which was typically between 40 to 50 percent of the total amount of stolen funds.

And somewhere in that mix, officials say that Maksim Boiko got his cut of the cash so he could pose for all those selfies from the road.

The FBI says QQAAZZ has been able to facilitate the theft of an estimated tens of millions of dollars from victims in the United States and throughout the world.

For more on the Enterprise Business Model of Cybercrime, listen to our podcast on BEC with a top investigator from the U.S. Secret Service:

Clearly, Boiko loved to flash the cash. But he got busted by his $20,000 stash he brought onto U.S. soil.

Comments