After the bad actors behind the Goznym banking malware raked in over $100 million stolen from the malware's victims, Europol finally managed to dismantle the criminal operation. In mid-May 2019 Europol published an official statement announcing the successful conclusion of the global operation against Goznym.
Much like the international police operation that tore it down, Goznym was a global entity, affecting over 40,000 victims in various European countries as well as in the US. As part of the Europol operation, searches were conducted in a number of Eastern European countries, including Bulgaria, Georgia, Ukraine, and Moldova.
Goznym was primarily spread through phishing emails carrying malicious attachments disguised as legitimate work documents. Once the victim opened the attachment, Goznym was downloaded from a remote server and infected the machine, ready to log and steal banking credentials and account information. The criminals behind Goznym used the compromised bank accounts to transfer and eventually launder money through a number of US and foreign beneficiary accounts they controlled.
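The infection chain described above starts with an attachment that claims to be a work document but is not. The following Python script is an added example (not code from the article or from any Goznym analysis) of the kind of mail-gateway triage a defender can run on attachments before they reach a user: it compares the claimed file extension with the file's magic bytes, flags double extensions such as "Scan.pdf.exe", and detects macro-enabled Office documents by looking for a vbaProject.bin part inside the OOXML zip container. All sample attachments are constructed in memory; the function names and rule labels are this example's own.

```python
import io
import zipfile

# Well-known magic-byte signatures; dict order matters (first match wins).
SIGNATURES = {
    b"MZ": "executable",                                  # Windows PE
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole-compound",  # legacy .doc/.xls
    b"PK\x03\x04": "zip",                                 # OOXML (.docx/.docm), archives
    b"%PDF": "pdf",
}

DOCUMENT_EXTENSIONS = {"doc", "docx", "docm", "xls", "xlsx", "xlsm", "pdf", "rtf"}
EXECUTABLE_EXTENSIONS = {"exe", "scr", "pif", "com", "js", "vbs", "jse", "wsf", "hta"}


def detect_format(data):
    """Return the container format implied by the leading bytes, or 'unknown'."""
    for magic, name in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return "unknown"


def has_vba_project(data):
    """OOXML files are zip containers; a vbaProject.bin part means VBA macros."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage_attachment(filename, data):
    """Return a list of rule labels that fired for one attachment (empty = nothing suspicious)."""
    findings = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    fmt = detect_format(data)

    # Rule 1: double extension, e.g. "invoice.pdf.exe" rendered as "invoice.pdf" by the mail client.
    if len(parts) > 2 and parts[-2] in DOCUMENT_EXTENSIONS and ext in EXECUTABLE_EXTENSIONS:
        findings.append("double-extension")
    # Rule 2: the name says document, the bytes say PE executable.
    if ext in DOCUMENT_EXTENSIONS and fmt == "executable":
        findings.append("executable-disguised-as-document")
    # Rule 3: claimed PDF whose content is not a PDF at all.
    if ext == "pdf" and fmt != "pdf":
        findings.append("extension-mismatch")
    # Rule 4: macro-enabled Office document (zip container with a VBA project).
    if fmt == "zip" and has_vba_project(data):
        findings.append("macro-enabled-document")
    # Rule 5: plain executable attachment types that a mail gateway should block outright.
    if ext in EXECUTABLE_EXTENSIONS:
        findings.append("executable-attachment")
    return findings


def build_sample_doc(with_macros):
    """Constructed minimal OOXML-style zip; with_macros adds a vbaProject.bin part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()


# Constructed sample attachments (not real malware samples).
SAMPLES = {
    "Invoice_2019.docx": b"MZ\x90\x00" + b"\x00" * 60,   # PE bytes behind a .docx name
    "Report.docm": build_sample_doc(with_macros=True),     # macro-enabled document
    "Agenda.docx": build_sample_doc(with_macros=False),    # benign document
    "Contract.pdf": b"%PDF-1.4\n%constructed\n",           # benign PDF
    "Scan.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,         # double extension
}


def run_samples():
    """Triage every constructed sample; returns {filename: findings}."""
    return {name: triage_attachment(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(f"{name:20s} {findings or 'clean'}")
```

In a real deployment the rules would sit behind the mail gateway's attachment hook and quarantine anything that fires; the magic-byte check is deliberately independent of the MIME type the sender declares, since that header is under the attacker's control.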
How Goznym Operated
Europol explained in depth how Goznym was circulated and how intricate the network of services and skill sets surrounding the criminal operation was. The ringleader of the operation, a Georgian national, used dark web forums to recruit a number of specialists with varying skill sets. These included cryptography specialists, who encrypted the malware to make it undetectable by antivirus software, as well as what Europol calls "drop masters", people who funneled the stolen money through various bank accounts. Another member of the criminal group was responsible for organizing and launching the spam phishing email campaigns used to distribute Goznym.
The organization running Goznym also employed the services of the Avalanche botnet. Avalanche is the name of a criminal group that specialized in phishing attacks, electronic banking fraud and ransomware. Before Avalanche was dismantled in 2016 by a multinational joint police operation, it provided bulletproof hosting services for the Goznym group. The person who played a central role in Avalanche will also face prosecution in Ukraine.