An international crime gang which used malware to steal $100m (£77m) from more than 40,000 victims has been dismantled.
A complex police operation conducted investigations in the US, Bulgaria, Germany, Georgia, Moldova and Ukraine.
The gang infected computers with GozNym malware, which captured online banking details to access bank accounts.
The gang was put together from criminals who advertised their skills on online forums.
The details of the operation were revealed at the headquarters of the European police agency Europol in The Hague.
It said that the investigation was unprecedented, especially in terms of cross-border co-operation.
Ten members of the network have been charged in Pittsburgh, US on a range of offences, including stealing money and laundering those funds using US and foreign bank accounts.
Five Russian nationals remain on the run, including one who developed the GozNym malware and oversaw its development and management, including leasing it to other cyber-criminals.
Various other gang members now face prosecution in other countries, including:
- The leader of the network, along with his technical assistant, faces charges in Georgia
- Another member, whose role was to take over different bank accounts, has been extradited to the US from Bulgaria to face trial
- A gang member who encrypted GozNym malware to make sure it was not detected on networks faces prosecution in Moldova
- Two more face charges in Germany for money-laundering
Among the victims were small businesses, law firms, international corporations and non-profit organisations.
One of the things that the operation has highlighted is how common the selling of nefarious cyber-skills has become, says Prof Alan Woodward, a computer scientist from University of Surrey.
“The developers of this malware advertised their ‘product’ so that other criminals could use their service to conduct banking fraud.
“What is known as ‘crime as a service’ has been a growing feature in recent years, allowing organised crime gangs to switch from their traditional haunts of drugs to much more lucrative cyber-crime.”
What is GozNym?
It is a hybrid of two other pieces of malware, Nymaim and Gozi.
The first of these is what is known as a “dropper”, software that is designed to sneak other malware on to a device and install it. Up until 2015, Nymaim was used primarily to get ransomware on to devices.
Gozi has been around since 2007. Over the years it has resurfaced with new techniques, all aimed at stealing financial information. It was used in concerted attacks on US banks.
Combining the two created what one expert called a “double-headed monster”.