Tuesday, May 21, 2019

Russian Cyberthieves Hit Gulfport Casino

The Justice Department issued the following press release last week:

A complex transnational organized cybercrime network that used GozNym malware in an attempt to steal an estimated $100 million from unsuspecting victims in the United States and around the world has been dismantled as part of an international law enforcement operation. GozNym infected tens of thousands of victim computers worldwide, primarily in the United States and Europe. The operation was highlighted by the unprecedented initiation of criminal prosecutions against members of the network in four different countries as a result of cooperation between the United States, Georgia, Ukraine, Moldova, Germany, Bulgaria, Europol and Eurojust.

United States Attorney Scott W. Brady of the Western District of Pennsylvania made the announcement at Europol, located in The Hague, Netherlands, along with his international partners.

The operation was conducted by the United States Attorney’s Office for the Western District of Pennsylvania and the FBI’s Pittsburgh Field Office, along with the Office of the Prosecutor General of Georgia, Prosecutor General’s Office of Ukraine, Office of the Prosecutor General of the Republic of Moldova, Public Prosecutor’s Office Verden (Germany), the Supreme Prosecutor’s Office of Cassation of the Republic of Bulgaria, Ministry of Internal Affairs of Georgia, National Police of Ukraine, General Police Inspectorate of the Republic of Moldova, the Luneburg Police of Germany and the Republic of Bulgaria’s General Directorate for Combatting Organized Crime with the significant assistance of Europol and Eurojust.

“International law enforcement has recognized that the only way to truly disrupt and defeat transnational, anonymized networks is to do so in partnership,” said U.S. Attorney Brady. “The collaborative and simultaneous prosecution of the members of the GozNym criminal conspiracy in four countries represents a paradigm shift in how we investigate and prosecute cybercrime. Cybercrime victimizes people all over the world. This prosecution represents an international cooperative effort to bring cybercriminals to justice.”

Earlier today, the U.S. Attorney’s Office for the Western District of Pennsylvania unsealed an Indictment returned by a federal grand jury in Pittsburgh charging 10 members of the GozNym criminal network with conspiracy to commit computer fraud, conspiracy to commit wire fraud and bank fraud, and conspiracy to commit money laundering. An eleventh member of the conspiracy was previously charged in a related Indictment. The victims of these crimes were primarily U.S. businesses and their financial institutions, including a number of victims located in the Western District of Pennsylvania.

“This takedown highlights the importance of collaborating with our international law enforcement partners against this evolution of organized cybercrime,” said FBI Pittsburgh Special Agent in Charge Robert Jones. “Successful investigation and prosecution is only possible by sharing intelligence, credit and responsibility. Our adversaries know that we are weakest along the seams and this case is a fantastic example of what we can accomplish collectively.”

According to the Indictment, the defendants conspired to:

infect victims’ computers with GozNym malware designed to capture victims’ online banking login credentials;
use the captured login credentials to fraudulently gain unauthorized access to victims’ online bank accounts; and,
steal money from victims’ bank accounts and launder those funds using U.S. and foreign beneficiary bank accounts controlled by the defendants.

The defendants reside in Russia, Georgia, Ukraine, Moldova and Bulgaria. The operation was an unprecedented international effort to share evidence and initiate criminal prosecutions against members of the same criminal network in multiple countries.

At the request of the United States, Krasimir Nikolov, aka “pablopicasso,” “salvadordali,” and “karlo,” of Varna, Bulgaria, was searched and arrested by Bulgarian authorities and extradited to the United States in December 2016 to face prosecution in the Western District of Pennsylvania. Nikolov’s primary role in the conspiracy was that of a “casher” or “account takeover specialist” who used victims’ stolen online banking credentials captured by GozNym malware to access victims’ online bank accounts and attempt to steal victims’ money through electronic funds transfers into bank accounts controlled by fellow conspirators. Nikolov is named as a GozNym conspirator in the newly unsealed indictment, although he is charged in a related Indictment filed in the Western District of Pennsylvania. Nikolov entered a guilty plea in federal court in Pittsburgh on charges relating to his participation in the GozNym conspiracy on April 10, 2019. He is scheduled to be sentenced on Aug. 30, 2019.

Five of the named defendants reside in Russia and remain fugitives from justice. However, to overcome the inability to extradite the remaining defendants to the United States for prosecution, an unprecedented effort was undertaken to share evidence and build prosecutions against defendants in the remaining countries where they reside, including Georgia, Ukraine and Moldova. The prosecutions are based on shared evidence acquired through coordinated searches for evidence in Georgia, Ukraine, Moldova and Bulgaria, as well as from evidence shared by the United States and Germany from their respective investigations.

The GozNym network exemplified the concept of “cybercrime as a service.” According to the Indictment, the defendants advertised their specialized technical skills and services on underground, Russian-language, online criminal forums. The GozNym network was formed when these individuals were recruited from the online forums and came together to use their specialized technical skills and services in furtherance of the conspiracy. (KF: What? No Julia Roberts or Angie Dickinson? Dorks)

According to the Indictment, Alexander Konovolov, aka “NoNe,” and “none_1,” age 35, of Tbilisi, Georgia, was the primary organizer and leader of the GozNym network who controlled more than 41,000 victim computers infected with GozNym malware. Konovolov assembled the team of cybercriminals charged in the Indictment, in part by recruiting them through the underground online criminal forums. Marat Kazandjian, aka “phant0m,” age 31, of Kazakhstan and Tbilisi, Georgia, was allegedly Konovolov’s primary assistant and technical administrator. Konovolov and Kazandjian are being prosecuted in Georgia for their respective roles in the GozNym criminal network.

Gennady Kapkanov, aka “Hennadiy Kapkanov,” “flux,” “ffhost,” “firestarter,” and “User 41,” age 36, of Poltava, Ukraine, was an administrator of a bulletproof hosting service known by law enforcement and computer security researchers as the “Avalanche” network. This network provided services to more than 200 cybercriminals, including Konovolov and Kazandjian, and it hosted more than 20 different malware campaigns, including GozNym. Kapkanov’s apartment in Poltava, Ukraine was searched in November 2016 during a German-led operation to dismantle the network’s servers and other infrastructure. Kapkanov was arrested for shooting an assault rifle through the door of his apartment at Ukrainian law enforcement officers conducting the search. Through the coordinated efforts being announced today, Kapkanov is now facing prosecution in Ukraine for his role in providing bulletproof hosting services to the GozNym criminal network.

Alexander Van Hoof, aka “al666,” age 45, of Nikolaev, Ukraine, was a “cash-out” or “drop master” who provided fellow members of the conspiracy with access to bank accounts he controlled that were designated to receive stolen funds from GozNym victims’ online bank accounts.

Eduard Malanici, aka “JekaProf,” and “procryptgroup,” age 32, of Balti, Moldova, provided crypting services to cybercriminals. Malanici crypted GozNym malware in furtherance of the conspiracy to enable the malware to avoid detection by anti-virus tools and protective software on victims’ computers. Malanici, along with two associates, is being prosecuted in Moldova.

Victims of the GozNym malware attacks include:

An asphalt and paving business located in New Castle, Pennsylvania;
A law firm located in Washington, DC;
A church located in Southlake, Texas;
An association dedicated to providing recreation programs and other services to persons with disabilities located in Downers Grove, Illinois;
A distributor of neurosurgical and medical equipment headquartered in Freiburg, Germany, with a U.S. subsidiary in Cape Coral, Florida;
A furniture business located in Chula Vista, California;
A provider of electrical safety devices located in Cumberland, Rhode Island;
A contracting business located in Warren, Michigan;
A casino located in Gulfport, Mississippi;
A stud farm located in Midway, Kentucky; and
A law office located in Wellesley, Massachusetts.

Five Russian nationals charged in the Indictment who remain fugitives from justice include:

Vladimir Gorin, aka “Voland,” “mrv,” and “riddler,” of Orenburg, Russia. Gorin was a malware developer who oversaw the creation, development, management, and leasing of GozNym malware, including to Alexander Konovolov.

Konstantin Volchkov, aka “elvi,” age 28, of Moscow, Russia, provided spamming services to cybercriminals. Volchkov conducted spamming operations of GozNym malware on behalf of the conspiracy. The spamming operations involved the mass distribution of GozNym malware through “phishing” emails. The phishing emails were designed to appear legitimate to entice the victim recipients into opening the emails and clicking on a malicious link or attachment, which facilitated the downloading of GozNym onto the victims’ computers.

Ruslan Katirkin, aka “stratos,” and “xen,” age 31, of Kazan, Russia, resided in Khmelnytskyi, Ukraine, during the time frame of the charged conspiracy. Katirkin, like Krasimir Nikolov, was a “casher” or “account takeover specialist” who used victims’ stolen online banking credentials captured by GozNym malware to access victims’ online bank accounts and attempt to steal victims’ money through electronic funds transfers into bank accounts controlled by fellow conspirators.

Viktor Vladimirovich Eremenko, aka “nfcorpi,” age 30, of Stavropol, Russia, and Farkhad Rauf Ogly Manokhin, aka “frusa,” of Volgograd, Russia, were “cash-outs” or “drop masters” on behalf of the GozNym criminal network. Like Alexander Van Hoof, Eremenko and Manokhin provided fellow members of the conspiracy with access to bank accounts they controlled that were designated to receive stolen funds from GozNym victims’ online bank accounts. Manokhin was arrested at the request of the United States while visiting Sri Lanka in February 2017. Following his arrest, Manokhin was released on bail but was required to remain in Sri Lanka pending the outcome of his extradition proceedings to the United States. In December 2017, Manokhin unlawfully absconded from Sri Lanka and successfully fled back to Russia prior to the conclusion of the extradition proceedings.

Other agencies and organizations partnering in this effort include the United States Secret Service, the National Cyber-Forensics and Training Alliance (NCFTA) in Pittsburgh and the Shadowserver Foundation. The Justice Department’s Office of International Affairs provided significant assistance throughout the investigation and spearheaded the efforts to enable the United States to request searches, arrests, and extraditions in the foreign countries as well as the sharing of evidence with those countries through Mutual Legal Assistance Treaty requests.

The case is being prosecuted by Assistant U.S. Attorney Charles A. “Tod” Eberle, Chief of National Security and Cybercrime for the Western District of Pennsylvania.

Kingfish note: There is only one casino in Gulfport: Island View.


Anonymous said...

(R)ussia the fringe tiki torch right wing friend..

Anonymous said...

Sorry KF, this one won't get many comments. Around this place, Georgia is a state that partially borders Florida.

Anonymous said...

@9:28, last I checked Georgia IS in fact a state that borders AL, SC, TN, NC AND FL! Not sure why you decided to post such an asinine comment but trolls will be trolls I guess.

Hermit King said...

10:16, that WHOOSH sound is 9:28's comment flying over your head like a C-130.

You called them asinine but you became the joke.

The Georgia in the story is the former Soviet state. Ukraine recently had a "Russian majority" region become occupied by Putin's forces. Well, a few years ago the same thing happened in Georgia.

Both nations have regions that are currently occupied by Putin's military. Most likely the hackers in Ukraine/Georgia are operating out of the occupied regions.

I know it ain't the Saints or college football, so most Mississippians are completely clueless about what happens beyond the SEC.

Anonymous said...

Is this the same Malware the casino uses on the slot machines to steal all the players money?

Anonymous said...

I think 9:28 was referring to the "Georgia" mentioned in the article. Maybe 10:16 can give us a geography lesson on that one as well.

Anonymous said...


Georgia is also a country. It is the "Georgia" to which is referred in the article. "Georgia, a country at the intersection of Europe and Asia, is a former Soviet republic that’s home to Caucasus Mountain villages and Black Sea beaches. It’s famous for Vardzia, a sprawling cave monastery dating to the 12th century, and the ancient wine-growing region Kakheti. The capital, Tbilisi, is known for the diverse architecture and mazelike, cobblestone streets of its old town."

Anonymous said...

All those AK-47 names make this extremely difficult to read.

Jim Cantore said...

I thought we were the land mass between Louisiana and Alabama.....

Anonymous said...

Is that why the slot machines do not pay out very much???

Anonymous said...

Is King the only news outlet covering this story?

Anonymous said...

Why are there 2 Georgias named the same thing?

Ophelia said...

Who gives a damn about what happens to casinos? They can all go rot in the ocean depths for all any intelligent person cares. The Russian cyberthieves are welcome to them.
