Jun 15

A Busy Week for Ne’er-Do-Well News

We often hear about the impact of cybercrime, but too seldom do we read about the successes that law enforcement officials have in apprehending those responsible and bringing them to justice. Last week was an especially busy time for cybercrime justice, with authorities across the globe bringing arrests, prosecutions and in some cases stiff sentences in connection with a broad range of cybercrimes, including ATM and bank account cashouts, malware distribution and “swatting” attacks.

Ercan Findikoglu, posing with piles of cash.

Prosecutors in New York had a big week. Appearing in the U.S. court system for the first time last week was Ercan “Segate” Findikoglu, a 33-year-old Turkish man who investigators say was the mastermind behind a series of Oceans 11-type ATM heists between 2011 and 2013 that netted thieves more than $55 million.

According to prosecutors, Findikoglu organized the so-called “ATM cashouts” by hacking into networks of several credit and debit card payment processors. With each processor, the intruders were able to simultaneously lift the daily withdrawal limits on numerous prepaid accounts and dramatically increase the account balances on those cards to allow ATM withdrawals far in excess of the legitimate card balances.

The cards were then cloned and sent to dozens of co-conspirators around the globe, who used the cards at ATMs to withdraw millions in cash in the span of just a few hours. Investigators say these attacks are known in the cybercrime underground as “unlimited operations” because the manipulation of withdrawal limits lets the crooks steal literally unlimited amounts of cash until the operation is shut down.

Two of the attacks attributed to Findikoglu and his alleged associates were first reported on this blog, including a February 2011 attack against Fidelity National Information Services (FIS), and a $5 million heist in late 2012 involving a card network in India. The most brazen and lucrative heist, a nearly $40 million cashout against the Bank of Muscat in Oman, was covered in a May 2013 New York Times piece, which concludes with a vignette about the violent murder of an alleged accomplice in the scheme.

Also in New York, a Manhattan federal judge sentenced the co-creator of the “Blackshades” Trojan to nearly five years in prison after pleading guilty to helping hundreds of people use and spread the malware. Twenty-five year old Swedish national Alexander Yucel was ordered to forfeit $200,000 and relinquish all of the computer equipment he used in commission of his crimes.

As detailed in this May 2014 piece, Blackshades Users Had It Coming, the malware was sophisticated but marketed mainly on English-language cybercrime forums to young men who probably would have a hard time hacking their way out of a paper bag, let alone into someone’s computer. Initially sold via PayPal for just $40, Blackshades offered users a way to remotely spy on victims, and even included tools and tutorials to help users infect victim PCs. Many of Yucel’s customers also have been rounded up by law enforcement here in the U.S. and abroad.

Matthew Tollis

In a small victory for people fed up with so-called “swatting” — the act of calling in a fake hostage or bomb threat to emergency services with the intention of prompting a heavily-armed police response to a specific address — 22-year-old Connecticut resident Matthew Tollis pleaded guilty last week to multiple swatting incidents. (In an unrelated incident in 2013, this reporter was the victim of swatting, which resulted in our home being surrounded by a dozen or so police and Yours Truly being handcuffed in front of the whole neighborhood).

Tollis admitted belonging to a group that called itself “TeAM CrucifiX or Die,” a loose-knit cadre of young Microsoft XBox and swatting enthusiasts which later renamed itself the “ISIS Gang.” Interestingly, these past few weeks have seen the prosecution of another alleged ISIS Gang member — a 17-year-old Finnish miscreant who goes by the nicknames “Ryan” and “Zeekill.” Ryan, whose real name is Julius Kivimaki, was one of several individuals who claimed to be involved in the Lizard Squad attacks that brought down the XBox and Sony Playstation networks in December 2014.

Kivimaki is being prosecuted in Finland for multiple alleged offenses, including payment fraud, money laundering and telecommunications harassment. Under Finnish law, Kivimaki cannot be extradited, but prosecutors there are seeking at least two to three years of jail time for the young man, who will turn 18 in August.

Julius "Ryan" Kivimaki.

Finally, investigators with Europol announced the arrest of five individuals in Ukraine who are suspected of developing, exploiting and distributing the ZeuS and SpyEye malware — well known banking Trojans that have been used to steal hundreds of millions of dollars from consumers and small businesses.

According to Europol, each cybercriminal in the group had their own specialty, but the group as a whole specialized in creating malware, infecting machines, harvesting bank credentials and laundering the money through so-called money mule networks.

“On the digital underground forums, they actively traded stolen credentials, compromised bank account information and malware, while selling their hacking ‘services’ and looking for new cooperation partners in other cybercriminal activities,” Europol said. “This was a very active criminal group that worked in countries across all continents, infecting tens of thousands of users’ computers with banking Trojans, and subsequently targeted many major banks

The Europol statement on the action is otherwise light on details, but says the group is suspected of using Zeus and SpyEye malware to steal at least EUR 2 million from banks and their customers.



  1. Glad the good guys are catching some, but look at the time it took and the costs involved. A little sunshine yes, but there is still darkness. Much more if barely 50% of merchant level breaches are reported. We need a better way.

    Jonathan @nc3mobi

  2. I believe that those prosecuted for “swatting” should be charged with attempted murder in the first degree.

    • Great idea, Edward. And have you any grasp of the chasm between (over)charging a defendant and the time and costs involved getting a case to trial, only to see a jury walk the defendant???

      Arrest and appropriate justice for these clowns is indeed welcome and necessary, but knee-jerk overreaction is unwelcome and wasteful of scarce assets. Ralph L. Seifer, Long Beach, California.

    • I believe conspiracy to murder might be a charge easier to get a conviction on.

    • They need to bring back swift public execution for a lot of crimes. I have a hard time believing 100 years ago they would accept paying hundreds of millions a year to let bored juvenile delinquents rape each other all day.

      • We are entering into a domain where tolerance is needed more than ever. The poorly made correlations of 100 years ago or longer are a sad reference to make in this instance. Reflect: our modern society has 2% of the violent and fatal outgoings of our ancient upbringings. Those 98% of killings and dismemberments were often made in the name of justice for this or that. People simply do not need to be strong-armed into submission; we live in a largely peaceful society. To maintain that, “peace and tolerance” are needed, which in turn bring about well-being and less need for criminal activity. Let the hackers hack, slap them on the wrist unless they choose a truly vile path.
        Creativity and opportunity to be free from tyrannic corporations wielding state powers lie in the hands of our tech talented. Take a parental approach, steer in the right direction.

  3. To control this “swatting” there should be genuinely discouraging penalties for both perpetrator and law enforcement agents who got conned. Plus healthy compensation for those attacked.

    We’re clearly looking at a system that doesn’t work well enough.

    • These people ruin lives and sometimes arrange for them to be taken by violence in the case of this swatting activity. Horrible cruelty. There are times when I wonder if some Anonymous-like group might someday organize themselves into some sort of star chamber. Or maybe they are doing it now. A new kind of superhero. I even wonder if some hacking outfits are doing just that now, creating a breach to make public and otherwise widely expose bad practices that hurt so many innocents. Such brilliant minds could so easily get their jollies and make out like bandits being the anti-hackers and anti-predators, why don’t some of them think of that?

    • A healthy dose of sunlight and hitting them where it hurts the most (the wallet, I mean), is probably the best way. Make swatters pay for the cost of time and material in deploying the SWAT teams, and compensation for the victim. And if you’re still living with mom & dad, they get the privilege of footing the bill. That’s the first strike. The next attempt, all the above + you do time.

  4. These guys have handlers Brian. To combat cyber crime, we need to prosecute those at the very top. Internet security groups need to begin identifying individuals and organizations who are aiding these guys.

    Unfortunately, this will expose and impact our family, friends and some of the institutions we rely on to police the internet.
    It’s a battle worth fighting, for the benefits outweigh the consequences of cyber criminal activities.

  5. Brian: Why must I submit a comment in order to subscribe to be notified of subsequent comments? What if I don’t have much to contribute but it is valuable to allow the spread and reading of comments as far as can be made to do? You need a “subscribe to comments” function and button. Thx

    • Simply providing a “+1” reply to an already-posted comment with which you agree and selecting the appropriate box entry for “reply notification” will easily accomplish what you seek without much effort or muddle to the online thread.

  6. Thanks for posting about Matthew Tollis.

  7. Thank you for posting about Matthew Tollis

  8. 1488 !!
    L0L -))

  9. I’m proud of our law enforcement officials in catching these thugs and bringing them to justice. One more for the good guys. Keep your information protected!

  10. I still cannot wrap my head around where all this stolen cash is going and what it’s being used for (not just those listed in this story, but in general).

    I mean, there are really only SO many cars, drugs, prostitutes a person can go through, even if very generous with those they call friends.

    Tens of millions of dollars – per scheme – what is it funding?

  11. Also sentenced this week was one Eric Saldarriaga, a private investigator, who received a 3 month sentence for hacking dozens of email accounts, most likely at the behest of The Church of Scientology. The NY Times has a write up here: http://www.nytimes.com/2015/06/27/business/dealbook/investigator-gets-3-months-in-prison-in-hacking-case.html?smid=tw-share&_r=2
    And one of the victims, Tony Ortega, who has a blog about Scientology writes about it here: http://tonyortega.org/2015/06/27/did-scientology-hire-the-man-sent-to-prison-for-hacking-us-not-his-job-to-find-out-judge-said/

  12. Now, I would like to see the evidence from their capture, and compare it against the records of the domestic spy corps, and watch those perps walk. Remember our domestic spy idiots may and necessarily have tracked, and withheld evidence from either side. Creating the chaos that is now. Without a law enabling the constitutional rights, you and I lost another one.

  13. Dear Brian,

    OT, but could you comment on Bank of America’s new online security. They’re doing away with the site key, and instead giving the user the option of getting one-time codes for each sign-on. Eliminating the site key seems like a step backwards. It does occur to me that while the site key helps protect consumers, perhaps it doesn’t directly help the bank.

    Actually, any comments about relative security at different banks would be useful.
    • Curious,

      The Site Key idea isn’t much of a roadblock to a minimally skilled attacker. On the real Bank of America page, you need to enter and submit your username before the Site Key is displayed. All a phishing site would have to do is pass the username you just gave them to the real Bank of America site and download your selected image from them, then present the image to you. All you might notice is the page loads a little slow.

      While it might stop the truly lazy or unskilled attacker, it isn’t much more than an illusion of security otherwise.
  14. Awesome news, in more ways than one.

    It needs to make headlines, so many a crook will see that if you force the Feds into action, they will eventually pay for their actions.

    It shows cooperation amongst many countries, and it gets the procedures and paperwork right. Eventually more large fish will be plucked from their perches.