We often hear about the impact of cybercrime, but too seldom do we read about the successes that law enforcement officials have in apprehending those responsible and bringing them to justice. Last week was an especially busy time for cybercrime justice, with authorities across the globe bringing arrests, prosecutions and some cases stiff sentences in connection with a broad range of cyber crimes, including ATM and bank account cashouts, malware distribution and “swatting” attacks.
Prosecutors in New York had a big week. Appearing in the U.S. court system for the first time last week was Ercan “Segate” Findikoglu, a 33-year-old Turkish man who investigators say was the mastermind behind a series of Oceans 11-type ATM heists between 2011 and 2013 that netted thieves more than $55 million.
According to prosecutors, Findikoglu organized the so-called “ATM cashouts” by hacking into networks of several credit and debit card payment processors. With each processor, the intruders were able to simultaneously lift the daily withdrawal limits on numerous prepaid accounts and dramatically increase the account balances on those cards to allow ATM withdrawals far in excess of the legitimate card balances.
The cards were then cloned and sent to dozens of co-conspirators around the globe, who used the cards at ATMs to withdraw millions in cash in the span of just a few hours. Investigators say these attacks are known in the cybercrime underground as “unlimited operations” because the manipulation of withdrawal limits lets the crooks steal literally unlimited amounts of cash until the operation is shut down.
Two of the attacks attributed to Findikoglu and his alleged associates were first reported on this blog, including a February 2011 attack against Fidelity National Information Services (FIS), and a $5 million heist in late 2012 involving a card network in India. The most brazen and lucrative heist, a nearly $40 million cashout against the Bank of Muscat in Oman, was covered in a May 2013 New York Times piece, which concludes with a vignette about the violent murder of alleged accomplice in the scheme.
Also in New York, a Manhattan federal judge sentenced the co-creator of the “Blackshades” Trojan to nearly five years in prison after pleading guilty to helping hundreds of people use and spread the malware. Twenty-five year old Swedish national Alexander Yucel was ordered to forfeit $200,000 and relinquish all of the computer equipment he used in commission of his crimes.
As detailed in this May 2014 piece, Blackshades Users Had It Coming, the malware was sophisticated but marketed mainly on English language cybecrime forums to young men who probably would have a hard time hacking their way out of a paper back, let alone into someone’s computer. Initially sold via PayPal for just $40, Blackshades offered users a way to remotely spy on victims, and even included tools and tutorials to help users infect victim PCs. Many of Yucel’s customers also have been rounded up by law enforcement here in the U.S. an abroad.
In a small victory for people fed up with so-called “swatting” — the act of calling in a fake hostage or bomb threat to emergency services with the intention of prompting a heavily-armed police response to a specific address — 22-year-old Connecticut resident Matthew Tollis pleaded guilty last week to multiple swatting incidents. (In an unrelated incident in 2013, this reporter was the victim of swatting, which resulted in our home being surrounded by a dozen or so police and Yours Truly being handcuffed in front of the whole neighborhood).
Tollis admitted belonging to a group that called itself “TeAM CrucifiX or Die,” a loose-knit cadre of young Microsoft XBox and swatting enthusiasts which later renamed itself the “ISIS Gang.” Interestingly, these past few weeks have seen the prosecution of another alleged ISIS Gang member — 17-year-old Finnish miscreant who goes by the nicknames “Ryan” and “Zeekill.” Ryan, whose real name is Julius Kivimaki, was one of several individuals who claimed to be involved in the Lizard Squad attacks that brought down the XBox and Sony Playstation networks in December 2014.
Kivimaki is being prosecuted in Finland for multiple alleged offenses, including payment fraud, money laundering and telecommunications harassment. Under Finnish law, Kivimaki cannot be extradited, but prosecutors there are seeking at least two to three years of jail time for the young man, who will turn 18 in August.
Finally, investigators with Europol announced the arrest of five individuals in Ukraine who are suspected of developing, exploiting and distributing the ZeuS and SpyEye malware — well known banking Trojans that have been used to steal hundreds of millions of dollars from consumers and small businesses.
According to Europol, each cybercriminal in the group had their specialty, but that the group as a whole specialized in creating malware, infecting machines, harvesting bank credentials and laundering the money through so-called money mule networks.
“On the digital underground forums, they actively traded stolen credentials, compromised bank account information and malware, while selling their hacking ‘services’ and looking for new cooperation partners in other cybercriminal activities,” Europol said. “This was a very active criminal group that worked in countries across all continents, infecting tens of thousands of users’ computers with banking Trojans, and subsequently targeted many major banks
The Europol statement on the action is otherwise light on details, but says the group is suspected of using Zeus and SpyEye malware to steal at least EUR 2 million from banks and their customers.