Ukrainian authorities have arrested five key suspects in a massive international bank fraud ring that used malware to steal at least $70 million from small businesses, municipalities, churches and others in the
The five are alleged to be part of a multi-national ring that includes about 60 other suspects who were arrested this week in the U.S. and the United Kingdom for their roles in schemes that used the Zeus malware to infect computers and steal bank log-in credentials from more than 300 victims in the U.S.
The ring attempted to steal $220 million from bank accounts, but succeeded in taking only a third of this, due to coordinated efforts by the Federal Bureau of Investigation with authorities in the U.K., the Netherlands and Ukraine.
The FBI wouldn’t disclose the names of the five suspects seized by Ukrainian authorities Thursday or indicate what role they played in the ring other than to say that at least $14 million in actual losses has been attributed so far to them specifically and that they were very proficient in utilizing the Zeus malware successfully.
But a bureau official, who asked not to be named, said the busts show that top criminal players are being taken out — not just the low-hanging fruit who operate as mules.
“These cyber criminals think that they are hiding over in a different country and are untouchable,” the official said. “This shows that we are working with our joint partners internationally and that [the criminals] can be held accountable for their actions.”
The ring began having success about a year and a half ago, the FBI source says, when it began targeting hospitals, universities, municipalities and small businesses across the country.
Hackers in East Europe would send targeted phishing e-mails to chief financial officers, accounting officers and treasurers at the victim organizations — people who would have access to an organization or company’s online bank accounts — and infect their computers with a Zeus trojan. The malware would steal the log-in credentials for the bank account, allowing the hackers to initiate money transfers out of the accounts, known as automated clearing house (ACH) transfers. The hackers were able to siphon huge sums in multiple transfers — in some cases hundreds of thousands of dollars from a single account — before the victim or bank realized what was happening.
In August, for example, thieves were able to purloin $600,000 from the Catholic Diocese in Des Moines in this manner.
On Tuesday, authorities in the UK announced they had arrested 20 suspects involved in the theft of at least $9 million from UK bank accounts. This figure could rise to $30 million as more evidence is amassed.
This announcement was followed on Thursday by one from U.S. authorities in New York who said they had charged 37 people from East Europe who served as so-called money mules and organizers.
These individuals, most of whom are 20-something East Europeans in the U.S. on student visas, were recruited on Russian social networking sites and elsewhere to aid the thieves. The students, once in the U.S., were given fake passports to open fraudulent bank accounts that were used by the hackers in East Europe to receive stolen funds from victim bank accounts. The mules then either transferred the money to other accounts outside the U.S. or withdrew it and smuggled cash bundles back to East Europe, keeping between 8 and 10 percent for their trouble.
The FBI source said that more than 3,500 mules have participated in the fraud operations in the U.S. alone, both U.S. citizens and foreign residents.
The mules often claim to be unwitting participants, asserting they were hired to help companies do what were characterized as legitimate payment processing. In the case of the Catholic Diocese in Des Moines, one mule told security blogger Brian Krebs that the money he helped process was going to be used as part of legal settlements for victims of clergy abuse.
The U.S. investigation into fraudulent ACH transfers, dubbed Operation Trident Breach, began in May 2009 when FBI agents in Nebraska learned of ACH transfers that were going to 46 different bank accounts throughout the U.S. As other cases popped up around the country, agents began to coordinate efforts. To date, the bureau has tracked 390 cases of ACH fraud that have resulted in 92 suspects being charged and 39 arrests. It’s unclear if they’re all related to one ring.
“This may all link back [to the same ring],” the FBI source said, “but at this point in time we don’t want to specifically state that it does. But this organization is one of the most significant . . . and most successful in their attacks on small and medium businesses.”
Although the arrests in the U.S. have nabbed mostly mules and their managers, the arrest of the five suspects in Ukraine hits at a higher echelon of the ring.
The FBI says the operation is a testament to the relationships it has developed in the last four years through attachés overseas and through cybercrime agents who are embedded in law enforcement agencies in Romania, Estonia, the Netherlands and elsewhere.
Authors: Kim Zetter