September 30, 2010

Troy Owen never thought he’d see the day when the cyber thieves who robbed his company of $800,000 would ever be charged with any crime. Owen said investigators had warned him early on that the perpetrators were mostly overseas in places like Ukraine and Moldova, and that it might be tough to pursue those responsible.

But earlier today, authorities in New York announced they had charged more than 60 individuals — and arrested 20 — in connection with international cyber heists perpetrated against dozens of companies in the United States, including Owen’s.

In November 2009, cyber crooks used a sophisticated password stealing Trojan horse program called “ZeuS” to hack into computers at Owen’s firm — Plano, Texas-based Hillary Machinery. The program swiped the company’s online banking passwords, allowing the attackers to initiate more than $800,000 in bogus transfers out of the company’s online account to dozens of people in the United States who helped launder the money and send it to the attackers in Eastern Europe.

Fraudulent wire transfers from Hillary Machinery.

More than $14,100 of Hillary’s money was wired to Stanislav Rastorgeuv, a 22-year-old Russian national who entered the United States in June 2009 on a “J1” student visa. According to charging documents, Rastorgeuv was the poster child for money launderers looking to recruit new mules to help retrieve the proceeds of ZeuS Trojan virus attacks.

Authorities say almost all of those arrested or charged in this case are young Eastern Europe men and women who were either planning to travel to, or were already present in, the United States on J1 student visas. Once the students  were in the United States, the organizers  of the mule organization gave  the recruits fake foreign passports to open accounts at local banks.

Then, days or weeks after those accounts were opened, other actors in the group would transfer money from cybercrime victims into the mule accounts, typically in amounts close to $10,000. Once the transfers were complete, the mules would quickly withdraw the money, keep a portion for themselves (usually 8 to 10 percent) and transfer the remaining amount to other participants in the fraud scheme, usually individuals overseas.

Some mules were asked to open a large number of bank accounts to help launder stolen funds. Charging documents say Rastogeuv opened up multiple bank accounts under his own name and using fake passports for fictitious individuals, including the names “Petr Rubsashkin” and “Alexey Iankov.” In addition to the unauthorized transfer sent to him by Hillary Machinery, Rastogeuv allegedly helped to launder nearly $30,000 from other victim companies over the next two months.

U.S. authorities say the ringleader of the New York-based money mule gang was Artem “Artur” Tsygankov, a Russian citizen living in New York who allegedly recruited Rastogeuv and other mules, supplied them with fake identity documents, and managed their daily activities. In all, the New York gang cleared more than $3 million from victim corporations using hundreds of accounts opened under false identities.

Others are charged with hacking into and siphoning funds from online brokerage accounts. Jamal Beyrouti, 53, Lorenzo Babbo, 20, and 29-year-old Vincenzo Vitello worked with hackers who infiltrated trading accounts at E-Trade and TD Ameritrade, executing fraudulent sales of securities and transferring the proceeds to accounts the mules controlled. At the same time, the attackers blasted victims’ phones with a barrage of calls to prevent the brokerage firms from contacting them to confirm the legitimacy of the transactions. The scam allowed mules to transfer roughly $1.2 million from hacked brokerage accounts.

Today’s announcement is the culmination of a year-long investigation by the U.S. Attorney’s Office for the Southern District of New York, the FBI, the NYPD, the Department of State Diplomatic Security Service, the New York Office of Homeland Security Investigation, and the U.S. Secret Service.

The law enforcement sweep announced today also coincides with a related action in the United Kingdom, where police this week charged 11 men and women from Belarus, Estonia, Latvia, and Ukraine with facilitating money mule operations in the U.K. The e-Crimes Unit of the U.K. Metropolitan Police said gang members arrested there are believed to have stolen more than $30 million from banks and businesses worldwide, and roughly £6 million (US $9.5 million) from financial institutions in the United Kingdom during a three-month period.

“As today’s arrests show, the modern, high-tech bank heist does not require a gun, a mask, a note, or a getaway car. It requires only the Internet and ingenuity,” Manhattan U.S. Attorney Preet Bharara said in a written statement. “And it can be accomplished in the blink of an eye, with just a click of the mouse. But today’s coordinated operation demonstrates that these 21st Century bank robbers are not completely anonymous; they are not invulnerable. Working with our colleagues here and abroad, we will continue to attack this threat, and bring cyber criminals to justice.”

Stanislav Rastorguev, from fbi.gov

Hillary Machinery’s Owen said he’s pleased about the news, but he isn’t breaking out the bubbly just yet: While Stanislav Rastorgeuv is charged with conspiracy to commit bank fraud and the false use of a passport and faces 40 years in prison and more than $1 million in fines, he is among 17 individuals charged today that authorities say are still at large.

“This is still excellent news, even if they haven’t caught everyone involved,” Owen said. “I had already pretty much given up hope that they’d be able to find these guys. I’m just glad they’re finally starting to bring some of these people to justice.”

If Owen is jaded, it may have something to do with the legal nightmare he and his company had to endure after the theft. A month following the cyber heist, the firm’s bank – Plains Capital Bank – sued Hillary Machinery in a preemptive bid to convince a judge to declare that the bank’s online security was commercially reasonable and capable of protecting customers from the latest cyber threats.

Both parties later settled the dispute for an undisclosed amount. But there are many similar cases now working their way through U.S. courts, as more and more businesses and banks tussle over who is responsible for cyber heists that frequently net thieves hundreds of thousands of dollars.

More often than not, victimized businesses are left holding the bag. That’s because unlike consumers – who under U.S. law cannot be held liable for fraud against their accounts if they report the unauthorized activity promptly – businesses enjoy no such protections.

Owens said he’s not waiting around for the banks to get their acts together: His company now only conducts online banking from a dedicated computer that is only used to access the company’s bank accounts online.

“Even if they do manage to catch all of these crooks, I wonder how many people are waiting in line to take their place,” Owen mused. “I still think wholeheartedly that the best approach is to have good, preventative security in place.”

Update, Oct. 5, 12:40 a.m.: The FBI’s Wanted page now indicates Rastorguev has surrendered.


32 thoughts on “U.S. Charges 37 Alleged Money Mules

  1. Tom Seaview

    Great post, as usual, Brian: more detail & useful info than the “traditional media” provides.

  2. js

    The eTrojan threat “burst out” in 2007. That makes many of these guys the age of minors if they were in on the ground floor as in the circles inventing Gpcode.ai, Backdoor, Trojan-IM…. now its 2010 and the first major arrests.

    The SMB owners need to work with chambers of commerce on the wirefraud with the banking system. It’s in their self interest to establish local relationships, re build the trust between the two parties and move ahead.

    How hard is it for a business owner to go to their banker and say “I want to have positive pay,” and “prescribe limits & what approvals I would accept on wire transfers,” and if you don’t want to give it to my business as a reasonable cost of doing business together I take my payroll & deposits and walk to a sound banker.

    Purchase Order & Payroll fraud is the next targeted patsy yet to surface. Currently auditing is the only way to detect ghost wages & salaried employees and real money for phantom goods & services.

    If these guys could get in and hotwire $10k they can get in and approve account payables, generate payroll records — all undetected in a mid size company — for at least 6 months or tax time.

    1. Benjamin

      Relying on any security practice instituted by your bank will not protect you. Anything offered by your bank will only be an imperfect fail-safe should your account be compromised. Even with Positive Pay and ACH calendars, you can still be hit.

      Fraudsters will find a way unless you protect your end-user. Period.

  3. js

    The US Visa system has been under review since 9/11.

    It would be interesting to see which “organizations” sponsored all these J1’s. Would it point back to a cleptocracy?
    If so what will be the US & EU response?

    Also these mules were given forged passports to open accounts — for which governments?

    This show the passport system has been p0wnd and is useless — if guys like this use well forged passports like toilet paper.

    Shills for sponsers, forged passports — but all they did was steal money! Good thing they were not up to other kinds of no good nik.

    Will there be congressional hearings on this?

  4. JCitizen

    Great article Brian!!!! I am surprised the authorities got at far as they did! Very good news!! 🙂

    I was right there sympathetic with the victims, believing that the thieves wouldn’t come to justice this fast. And especially any of them that were the criminal element of the cases we have read before.

    I may take a while to get the king pins, but I have more confidence that ever this will be achieved!

    1. JCitizen

      That is “It may take a while”, not “I may take a while”. Please excuse my misspelling! 🙁

  5. george

    I’m thrilled to see in a space of only 2 days some of those no-good guys and gals being apprehended. Even if others will soon take their places, those arrests will be featured in mainstream media and will raise awareness for the risks involved in doing online banking from a non-dedicated computer and for future potential (unwitting) money mules. Of course, the mainstream media reports will be general and lack essential details but fortunately your blog, Brian, next to a few others, a key source of information for those who want to understand more about what’s going on.
    Thank you for mentioning the out-of-court settlement between Plains Capital and Hillary Machinery, I was wondering for a while what happened with that preemptive action and googled for news, but nothing come out. Following-up on stories’ epilogue is one aspect making your blog great.

  6. denrix

    It is obvious for me, that the mules’ surnames mentioned are fake.
    E.g, “Rastorgeuv” couldn’t be a Russian surname, while there is a popular one “Rastorguev”. Same applies to “Rubsashkin” and “Iankov”, which sound like intentionally misspelled Russian surnames.

    1. Gary

      I was about to say the same thing.

      One hopes that the prosecutors, confused by foreign names, haven’t misspelled them in the indictments, thus threatening the case.

      However, Iankov is a possible alternative spelling of Yankov, a valid Russian surname.

  7. Carl

    Brian has done an excellent job of covering what we cannot get from the MSM.

    I do think the poor victim from Texas looks very funny with this comment:

    “Owens said he’s not waiting around for the banks to get their acts together: His company now only conducts online banking from a dedicated computer that is only used to access the company’s bank accounts online.”

    He’s not waiting around for the banks to come to his business and take care of IT security for him? That is hilarious to me. People don’t like taking responsibility for protecting themselves from criminals.

  8. John

    Brian,

    I think your coverage of this type of crime is excellent. However I do have one dispute found in each of your articles. You keep calling this type of crime a bank robbery. The banks were not the one robbed. Their computers were not compromised. The business’s you list in each article were the ones robbed. Their computers were compromised, and their funds were stolen. Banks can not be held completely responsible for the actions or lack of action by the end user of their products. This is not to say that all of the blame belongs to the commercial customers. Banks do need to wake up and pay attention to this type of crime. The banks need to try and educate their customers on the danger of online banking. Education is the key to preventing this from happening to you. Most business owners teach their employees how to prevent a robbery in the store, why cant they do the same when it comes to their networks?

    1. Leo

      To perpetrate their theft, the criminals gained unauthorized access to the victim’s accounts. Most banks do not have the ability to detect unauthorized access due to a large reliance on usernames and passwords to validate the customer. Some banks can detect unauthorized behavior even when supplied with the customer’s correct username and password.

      In this light, Hillary Machinery’s bank’s security measures were probably not commercially reasonable and the theft amounts to a bank robbery.

    2. T.Anne

      Aren’t the comments terming it a bank robbery from Manhattan U.S. Attorney Preet Bharara?

      Plus, it sounded to me as if the funds were stolen from both banks and businesses (so some targets were banks directly). Although, perhaps I misunderstood that part. However, as Leo said, although they may have gone through the merchant it is entirely possible that the only reason they were successful was because the bank’s security measures were not strong enough – making the bank liable.

      1. Benjamin

        Well, therein lies the rub. What is reasonable security? The bank secures their network and encrypts the data all the way to the user’s PC, but the user doesn’t watch their end or protect their account. They get hacked, and it becomes the Bank’s fault?

        Pointing fingers doesn’t fix anything but the blame. The fact is, banks and customers need to come to an agreement on what is considered reasonable security in their case. It should eb a contract in writing which states what each party is liable for, and it should be consistent for all business customers of that FI. The problem is not that bank’s aren’t stepping up or that customers aren’t protecting themselves enough. Those are just symptoms of the problem. the real problem is that there’s not COMMUNICATION about what is expected of each party.

        1. Marty

          Hmmm… What is “reasonable security” with respect to a bank’s electronic banking systems?

          Is just the use network security and data encryption “reasonable security”? Most likely not. That is like saying that the lock on the bank vault is “reasonable security”. There are other ways to rob the bank than breaking into the vault, which is why a bank’s “reasonable security” includes many other layered security measures like hardened bank buildings, surviellance cameras, security guards with guns, money handling procedures, etc. Similarly, “reasonable security” associated with the bank’s electronic banking systems extends beyond just securing their network and encrypting their data. Bank customers should expect that “reasonable security” includes layered security measures like fraud detection where the focus is on a bank detecting and preventing anomalous transactions which result in bank robbery. After all, isn’t that the premise of a _bank_, that the bank takes custody of their customer’s money, using it for various purposes, all the while protecting it from being stolen (i.e. bank robbery)? Do we really need a contract for this?

          As Brian has stated previously:

          “No online banking authentication system works unless it starts with the premise that the customer’s machine is already compromised by malware that gives thieves complete control over the customer system.”

          There are a lot of ways for banks to provide the expected “reasonable security” given the above premise. The most basic and simplest, is to implement anomaly detection in their electronic banking systems. These types of bank robberies all have one thing in common – transaction anomalies. Wire transfers at off hours, where all previous transactions were during normal business hours. International wires, where all previous transactions were US only. Security configuration changes, with transactions to new accounts right after the change. Transfer of dollar amounts that aren’t typical of all previous transactions. One time transfers to new accounts, where all previous transactions were to existing accounts. The list of anomalies goes on and on.

          There is no reason that this basic fraud detection should not be part of a bank’s “reasonable security” which is expected by the bank’s customers. The banks (actually in most cases it is really the financial services companies the banks buy insourced or outsourced banking services from), today have the ability to detect all these types of anomalies and to hold the transaction until it is verified. They also have the ability to establish account restrictions (i.e. never allow international wire transfers, only allow transfers to certain types of accounts, inter-intra state restrictions, to create pre-established account white lists, etc.). There is quite a long list banks can choose from.

  9. Leo

    The FFIEC guidance on Internet banking is apparently a joke.

    http://www.fdic.gov/news/news/financial/2005/fil10305.html

    For five years this guidance has been around. Complaints about implementation of true two-factor authentication have revolved around the costs involved. Yet how much money has this single trojan allowed criminals to steal?

    “[S]ingle-factor authentication… [is] inadequate for high-risk transactions involving… the movement of funds to other parties.” When performing a transfer of funds something functionally beyond a username and password combination should be used. These crimes are a perfect example of why.

    If people weren’t scared enough about losing money to banks and small business weren’t already hurting financially news that they could be sued BY THE BANK for banking online should definitely rattle consumer confidence to hurt the industry.

    1. Benjamin

      “If people weren’t scared enough about losing money to banks and small business weren’t already hurting financially news that they could be sued BY THE BANK for banking online should definitely rattle consumer confidence to hurt the industry.”

      It’s funny to me that the end result is that it hurts the industry instead of simply hurting the online banking applications. When the entire industry is running into this problem the obvious solution for a business owner who doesn’t want to take the risk of banking online is to simply not bank online. You can still do ACH and wires, and can do all of the same functions as you can online, but no one will target you for online fraud.

      I’m not saying it’s elegant, I’m not saying it’s perfect, but it’s the only 100% solution in the world to protect you from online fraud.

      If you, as a business owner, are not willing to protect yourself from online fraud, you should not be using online banking.

    2. BankingSecurityGuy

      “When performing a transfer of funds something functionally beyond a username and password combination should be used. These crimes are a perfect example of why.”

      In many cases, the banks and customers in question *were* using two-factor authentication, not just usernames and passwords. The malware used by the criminals is able to defeat the types of two-factor authentication currently in use.

      The banking industry was reluctant to implement two-factor authentication; not primarily because of the cost to the bank, but because their customers hated it. But implement it they did. At the time, hackers couldn’t get around it. Now they can.

      The banking industry is now desperately looking for better types of authentication which can’t be circumvented so easily. Several such methods exist. Banks are eager to implement them to prevent fraud, but simultaneously are (once again) very reluctant to implement them because (once again) customers hate using them.

  10. John

    I would have to say Benjamin stated it best ” The problem is not that bank’s aren’t stepping up or that customers aren’t protecting themselves enough. Those are just symptoms of the problem. the real problem is that there’s not COMMUNICATION about what is expected of each party.” This statement goes with what I wrote earlier. Education is the key. Banks need to create a program for educating all their customers on the risks of online banking. They already have programs in place to teach you how great online banking can be. I would think it would not be very hard to take it full circle. As most people who visit this site probably already know end users do not understand the risks online because no one has taken the time explain it to them. Banks have to send out a copy of the privacy policy each year. I recommend that they send out how to be safer online once a year also.

  11. Bart

    Only one perp was captured. Why did the authorities name them? Is there no chance any would enter the U.S.?

  12. PC.Tech

    http://www.theregister.co.uk/2010/10/01/zeus_kingpin_arrest/
    1 October 2010 – “Ukrainian police on Thursday arrested five people suspected of orchestrating an international fraud ring that siphoned more than $70m out of bank accounts by infecting computers with the Zeus trojan. The action by Ukraine’s SBU was part of an unprecedented partnership among law enforcement agencies in the US, the UK, the Netherlands, and Ukraine, the FBI said in a press release* issued on Friday…”
    * http://www.fbi.gov/pressrel/pressrel10/tridentbreach100110.htm

    .

    1. brian krebs

      Thanks, PC Tech. I am working on a story about the “detentions” in Ukraine, but didn’t want to publish something that was just a rehash of the FBI press release. Look for a story with many more details in the next few days or so.

    1. brian krebs

      Hi Heron! No I hadn’t see that story, but there aren’t many details about what happened. It’s not clear from the piece how the machines were involved or how they may have been tampered with.

      1. Heron

        Brian, a statement on Aldi’s website claims the company has been advised not to reveal details about the card reader tampering while authorities investigate what happened. The breach is affecting people in eleven states now, including the Washington, D.C. metro area, according to the “Office of Inadequate Security” blog:
        http://www.databreaches.net/?p=14383

        Aldi is based in Germany, by the way, and the company also owns the Trader Joe’s chain.

        1. JCitizen

          This also points to the fact that many times, it is the vendor/brick-&-mortar store, that has been cracked for peoples personal ID.

          It has happened to me once; shame on me. Next time, I’ll know whose place of business was compromised!

  13. AlphaCentauri

    My first thought was why is the US allowing in so many Russians and Ukrainians while keeping out Canadians?

    But seriously, while I understand that student visas are easier to get than other types, it seems like someone with a visa that doesn’t permit them to work in the US who opens a bank account and then proceeds to wire money OUT of the US ought to attract some attention. (If not, there are a lot of parents who would like to find out how to get the money to flow in that direction from their students’ bank accounts, lol.)

    1. brian krebs

      Actually, I believe the J1 visas allow them to have a short-term job and travel for a bit, but the duration is only about 4 months total. It’s basically a work-travel program. for example, if you go to Rehoboth Beach, Del. in the summer, you will quickly notice that a large percentage of the kids working there are from Russia or Ukraine. Almost all of them are on temporary student/J1 visas and are here under the work-travel program.

  14. Ivan

    Like you collapsed USSR in 1991, we will collapse your country by cyber weapons. It’s like tax for american ppl stupidity, they should pay it to more smarter persons on another side of Earth.
    Cybercriminal is power! Bye-bye usa.

    1. Michael

      We did *not* “collapse” the USSR in 1991. Your economy was ready to come apart at the seams from years of mismanagement. Sure, we kept the pressure on but so did the USSR so I call this even but a purely supply-side-driven economy is doomed from the start. How many tractors do you want to build this year?

Comments are closed.