A Bulgarian man has appeared in federal court in Pittsburgh charged with bank fraud and hacking in connection with Avalanche — the huge cybercrime service network taken down in a multinational police operation earlier this month.
Krasimir Nikolov is charged in a six-count indictment stemming from his use of GozNym malware to compromise computers at four U.S. businesses. He used his access to the computers to steal online banking login credentials and attempt to funnel more than $1 million in fraudulent transfers to money mules in the U.S., according to the indictment.
As the indictment charges, GozNym malware has been used since late 2015 to target U.S. businesses by compromising first their email accounts, then their computer systems and finally their bank accounts.
“Victims receive phishing emails containing a hyperlink or an attachment designed to look like a legitimate business invoice,” according to a statement from Acting U.S. Attorney Soo C. Song. “By clicking on the hyperlink or attachment, the victim’s computer becomes infected with GozNym malware. The malware steals the victim’s online banking login credentials which the criminals then use to access the victim’s bank account and issue unauthorized wire transfers.”
The arrest and successful extradition of Nikolov is the latest in a string of victories for cybercrime specialists in federal law enforcement.
According to the indictment, attempted unauthorized transfers totaling nearly $1.5 million were made from the four victim companies — two in western Pennsylvania and two in California.
GozNym is one of more than 20 kinds of malware that had a command and control system hosted by Avalanche — a “bullet-proof” hosting and management system for cybercrime software that was at the center of a massive multinational cybercrime operation. Officials said the losses attributable to Avalanche world wide were hard to estimate, but probably amounted to hundreds of millions of dollars.
On Dec. 1, police and prosecutors from more than 30 countries culminated a four-year-long investigation by swooping in on the Avalanche network searching dozens of premises across Europe, arresting five people and seizing nearly 40 computer servers.
The Nikolov prosecution stemmed from the Avalanche investigation, but he wasn’t one of the five arrested Dec. 1.
Song said Nikolov was arrested at his residence in Varna, Bulgaria, on Sept. 8. He was extradited to the U.S. over the weekend, and appeared in court Monday. If convicted on all charges, he faces a maximum total sentence of up to 100 years in prison and a fine of $3.5 million.