Gameover Zeus & Cryptolocker Indictment: Over $100 Million Stolen
The Department of Justice today trumpeted the indictment of a Russian national (Evgeniy Bogachev) for his leadership in two separate cybercrime schemes that stole over $100 million: Gameover Zeus & Cryptolocker. According to the DOJ:
Gameover Zeus is "the most sophisticated and damaging botnet we have ever encountered" and has infected between 500,000 and 1 million computers around the world. Once this program infected a computer, it stole passwords and financial information to facilitate fraudulent wire transfers from victims' accounts to foreign bank accounts controlled by the criminals. "Individual fraudulent wire transfers conducted through Gameover Zeus commonly exceed $1 million."
Cryptolocker used malware to freeze target computers. The criminals would then send a ransom note demanding a $700 payment in bitcoin or untraceable credit cards to unlock the computer. Cryptolocker infected more than 234,000 computers worldwide, including more than 100,000 in the United States. The DOJ estimated that "the criminals behind Cryptolocker collected over $27 million in ransom payments from victims seeking to get access to their files back."
When I was an Assistant United States Attorney, I participated in some major cybercrime initiatives. After the fold, the reasons why I am more frightened than reassured by the DOJ's announcement.
1. The Financial Incentives For Cybercrime Are Enormous
Bogachev and his crew of Eastern European hackers are alleged to have pocketed more than $100 million from their cybercrime. The $27 million in ransoms collected to unfreeze computers attacked by Cryptolocker is particularly noteworthy. At a rate of $700/victim, that means that more than 35,000 people who knew that they were the victims of the Cryptolocker scheme decided to pay to try to get their data back. The price was apparently high enough to be profitable for the criminals, but not so high that victims would refuse to pay. If victims would rather pay than fight, the hackers will run wild.
The sophistication of Gameover Zeus is chilling. Hackers are always trying to gain access to passwords in order to empty bank accounts. Bogachev and his crew apparently were able to target small and medium-sized businesses that were likely to have online bank accounts, but unlikely to have sophisticated anti-hacking defenses. They were able to repeatedly steal more than $1 million before the DOJ was able to divert the attacks.
Like many recent cybercrimes, Gameover Zeus was run out of Ukraine (Kiev and Donetsk). In order to attack the scheme, the DOJ had to coordinate the seizure of servers in Canada, France, Germany, Luxembourg, the Netherlands, Ukraine and the United Kingdom. At the same time, the DOJ had to work with officials in each of those countries to redirect more than 300,00 computers from sending additional money to the criminals, even after the first wave of servers was seized.
2. Bitcoin and Untraceable Payments
This story provides a stark example of the danger posed by bitcoin and other cyber-currency. Bitcoin helps to make crime profitable because it is untraceable. Prior stories have highlighted bitcoin's appeal for drug dealers and others who trade in contraband. Bogachev and his cronies do not have to obtain, market and ship product to obtain their bitcoin or untraceable credit card payments. Their only overhead is the cost of developing their malware to infect computers and demand payment.
3. No Arrests Were Made
Only one individual was named in the indictment (Evgeniy Bogachev) and he has not been arrested. Bogachev apparently remains at liberty in Russia, and the DOJ is publicly appealing to the Russians to finally arrest him. "We are asking Russian law enforcement to take action to bring this defendant and those working with him to justice, and will work with our counterparts to do so." Given the state of foreign relations among Ukraine (where the schemes were implemented) and Russia (where Bogachev currently lives), I would not hold my breath awaiting his extradition.