ARTICLES

Going After the GozNym Malware Gang

This is the second and final installment of this article. Part I began with my meeting with Scott Brady, the U.S. attorney for the Western District of Pennsylvania, in his office in October 2020. (Brady left that position on Feb. 26, 2021, after the change in administrations.) With him was Charles (“Tod”) Eberle IV, chief of his national security and cyber crime section. We talked about efforts their office had undertaken to counter cyber attacks from Eastern Europe. In the spring of 2016, Brian Stevens, a special agent in the FBI’s Pittsburgh field office, started hearing from banks about a wave of malware attacks at Pennsylvania companies. It turned out to be GozNym (pronounced goes-neem) malware that allowed the gang that deployed it to steal banking credentials from company computers and wire funds to accounts they controlled. As in the film “Ocean’s Eleven,” the gang’s leader had chosen his 10 recruits for their specialties. (Investigators called it “cyber crime as a service.”) He found them through Russian-speaking criminal forums, where they were all known by their online handles. It wasn’t even clear that they knew each other’s names. They used a “bulletproof” hosting service called Avalanche, a vast botnet that offered domains for their malware and money mule campaigns to launder their take. Eberle first worked with Stevens under the guidance of David Hickton, Brady’s predecessor. Their aim was to partner with Ukraine, Georgia, Moldova, and Bulgaria—the countries (except Russia) where the gang members lived—to prosecute them. But first there was a push led by a German prosecutor and investigator to take down Avalanche. The Americans, among others, joined the effort, and on Nov. 30, 2016, it succeeded. By then Eberle and Stevens had also managed to convince Bulgaria to arrest a gang member named Krasimir Nikolov, who within days would be extradited to Pittsburgh. They appeared to be on a roll. But only Bulgaria had an extradition treaty with the United States. The next steps—convincing prosecutors to bring charges and helping them win convictions in Ukraine and Georgia—were hard to predict. And the road ahead would prove bumpy.

Mixed Results

November 30 was not a good day for Gennady Kapkanov. Avalanche, the bulletproof hosting service he administered, had been taken down. And then the police wanted to search his small apartment in Poltava, Ukraine. One of his online handles was “firestarter,” and when the cops showed up he fired an assault rifle right through his front door. He was fortunate he didn’t hit anyone, but he made it easy for them to arrest him on those charges alone. A video of the arrest was later posted on YouTube.

If Nikolov’s arrest in Bulgaria suggested things would go smoothly, Kapkanov’s eruption pointed in a different direction. And things only got worse. After he was arrested and locked up, Kapkanov was brought to a district court the next day, where a prosecutor requested he be held for 40 days. Considering he had just attempted to shoot police officers, this did not seem like a stretch, but the judge inexplicably released him.And just as quickly he disappeared. He wouldn’t be recaptured until February 2018. His current status is not known, but no one is talking publicly about prosecuting him for cyber crimes.

It was not a good start. But then came another break. Eberle and Stevens hadn’t spent much time thinking about the five Russians in the gang, who seemed beyond their reach. But their luck hadn’t completely deserted them. In February 2017, they learned that one of the Russians had ventured far from home. Farkhad Rauf Ogly Manokhin had taken a trip to Sri Lanka, where he was arrested on charges filed against him in the U.S. And it just so happened that Sri Lanka and the United States had an extradition treaty. Would he be joining Nikolov?

He would not. He, too, was released. In his case, bail was set on condition that he remain in the country pending the outcome of an extradition request. He stuck around for a while, but by December he was gone. Two other members of the group were indicted by the United States but have faced no charges to date: Alexander Van Hoof from Ukraine and Eduard Malanici from Moldova. No information was available on their legal statuses.

These failures were disappointing, but they shouldn’t overshadow the successes. In fact, there was a good deal to celebrate. Western countries had successfully partnered with investigators and prosecutors outside their usual spheres of influence. Together they had taken down a notorious botnet that had operated with apparent impunity in Eastern Europe since 2009. They had secured cooperation from Ukraine, Bulgaria, Georgia, Moldova, and Sri Lanka. They had initiated legal action in four of those countries, even if the cooperation hadn’t proved durable in three. What the effort had already accomplished went well beyond a “name and shame” indictment. They had established relationships with their counterparts in countries that had no compelling reason to help them other than a shared interest in enforcing the rule of law. Critics had doubted this was even possible. And they hadn’t simply helped bring down a botnet. They’d broken up a malware gang and arrested three of its 11 members (even if two had escaped prosecution). And they weren’t done yet.

Their investigation had dug up a lot about this group. They believed they’d identified many of the players, and they thought they understood the roles most played. But there were also big gaps. They knew the handles of these guys, but not all of their real names. And they didn’t have enough evidence to prove what they thought they knew. But they were pretty sure the ringleader was in Georgia, in or near the capital of Tbilisi. And If the team from Pittsburgh was going to have a chance to see anyone brought to justice, it looked like it would have to happen in a court somewhere in Georgia.

A Partner in Georgia

I recently exchanged emails with Besik (“Beso”) Tkhelidze, who has worked for 33 years at the Prosecution Service of Georgia. Now a deputy department head at the Office of the Prosecutor General of Georgia, his unit provides procedural guidance on organized crime, including cyber crime, that the Central Criminal Police Department of the Ministry of Internal Affairs investigates. He was Eberle and Stevens’ main contact beginning in the spring of 2017, when the FBI contacted Georgia law enforcement and asked for help on its GozNym investigation. The FBI had Jabber conversations of the person they believed was spreading the malware used to steal millions of dollars from victims in various countries. But they only knew the leader by his user names, None and None_1.

Even though Georgia “was not a victim country,” Tkhelidze told me, they immediately expressed a willingness to help. Not long after the police and prosecutors opened an investigation, Stevens and Eberle suggested a meeting. In May 2017, they flew to Tbilisi. Tkhelidze found them personable and credible. But his initial reaction was that their investigation was misdirected. “I listened to them and thought to myself that they were addressing the ‘wrong country,’” he wrote me. Yet, the information they provided was “plausible,” and some of it was corroborated by first-hand information the Georgian investigators were uncovering. “This enabled us to ask questions and receive answers. It would have been impossible for us to form a complete and clear image of the case without such a direct face-to-face meeting.”

After their American partners left, it didn’t take long for the Georgian police to focus on two suspects who had IT skills and worked together. When their apartment was searched, one of the seized laptops was found to have GozNym malware. It also contained Jabber conversations with other members of the crime ring. “That was when I realized that our colleagues from the U.S. came to the ‘right address,’” Tkhelidze said. In Georgia, they do not include defendants’ names in press releases, but the suspected ringleader was Alexander Konovolov. Since 2015, he’d controlled more than 41,000 computers infected with GozNym malware. And Marat Kazandjian was thought to be his assistant and technical administrator. They were both Georgia citizens.

But that wasn’t the end of the investigation. Far from it. “Of course, all this was not sufficient to start thinking about criminal prosecution. We needed to achieve a higher evidentiary standard,” Tkhelidze said. And this was “unimaginable without international cooperation,” he added. From that initial meeting in Tbilisi to the arrest of the two suspects took two years. “The main difficulty lay with the differences in the laws and the legislative systems of the two countries,” said the man who supervised Georgia’s prosecutors. “Within the scope of the investigation launched on the basis of international cooperation, when each country acts within its jurisdiction, it is crucial to obtain evidence in such a form that it is beneficial and useful for the other country in accordance with its legislation.”

There were no quick solutions. It was a complicated case from the start, with evidence spread around the globe. Even with regular audio and video conferences, it was difficult to coordinate—further complicated by language barriers. Europol and Eurojust stepped in to help ensure the participating countries were able to communicate effectively. Multiple meetings were held at The Hague, where the organizations are based. But the differences in laws were also a serious impediment. The deepening personal relationships helped them work through these challenges, but at times Eberle felt he was back in law school, learning a system very different from the one he’d grown up with. A conspiracy in the U.S. wasn’t the same thing in Georgia. Even confessions or admissions weren’t necessarily treated the same way. It was at a meeting in The Hague in the summer of 2018 when they finally reached a turning point, Tkhelidze said. The two sides “managed to harmonize their views as much as possible.” They were finally ready to function as one team.

How It Ended

In May 2019, Georgia announced that it had arrested and charged Konovolov and Kazandjian for crimes in connection with the GozNym attacks. And the United States simultaneously announced that Brady’s office had unsealed an indictment naming those two and the other eight individuals who were allegedly part of the GozNym gang. It included a reference to co-conspirator Krasimir Nikolov, who had been extradited to Pittsburgh from Bulgaria in December 2016. The announcements were made at a press conference at Europol.

The location was important to Brady. “It was important to me to go the The Hague and announce it there, and not do it in the United States,” he told me during our interview. He wanted to avoid “the same old press conference at Main Justice, and we thank everybody—but it’s really U.S.-centric.” That would have conveyed the wrong message. “It was important to really have buy-in, and trust, and transparency, which Tod has really developed,” he said. “It’s important that at the end, everyone shares the credit. Because if good work is being done, there’s plenty of credit to share, and then that sets up the future.”

Brady’s remarks at the press conference reflected these views. So did the comments of Robert Jones, then special agent in charge of the FBI’s Pittsburgh field office. “Successful investigation and prosecution is only possible by sharing intelligence, credit, and responsibility,” he said. “Our adversaries know that we are weakest along the seams, and this case is a fantastic example of what we can accomplish collectively.” The announcement also mentioned that Nikolov had pleaded guilty the previous month and was scheduled to be sentenced in August. All that remained was the trial.

It lasted for several months, according to Tkhelidze. “It was extremely important to submit credible evidence to the court,” he wrote me. Georgia’s collaboration with the United States helped make this possible. One way, he said, was through the remote questioning of a U.S. investigator and an expert who had helped obtain evidence. The investigator was the FBI’s Brian Stevens, who testified via Skype. The expert was Ryan Albright, a computer scientist from the FBI who has since left the agency. Another witness who testified from the U.S. (and does not wish to be named) also provided significant information, Tkhelidze said. He called these contributions “unprecedented.”

In December 2019, the trial ended. Tbilisi City Court found both defendants guilty. Konovolov, was sentenced to seven years in prison. Kazandjian was sentenced to a five-year term. But he was given credit for cooperating with the investigation and granted a conditional release after the first year. The press releasefrom the Prosecutor’s Office of Georgia praised the U.S. Attorney’s Office, the FBI, DOJ’s Office of International Affairs, the U.S. Embassy in Tbilisi, and Eurojust and Europol. “The case at hand was invaluable experience, as well as a significant challenge,” the release said. “It also proved that there is no alternative to international legal cooperation for fighting against transnational crime.” That same month In Pittsburgh, Nikolov was sentenced to time served, which amounted to three years. Eberle said he had no complaints about any of these results.

There was one more press release related to these events that’s worth mentioning. In October 2019, Tod Eberle won the J.D. Falk award from the Messaging Malware Mobile Anti-Abuse Working Group—the same award that the German prosecutor and investigator had won in 2017 for their roles in taking down Avalanche. The award recognizes “people who are committed to making a better online world” and who “have demonstrated dedication to improving the Internet experience and protecting end-users.”

Lessons Learned

The Avalanche/GozNym takedowns illustrated the challenges, and potential rewards, of this kind of cooperation. The model is important because so many cyber attacks that plague American businesses (for instance, ransomware) originate from that part of the world. There are likely to be plenty of opportunities to put the lessons to use. In fact, four days before Brady’s office announced the Sandworm indictment in October that they couldn’t tell me about when I visited (it hadn’t been made public), they rolled out another one they couldn’t tell me about. This one charged 14 members of an organization called QQAAZZ for providing money laundering services to cyber criminals. It was another brand of “cyber crime as a service.” The named defendants were from Georgia, Latvia, Bulgaria, Romania, and Belgium. Criminal prosecutions had been initiated in the U.S., Portugal, Spain, and the United Kingdom. The press release listed 15 countries as U.S. law enforcement partners on the matter.

Eberle told me that the successes they’ve realized have gotten a lot of attention from colleagues around the country. The FBI’s Pittsburgh field office gets a lot of calls, he said, from agents asking for advice. During a webinar put on by the University of South Carolina School of Law, Eberle recounted some of his own takeaways from GozNym. “We’ve had some situations where we were able to take down the infrastructure that the criminals use—the servers, the malicious domains,” he said. “But if we aren’t identifying who the criminals are behind the infrastructure, then they’re just going to put the infrastructure back up in a matter of weeks.” What he’s learned, he said, is to avoid waiting for victims to call. By then the situation may already be out of control.

Eberle has become an evangelist for searches. “We’ve learned to become more proactive, and take the data that we’re getting from overseas searches to identify who are the key criminals out there.” Don’t wait until you have enough evidence to make an arrest, he said. It often makes more sense to act when you have probable cause for a search, “because the data can yield so many investigative leads.”

Scott Brady viewed the lessons through a wider lens. Too often prosecutors underestimate the opportunities for partnering with international prosecutors, he said. “Prosecutors, investigators have an interest in good government, have an interest in the rule of law, which will allow the economy to flourish,” he said. “They don’t want to be known to the West and to international businesses as a haven for cyber criminals. They want to be a home where international companies will relocate.”

From his perspective, it was all about building relationships. “It was important to really have buy-in, and trust, and transparency, which Tod has really developed,” Brady said. “It's important that at the end, everyone shares the credit.” And then one success leads to another. “And we do that by having face-to-face relationships,” he said. “So when there are investigations, the Georgians, or the Germans, or the French, or the Ukrainians say, ‘Well, we know Tod. And we trust him. So let's call him and see if we can figure out how to attack this.’”

Beso Tkhelidze in Georgia, who had once wondered whether the Americans had contacted the wrong country, came away impressed. He summed up his views this way: “It was a precedent when U.S. and Georgian investigators and prosecutors operated as members of a single investigative team based on mutual respect and trust. This was the foundation of successful collaboration.”