Resume Reading — The $100 Million Bot Heist

Close
 

The $100 Million Bot Heist

The story of the world’s most-wanted cybercriminal.

When it comes to using computers to steal money, few can come close to matching the success of Russian hacker Evgeniy Bogachev. The…By Josephine Wolff

When it comes to using computers to steal money, few can come close to matching the success of Russian hacker Evgeniy Bogachev. The $3 million bounty the FBI has offered for Bogachev’s capture is larger than any that has ever been offered for a cybercriminal—but that sum represents only a tiny fraction of the money he has stolen through his botnet GameOver ZeuS.1 At its height in 2012 and 2013, GameOver ZeuS, or GOZ, comprised between 500,000 and 1 million compromised computers all over the world that Bogachev could control remotely. For years, Bogachev used these machines to spread malware that allowed him to steal banking credentials and perpetrate online extortion.2 No one knows exactly how much money Bogachev stole from his thousands of victims using GOZ, but the FBI conservatively estimates that it was well over $100 million.2 Meanwhile, Bogachev has spent lavishly on a fleet of luxury cars, two French villas, and a large yacht.1

Bogachev lives in the resort town of Anapa on the Black Sea, where Russian officials have declined for years to arrest him or extradite him to the United States. In fact, the Russian government has benefited from his criminal activity. While Bogachev has leveraged his vast network of compromised computers and credentials for financial gain, officials of the Russian government have also on occasion made use of his network and computer intrusions for espionage purposes of their own.1 But, while the FBI cannot arrest Bogachev so long as he remains safely in Russia, in the summer of 2014 they partnered with several companies and researchers to try to shut down GOZ and cut Bogachev off from the hundreds of thousands of compromised computers under his control. The GOZ takedown effort was an unprecedented law enforcement effort to fight cybercrime in terms of its scope, technical sophistication, and complexity. It included participants from Germany, the United Kingdom, the Netherlands, and New Zealand, as well as the U.S., and hinted at the potential for international cooperation and public-private partnerships to strengthen cybersecurity and attack criminal infrastructure.

It was called Operation Tovar.

Really very much wanted: In a Wanted poster, the FBI shows these four photographs of Evgeniy Bogachev, and lists some of the aliases he uses, including “lucky12345,” “slavik,” and “Pollingsoon.”FBI


Criminals who infect users’ computers and harness those machines to create botnets typically control those bots through a centralized command and control server that sends messages to the infected machines telling them what to do—for instance, when to send packets to a particular destination as part of a denial-of-service attack, or what emails to send. Since identifying all of the infected machines in a large bot and getting their owners to remove the bot’s malware is a slow and largely ineffective process, takedown efforts often center on shutting down these command and control servers, or cutting off their communication channels with the infected computers they are issuing orders to. The genius of the GOZ design lay primarily in its ability to hide and even change this command and control component of the bot, so that law enforcement struggled to identify a centralized control server, and the GOZ operators could quickly and easily shift to a new server in the event that their current one was discovered and cut off. To make it harder for anyone to figure out which servers were controlling the bot, GOZ-infected devices did not all communicate with a single centralized command and control server. Instead, the bot operated on a peer-to-peer architecture, so each new infected device maintained connections to other infected machines, some of which served as intermediate “proxy nodes,” relaying commands from GOZ operators and sending encrypted data back to their “master drop” servers.2 These proxy nodes made it considerably more difficult—though not impossible—to trace the bot back to a single controlling server, since the GOZ operators were not communicating directly with most of the infected machines they controlled.

Bogachev could redirect his victims’ paychecks to be directly deposited into accounts of his choosing.

The peer-to-peer architecture was not the only precaution Bogachev had taken in designing his bot. Just in case law enforcement officials were, eventually, able to trace the servers he was using to control GOZ, he also programmed the GOZ malware to automatically contact a series of 1,000 other Internet addresses every week and ask for instructions from any machines at those addresses, in case he ever needed to set up a new command and control server. The GOZ malware included a Domain Generation Algorithm, or DGA, that generated that list of 1,000 new domain names every week, each belonging to one of six top-level domains: .com, .net, .org, .biz, .info, or .ru. Every week, every machine infected with GOZ would go through that week’s list and try to contact each of the thousand domains. So if Bogachev’s servers were ever threatened and he needed to set up a new command and control server, he could use any one of those domains during the appropriate week to reestablish communication with all of the infected machines and regain control of the bot. This meant that any takedown efforts directed at his command and control servers—typically the most vulnerable element of a bot—would be largely useless, since Bogachev would have 1,000 opportunities to set up a new such server every week, and there was no way to predict which domains the DGA would come up with for any given week.

Just as Bogachev protected his command and control servers by hiding them behind layers of infected proxy machines, so, too, he shielded his bank accounts by routing stolen funds through other people. The GOZ malware was designed not just to harness the machines it infected to Bogachev’s bot, but also to steal banking and payroll credentials from those machines primarily by logging all of the users’ keystrokes, so that everything they typed (including passwords) would be captured and sent back to the bot’s operators. Using those stolen credentials, Bogachev could then initiate fraudulent wire transfers from his victims, or redirect their paychecks to be directly deposited into accounts of his choosing. Hospital payroll systems with their large numbers of employees and budgets were a common GOZ target; the FBI estimates that Bogachev stole hundreds of thousands of dollars in this manner from hospitals alone.2 GOZ could even access bank accounts protected with two-factor authentication that required users to enter not just a password but also another one-time code delivered by text message or physical token. Using a man-in-the-middle attack to intercept messages between the victim and their banking site, GOZ would present its victims with a fake login window that looked identical to their bank’s real login webpages. People trying to log in with two-factor authentication would receive their second authentication code over their phones or by token and then enter it directly into the fake login field. The GOZ malware would capture that authentication code and immediately send it back to the servers controlled by the GOZ operators using the instant messaging service Jabber, and the GOZ operators could then combine it with stolen passwords to access the targeted accounts protected by two-factor authentication.3

The Box That Built the Modern World

It was 11:30 am on a sunny Tuesday in mid-April, and the Hong Kong Express had been docked at Hamburg’s Container Terminal Altenwerder for exactly 33 hours. Already, the ship was half empty. Cargo from Asia was stacked in neat...READ MORE

Sending direct deposit payments or fraudulent transfers straight to his own accounts would have been risky for Bogachev. Even if law enforcement officers in the U.S. were unable to arrest him, they would likely have been able to trace his accounts, block, or at least flag, transfers to them, and restrict any money being paid to them from the U.S. So instead, Bogachev mirrored the proxy structure of his bot by building a small army of money mules whose accounts he could route money through before the stolen funds ultimately reached his organization. The mules were recruited via spam email campaigns sent out by the GOZ bot itself—“If you are taking a career break, are on a maternity leave, recently retired or simply looking for some part-time job, this position is for you,” the emails said. These mules—based in the U.S. so that their accounts and transactions would not attract suspicion—received wire transfers and salary payments directly from the victims, kept a sum as their payment (“Starting salary is $2,000 per month plus commission, paid every month”), and sent the rest along to another account, presumably belonging to the GOZ operators.2

This network of money mules ensconced safely in their own homes, sitting at their computers, was already significantly less risky than people walking around with large sums of cash and quantities of payment cards. But this set-up did not satisfy Bogachev for long. For one thing, it required collecting specific financial information and credentials from victims, and, for another, it relied on a vast network of potentially vulnerable or disloyal money mules. So Bogachev’s organization tested a ransom scheme, designing another piece of malware called Cryptolocker, which it spread to hundreds of thousands of computers using the GOZ bot infrastructure.

Cryptolocker, which first appeared in mid 2013, was also designed to steal money but in a different manner than the GOZ credential-theft malware. Instead of capturing financial account credentials, Cryptolocker would encrypt the hard drives of computers it infected and then demand that the victims make ransom payments if they ever wanted to be able to access their files again. The Cryptolocker ransomware demanded payments of hundreds of dollars, sometimes as high as $750, and gave its victims a window of 72 hours to pay, using either anonymous prepaid cash vouchers or the difficult-to-trace cryptocurrency Bitcoin, before the victims would receive a decryption key for their devices. (Many victims struggled to figure out how to make Bitcoin payments, so Bogachev and his conspirators helpfully set up a customer service website with step-by-step instructions.) Unlike redirecting a payroll account—which requires providing potentially traceable information about the new destination account payments should be sent to—the nature of these ransom payments meant they could not be easily tied to specific financial accounts that U.S. law enforcement could control or monitor, alleviating the need for money mules and the risk of Bogachev having his accounts identified and frozen. As with all elements of GOZ-directed financial crime, there is no conclusive evidence of how much money Cryptolocker managed to extort from its victims, but one analysis of Bitcoin logs indicated that during just one two-month period in 2013, from October 15 to December 18, the ransomware program raked in roughly $27 million.2


Operation Tovar began when U.K. law enforcement authorities provided the FBI with information about a suspicious server in the U.K. The server hosted a password-protected website called visitcoastweekend.com with a Frequently Asked Questions page that read (in Russian):

Starting on September we are beginning to work through the panel where you now find yourselves. [Fraudulent] Money transfers and drop [money mule] managers are synchronizing their work through our panel, which enables a much greater optimization of the work process and increase in the productivity of our work. Starting from this moment, all drop [money mule] managers with whom we are working and all [fraudulent] money transferors who work with us are working through this panel. We wish you all successful and productive work.2

The site also included a detailed list of hundreds of financial transactions with dates, company names, amounts, and the type of transfer. The FBI undertook the painstaking work of verifying that these transfers were indeed tied to the GOZ virus. Agents interviewed representatives from a composite materials company in the Western District of Pennsylvania to confirm that a $198,234.03 wire transfer on Oct. 21, 2011, from a SunTrust Bank account, the details of which were listed in the visitcoastweekend.com ledger, was, in fact, the result of credentials stolen from a GOZ-infected machine. “For all listed companies with respect to which the FBI manually reviewed information in the ledger and compared it to information from either field interviews or bank fraud reporting, the information was an exact match,” FBI special agent Elliott Peterson wrote in a court declaration.2

A penny for your files: The Cryptolocker ransomware message.Christiaan Colen

Meanwhile, the FBI found and interviewed several of the money mules recruited by the GOZ operators. Heidi Nelson described how, after losing her job in 2009 and posting her resume online, she was contacted by someone claiming to work for a Russian company who subsequently hired Nelson to receive payments and wire them to Russia. Renee Michelli told the FBI a similar story about being hired by a supposed Russian software company “1C” to receive payments within the U.S. and then transfer them to Russian accounts.3

The evidence provided by the money mules and the visitcoastweekend.com server helped the FBI begin to map out the extensive technical and human infrastructure responsible for spreading GOZ and Cryptolocker, but offered few hints as to who was in charge of the operation. To trace the ringleaders, the FBI turned to analysis done by security firm iDefense about the ability of GOZ to evade two-factor authentication using the Jabber messaging protocol. iDefense found that many of the credentials stolen by GOZ were transmitted via Jabber to the domain incomeet.com, which was hosted at the IP address 66.199.248.195. That particular IP address was associated with a server operated by a company called EZZI.NET, headquartered in Brooklyn, New York. The FBI interviewed an EZZI.NET employee who told them that the server in question had been leased to a customer named “Alexey S.” who said he was associated with a company called IP-Server Ltd, located in Moscow. The FBI obtained search warrants for the contents of the incomeet.com server in Brooklyn and found extensive chat logs in which different users (under pseudonyms such as “tank” and “aqua”) exchanged links to news articles about their successful thefts from banks. “This is what they damn wrote about me” tank messaged lucky12345 in July 2009, referencing a Washington Post article about money stolen from the Bullitt County Fiscal Court in Shepherdsville, Kentucky.3 Discussing the same article, aqua wrote to tank: “they described the entire scheme. The Bastards ... I’m really pissed. They exposed the entire deal.”

If Bogachev had been more careful about not using his real name when registering for accounts, he might not now be the FBI’s most wanted cybercriminal.

The FBI had found the people responsible for GOZ, but the only thing they knew about them was their pseudonyms. Agents began combing through the online forums where criminals discuss and disseminate malware programs. A search warrant related to another investigation allowed them to seize and search the contents of one such forum, Mazafaka.info, where they found someone sending messages under the username “Lastik,” who took credit for writing the GOZ malware. “I’m monster, and not his reincarnation ... I’m the author of Zeus,” Lastik wrote in a private message to another user sent through Mazafaka.info on June 5, 2010. In messages to several users on Mazafaka.info, Lastik indicated that he could be contacted at the addresses lucky12345@jabber.cz and bashorg@talking.cc, suggesting that he was also the lucky12345 whose chat transcripts had been found on the incomeet.com server. Furthermore, when registering for his Mazafaka account, Lastik/lucky12345 had provided the email address alexgarbar-chuck@yahoo.com as his contact address. With a search warrant, officers were able to retrieve all of the records related to that email address from a service provider. The service provider gave the FBI all of the information that customer had used to set up his account, including a home address in Krasnodar Krai, Russia, and his name: Evgeniy Bogachev.3

Cross-referencing the IP addresses used to access Bogachev’s email account with those used to access visitcoastweekend.com and a Cryptolocker command-and-control server (traced from the U.S. to the U.K. to Luxembourg), the investigators found that there was significant overlap and deduced that Bogachev was involved in both schemes. Moreover, he had high-level administrative access to the GOZ server, leading the FBI to believe he was a “leader of the GOZ conspiracy.”

The identification of Bogachev was no small feat, as highlighted by the fact that the FBI was able to identify several of his co-conspirators only by their online aliases (“Temp Special,” “Ded,” “Chingiz 911,” and “mr. kyky-pyky”). If Bogachev had been more careful about not using his real name when registering for accounts, or masking his IP address when he accessed the GOZ and Cryptolocker servers, he might not now be the FBI’s most wanted cybercriminal—though it’s also possible he felt confident that the Russian authorities wouldn’t turn him over and therefore didn’t go out of his way to hide his identity.


The work of tracking down Bogachev and the servers running GOZ and Cryptolocker was largely low-tech: interviewing money mules and victims, cross-referencing lengthy data logs, combing through websites and Russian hacker forums. By contrast, the actual takedown efforts to remove the hundreds of thousands of infected machines from Bogachev’s control involved extensive technical expertise—much of which is redacted from the public records of the incident—to cut off the communications between all of GOZ’s complicated layers of peer and proxy nodes while also seizing the servers issuing them commands, including machines in Canada, Ukraine, and Kazakhstan.

Law enforcement also had to make sure that Bogachev and his associates would be unable to reestablish control over the infected machines through a new server using the domain names generated each week by the DGA. The FBI worked with a number of security researchers to reverse engineer the DGA and figure out how it generated the list of domain names it provided to the infected computers every week. That way, the FBI would know which thousand domains were being selected every week in advance. Then, right before the takedown, they acquired a temporary restraining order that required domain registries in the U.S. to redirect any attempts to contact those thousand domains to a substitute, government-run server. Since the domains generated by the DGA with the .ru top-level domain were not controlled by registries in the U.S., but rather by companies in Russia, the order also required U.S. service providers to block any connection requests to the .ru domains generated by the DGA.

It would only be a matter of time before he would find ways to tweak it, infect more machines, and get back to business.

The culmination of all these efforts—the DGA reverse-engineering and preemptive restrictions on the domains it generated, the seizure of Cryptolocker command and control servers all over the world, the court orders authorizing redirection of the connection attempts by any GOZ-infected machines—came in June 2014 and the coordinated takedown delivered a significant blow to the bot’s operations. Operation Tovar was touted by the FBI as a massive and multilayered strike against every element of the infrastructure underlying GOZ and Cryptolocker, a triumph of international cybercrime fighting and public sector/private industry collaboration, a victory of law enforcement sleuthing and technical ingenuity over the increasingly sophisticated online criminal world. In a statement posted by the FBI on their website on June 2, 2014, FBI Executive Assistant Director Robert Anderson called GOZ “the most sophisticated botnet the FBI and our allies have ever attempted to disrupt,” and U.S. Deputy Attorney General James Cole praised the operation’s combination of “traditional law enforcement techniques and cutting edge technical measures necessary to combat highly sophisticated cyber schemes targeting our citizens and businesses.”4 One month later, on July 11, 2014, the Justice Department reported that the number of computers infected with GOZ malware had been reduced by 31 percent thanks to law enforcement intervention.5

To some extent, all of the FBI’s claims were true—Operation Tovar was a triumph of defense over offense, it was an example of U.S. law enforcement partnering effectively with industry and international officials, and it was a very technically sophisticated endeavor. But it also relied largely on the carelessness of GOZ operators and their money mules rather than technical vulnerabilities inherent to the operation Bogachev had established. So even though the FBI had dealt a significant—if temporary—setback to GOZ, Bogachev’s criminal model was still solid, and it would only be a matter of time before he, as well as numerous other copycats, would find ways to tweak it, infect more machines, and get back to business.

In 2014, just as Operation Tovar was being completed, a new strain of ransomware, dubbed CryptoWall, appeared and went on to claim roughly $18 million in ransoms, according to FBI estimates. (By comparison, Cryptolocker, over the course of its operation, was believed to have netted at least $3 million.) In the fall of 2014, a pair of Cryptolocker copycats, dubbed Cryptolocker 2.0 and Cryptolocker.F, were detected on computers in Australia and soon spread to the rest of the world.

In May 2017, a massive ransomware attack dubbed WannaCry shut down some 200,000 computer systems in hospitals, banks, governments, and companies worldwide, from Russia’s Interior Ministry to the United Kingdom’s National Health Service to police departments in India. The locked computers displayed messages demanding ransom payments, but by some estimates the attackers made no more than around $50,000 from those demands since many of the affected organizations chose to look for technical fixes rather than pay for each individual infected device.6 However, the damage the attack caused, both to the affected organizations as well as to their customers, patients, and citizens, was still substantial.

Months later, evidence emerged that WannaCry had originated from North Korea, and the U.S. itself publicly accused the North Korean government of launching the attack.7 This attribution to a national government rather than a criminal operation cast uncertainty on whether WannaCry had ever been intended primarily as a means for financial profit. North Korea’s involvement suggested the attack might instead have been meant more as an attempt to wreak havoc on the country’s many enemies with any financial gains serving merely as an added bonus. Ransomware appeared to have transcended its roots as a tool for financially motivated crime and developed into a more general attack model that cost its victims no less even as it brought in smaller sums for its perpetrators.


Josephine Wolff is an assistant professor in the public policy and computer security departments at Rochester Institute of Technology. She is also a faculty associate at Harvard’s Berkman Klein Center for Internet & Society and a fellow at the New America Cybersecurity Initiative, and has written for Slate, The Atlantic, Scientific American, and other publications.

Adapted excerpt from You’ll See This Message When It Is Too Late: The Legal and Economic Aftermath of Cybersecurity Breaches by Josephine Wolff; © 2018 Massachusetts Institute of Technology.


References

1. Schwirtz, M. & Goldstein, J. Russian Espionage Piggybacks on a Cybercriminal’s Hacking. The New York Times (2017).

2. Peterson, E. “Declaration in Support of Application for an Emergency Temporary Restraining Order and Order to Show Cause Re Preliminary Injunction.” (United States District Court for the Western District of Pennsylvania, May 27, 2014).

3. Craig, J.K. U.S. v. Evgeniy Bogachev, No. 2:14-cr-00127-UNA (District Court for the Western District of Pennsylvania May 30, 2014).

4. “GameOver Zeus Botnet Disrupted. Collaborative Effort Among International Partners,” FBI statement, June 2, 2014.

5. “Department of Justice Provides Update on GameOver Zeus and Cryptolocker Disruption,” FBI statement, July 11, 2014.

6. Kharpal, A. WannaCry Ransomware Hackers Have Only Made $50,000 Worth of Bitcoin. CNBC (2017).

7. Bossert, T.P. It’s Official: North Korea Is Behind WannaCry. Wall Street Journal (2017).

Join the Discussion