November 8, 2010

Authorities in the United States and Moldova apprehended at least eight individuals alleged to have helped launder cash for an international cyber crime gang that stole more than $70 million from small to mid-sized organizations in recent months.

In Wisconsin, police arrested two young men who were wanted as part of a crackdown in late September on money mules who were in the United States on J1 student visas. The men, both 21 years old, are thought to have helped transfer money overseas that was stolen from U.S. organizations with the help of malicious software planted by attackers in Eastern Europe.

Codreanu and Adam

Dorin Codreanu and Lilian Adam, both originally from Moldova, are being transferred to New York, where they were charged on Sept. 30 in connection with the international money laundering scheme (hat tip to Sophos).

In related news, the government of Moldova’s Specialized Services Center for Combating Economic Crimes and Corruption (CCECC) announced late last month that it had detained six individuals suspected of helping the same international ZeuS gang launder money.

All six of those detained were bank employees, and one worked at the Bank of Moldova. According to Moldovan authorities, the suspects allegedly specialized in intercepting Western Union and MoneyGram payments that mules had sent to Eastern Europe after receiving bank transfers from organizations victimized by the ZeuS Trojan.

Altogether, Moldovan prosecutors are looking at 12 suspects, including a government official who is alleged to have provided the group with copies of ID cards needed to open bank accounts. That nation’s anti-corruption center said it has conducted over 30 searches at detainees’ houses, and seized at least $300,000, a gun, and two luxury cars.

Eleven of the 37 money mules charged in September in connection with these attacks are still at large. Photos of the suspects are available at this alert posted by the FBI.

32 thoughts on “Authorities Nab More ZeuS-Related Money Mules

  1. Yuri

    I think I am not alone in feeling like ‘ZEUS arrests are
    reported today’ isn’t much news anymore. 20,30,40 – I can extrapolate and say there will be 50, 60 ,100 arrests in the case. But the undermining thing about all these flashy reports by LE of more and more apprehensions is that author of the software as well as criminal masterminds of its distribution not only are at large but also are not known to the LE and keep on publishing release announcements/ownership changes as if nothing really happened. And you now what – for the hard-core criminals behind this and other such trojan networks indeed nothing changed. And they know for sure that in impoverished countries of 43 million people (Ukraine), 4,5 million (Moldova) , 141 million (Russia) and the list goes on, replacing 100/1000/10000 droppers/mules will be the smallest problem if at all.
    So,please Brian, put in bold font with Flash animation and announce it everywhere, the news of “Zeus author Ivan Ivanov [Joe Dow] was finally located and brought to justice” once you have them.

    1. BrianKrebs Post author

      I understand your sentiments, Yuri, and you are in large part correct. However, plenty of people who were victimized/terrorized by this type of fraud DO CARE and have been rooting for these individuals to be arrested. So in one sense, I owe it to my readership to inform them when this kind of thing happens, even if the authorities don’t catch the guys at the very top.

      1. Yuri

        Well, you are right on this one. Being a bit annoyed with big thieves escaping again and again the justice [philosophical aspect] I forgot for a moment about what victims would think if these arrests would not be made and reported back to them [damn down-to-earth bad aspect].

      1. KFritz

        Englisch, bitte schoen. Inglese, per favore. In other words, it’s a passive aggressive attack on the blog and readers to use a Slavic language and Cyrillic script to comment.

        1. AlphaCentauri

          If he wants to teach us a little Russian, I don’t mind. It would be nice if it were something more worth translating, though.

        2. Alex

          По-русски говорят в ООН. Это один из основных языков мира. Не говорить по-русски означает показывать всем свою безграмотность и ограниченность.

          1. JBV

            Translation for KFritz:

            Russian is spoken in the UN. This is one of the major languages of the world. Not to speak in Russian means show all ones ignorance and narrow-mindedness.

          2. Alex

            Спасибо, братишка. Когда британский и американский флоты будут наши, этот товарищ очень быстро изучит русский язык. И олбанский, в том числе.
            Хы, в каждой шутке есть доля шутки.
            С анархо-коммунистическим приветом, your Alex.

          3. AlphaCentauri

            “Когда британский и американский флоты будут наши, этот товарищ очень быстро изучит русский язык. ”

            Maybe, or maybe your sailors will learn
            English. Ironically, the fact that England was under foreign occupation for many years by the Romans and then the French — during which times only the illiterate provincials spoke the language that would become modern English — probably has a lot to do with why English has become so widely used on the internet. The grammar is simplified, making it easier to learn, yet the vocabulary is huge. And there is a culture of taking delight in adding even more new words to the language that makes it extremely flexible in a rapidly changing world.

            If the Russians hadn’t been so good at resisting foreign occupation all these years, maybe everyone would be using Russian on the internet now 😉

    2. KFritz

      As I’ve said before, it’s encouraging that Ukraine, Moldova, et al, are cooperating in the attack on the malware enterprise. It has the effect of bracketing Mother Russia, which won’t even begin to think about cooperation for quite a while.

        1. KFritz

          Unmenschlich Auslaender. Scungil barbari. If the Russian landscape wasn’t so green w/ vegetation, the envy of Russians towards ‘inferior’ peoples who ?somehow? prosper more would make it green.

  2. Moike

    I wonder how many have already ‘retired’ to places like Switzerland? First, this video references finding houses for ‘wealthy Russian industrialists’ who made money in banking.
    Then worries that those who don’t blink at an extra zero on property prices are driving up real estate prices:

  3. Martijn Grooten

    My reading of the CCECC story doesn’t say that all six are bank employees, just that 6 people have been arrested and that 6 out of 12 suspects are bank employees. Not that it matters; it’s really good to see that law enforcement agencies all over the world do care.

  4. KFritz

    I am curious about the structure of these gangs and their mules. The earlier stories emphasized American dupes, lured in by slick looking websites, driven by financial wants and needs, and just plain gullible. What % of stolen funds was moved through American shills and what % by these representatives of one of the languages spoken @ the UN?

    1. BrianKrebs Post author

      Most of these crime operations employed so-called “far end” mules, or individuals recruited in Eastern Europe to pick up the transfers, adding another layer of obfuscation to the scam.

      In some cases, the bad guys actually intercepted the transfers while they were in mid-send, and had them re-routed to other recipients. They can do this if they have access to the US mule’s drivers license number, and many of these mule recruitment gangs have mules upload scanned copies of their licenses as precondition of employment.

      1. Alex

        Брайан! У меня вот какой вопрос. Ну, то, что полиция даёт тебе информацию, это понятно, ты журналист. А вот идёт ли обратный процесс, даёшь ли ты инфу полиции, если находишь что-то интересное?

    2. george

      I was also wondering about the organizational structure of those gangs, though more about the level where malware coding is done. Most Dutch and German banks provide a link to a movie about Safe Internet Banking.
      for instance:
      The goal is of course to educate users, but they do it in the form of an interview with a repentant former malware coder. He claims being hired by mafia-type organizations, coding malware while having no idea about the damage done by his “software” on personal lives (I call this bulls..t) and having his and girlfrend life in danger (from his less than honorable “employers”) when he wanted to pull back. This is in contrast with what transpires from Brian interviews with malware coders (SpyEye, etc.) , they seem to be pretty much their own boss, marketing and promoting their “product” themselves or in a reduced circle of “friends” helping with communication in foreign languages.

  5. Club

    Alex то что журналюшки сливают инфу это факт.

    Krebs, cool story bro.

  6. kevin mcevoy

    Hi Brian
    Another letter seeking money mules down this way. This letter (see below) only wants Australians to apply. Looks like a move downunder on the premise that the criminality is not well known here which of course is correct
    Subject: Job opening ; (ID : 1297363450)…
    Date: Thu, 10 Feb 2011 10:45:44 -0800 (PST)
    From: Shaeleigh Gomez

    Greetings! At this time we have open position to offer.

    If you’re seeking for a part-time or full-time highly paying position, please go on further and receive full package on how to apply and get involved.

    Currently we offer great opportunity that will save you time and will provide you with solid income.

    Position is called “Fund Courier”. Your duty is to receive and forward funds.

    This is one of the most convenient opportunities you’ll find these days.

    What could be better to work right from the comfort of your house.

    You have to meet requirements before you can start:

    – Have a stable Internet connection
    – This vacancy is currently for Australia only
    – Must have a cellphone number to reach you at
    – Must have 2-3 hours a day Monday-Friday
    – Must be 18+ years old

    We will be more than happy to provide you with description and explanation of your position and how it works. For full info – please submit your request to: with subject “Vacancy info”, and one of our staff will respond back as soon as possible.

    Hope to hear from you soon, have a great evening!

    Tech Finance Team LLC.

Comments are closed.