Authorities in the United Kingdom on Wednesday charged 11 individuals with running an international cybercrime syndicate that laundered millions of dollars stolen from consumers and businesses with the help of the ultra-sophisticated ZeuS banking Trojan.
The gang is believed to be responsible for stealing more than $30 million from banks worldwide between October 2009 and September 28, 2010, and roughly £6 million (US$9.5 million) from financial institutions in the United Kingdom over a three-month period.
According to sources close to the case, members of the group also were heavily involved in online banking thefts perpetrated against dozens of small businesses and organizations based in the United States. Eight gang members were charged with money laundering, and 10 were charged with conspiracy to defraud. Police arrested 20 people in a pre-dawn raid on Tuesday; nine were bailed on Wednesday. The Metropolitan Police’s Central e-Crime Unit said those individuals may face charges at a later date. Those charged were due to appear in Westminster Magistrates’ Court early this morning.
The individuals arrested in the U.K. are thought to be a subset of a global cybercrime operation. The Wall Street Journal now reports that the U.S. Attorney’s office in Manhattan is preparing to announce that 60 people have been charged in connection with a major ZeuS crime ring.
Sources say the ringleader of the U.K. gang, 32-year-old Ukrainian property developer Yevhen Kulibaba (pictured above right), shuttled some of the stolen funds from the U.K. to Ukraine and to Latvia, where he has been building a home with his wife. Information obtained by KrebsOnSecurity indicates that Kulibaba’s wife may be Karina Kostromina (pictured above left), a 33-year-old Latvian woman who was among those charged with money laundering and conspiracy in connection with this case. The U.K. Metropolitan Police declined to confirm or deny whether Kulibaba and Kostromina were married, although their public statement puts the two in the same neighborhood – Nevada Heights, Chingford, Essex.
Kulibaba’s right-hand man, 28-year-old Yuriy Konovalenko — also of Nevada Heights — is described by the e-Crime Unit as a self-employed Web designer from Ukraine. Sources say Konovalenko was chiefly responsible for managing a large number of “money mules,” people hired to withdraw, carry or transmit cash stolen by the gang. A review of Konovalenko’s social networking site identities suggests he is a blood relative of Kulibaba’s, but U.K. police declined to confirm or deny this information.
Also charged with conspiracy and stealing money from online bank accounts is Milka Valerij (pictured below), a 29-year-old Ukrainian whom U.K. police say was a building laborer.
The oldest alleged member of the group — 34-year-old Georgian Zurab Revazishvili — is facing violations of the U.K. Identity Cards Act of 2005, which makes it a crime to possess false identity documents. The Metropolitan Police statement on the crimes doesn’t specify what Revazishvili’s role was, but sources say he may have been responsible for creating false identity documents for the gang’s money mules.
ZeuS is a commercial crimeware kit sold for a few thousand dollars per copy in underground online forums. It is primarily designed to steal sensitive financial data stored on victim computers or transmitted through victim Web browsers. ZeuS’s most advanced features allow criminals to inject content into a bank’s Web page as it is displayed in the victim’s browser in real time, take screen shots from infected PCs, and quietly redirect victims from banking Web sites to counterfeit versions set up by the attackers. ZeuS is set up so that stolen data is sent to a “drop server” controlled by the attacker, and it allows miscreants to control the infected systems remotely. Check out this link for a more comprehensive discussion of the features built into ZeuS.
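The real-time page injection described above leaves a detectable trace: the form the victim sees contains fields the bank never served. The following is an added illustration, not code from the original post or from any bank, of how a defender can diff the served markup against the browser's rendered DOM to flag such fields; the two HTML samples are constructed, and it assumes the site has some way of capturing the rendered form (for example a page-integrity script posting it back).

```python
from html.parser import HTMLParser

# Constructed sample: the login form exactly as the bank's server sends it.
SERVED_HTML = """
<form action="/login" method="post">
  <input name="username" type="text">
  <input name="password" type="password">
  <input name="csrf" type="hidden" value="abc">
  <input type="submit" value="Sign in">
</form>
"""

# Constructed sample: the same form as it appears in an infected browser's DOM,
# with extra fields a ZeuS-style webinject added before the page was displayed.
RENDERED_HTML = """
<form action="/login" method="post">
  <input name="username" type="text">
  <input name="password" type="password">
  <input name="atm_pin" type="password">
  <input name="card_number" type="text">
  <input name="csrf" type="hidden" value="abc">
  <input type="submit" value="Sign in">
</form>
"""


class FormFieldCollector(HTMLParser):
    """Collects (form action, input name, input type) triples from markup."""

    def __init__(self):
        super().__init__()
        self.action = None
        self.fields = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases tag and attribute names
        if tag == "form":
            self.action = a.get("action")
        elif tag == "input" and a.get("name"):
            self.fields.add((self.action, a["name"], a.get("type", "text")))


def collect_fields(html):
    parser = FormFieldCollector()
    parser.feed(html)
    return parser.fields


def injected_fields(served_html, rendered_html):
    """Names of inputs present in the rendered DOM but absent from the served page."""
    extra = collect_fields(rendered_html) - collect_fields(served_html)
    return sorted(name for _, name, _ in extra)


if __name__ == "__main__":
    print(injected_fields(SERVED_HTML, RENDERED_HTML))  # ['atm_pin', 'card_number']
```

Any non-empty result is a strong signal that the session is being manipulated client-side and that credentials entered in it should be treated as compromised.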
Currently, there are at least 160 unique ZeuS control networks online worldwide, according to Zeus Tracker, a site that keeps tabs on the number and geographic distribution of unique ZeuS botnets.
Andy Fried, owner of Deteque, a computer security consultancy in Alexandria, Va., has been tracking ZeuS related activity and spam for many months. Fried said that while rounding up those who are buying and deploying ZeuS botnets is important, going after the money mule infrastructure is the best way to ensure that the stolen data can’t be used.
“These ZeuS operations are a pipeline, and the money mules are a very important part of that,” Fried said. “[Online banking] credentials have intrinsic value, but it’s not until you’re able to utilize that information — and that’s where the money mules come in — that those credentials have real value. That’s why choking off the money mule network will probably have the best short-term detrimental effect against ZeuS.”