{
	"id": "c052ed01-6126-47e7-b14b-821959218793",
	"created_at": "2026-04-29T08:22:12.1362Z",
	"updated_at": "2026-04-29T10:42:31.360573Z",
	"deleted_at": null,
	"sha1_hash": "2e3a8ed821dd146a5650d6e234e2ec000e318cf0",
	"title": "Behind The Mystery Of Russia's 'Dyre' Hackers Who Stole Millions From American Business",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 153831,
	"plain_text": "Behind The Mystery Of Russia's 'Dyre' Hackers Who Stole\r\nMillions From American Business\r\nBy Thomas Brewster\r\nPublished: 2017-05-04 · Archived: 2026-04-29 07:39:20 UTC\r\nPaint maker and retailer Sherwin-Williams Company was a victim of one of Russia's most active cyber gangs in\r\n2014, according to a search warrant. (AP Photo/Pat Wellenbach)\r\nAround Halloween 2014, Ohio-based building materials and paint company Sherwin-Williams got an expensive\r\nscare - a cyberattack. Seven suspect wires worth around $6.45 million were sent from its French subsidiary's\r\ncorporate account at Morgan Chase to organizations across China, Latvia, Liechtenstein and the Netherlands\r\nbetween October 27 and 30. They were not legitimate transactions. And those organizations were being used as\r\npart of a huge illegal operation.\r\nThis is according to a just-unsealed search warrant unearthed by Forbes, which revealed the $30 billion-valued\r\nSherwin-Williams was hit by one of Russia's most successful criminal gangs, known as Dyre. A source with\r\nknowledge of the fraudulent transfers confirmed the facts outlined in the FBI warrant.\r\nIt seemed that the Dyre crew's rapid rise to prominence was curtailed in late 2015, when Russia's FSB made\r\nmultiple arrests of individuals suspected of being part of the group. Now sources say the hackers are likely active\r\nagain with Trickbot, new but remarkably similar malware. Those sources also tell Forbes they believe many of\r\nthose arrested for the multi-million criminal operation were released without being charged. 
And those allegations\r\nhttps://www.forbes.com/sites/thomasbrewster/2017/05/04/dyre-hackers-stealing-millions-from-american-coporates\r\nPage 1 of 5\n\nhave only intensified fears that the Russian government does little to stop hackers carrying out costly cyberattacks\r\nagainst foreign businesses.\r\nThe rise, demise and rebirth of Dyre\r\nFor Sherwin-Williams, which boasts annual revenues of circa $10 billion, the cyber heist was pocket change. But\r\nit was a significant coup for Dyre, also the name of its own brand of banking malware that replaced infected\r\nvictims' bank login pages with an imitation website to steal account passwords. According to the search warrant,\r\nunsealed in April by an Ohio court, Dyre swindled another major Ohio-based organization, Miba Bearings US,\r\nrobbing the engine parts manufacturer of $4.8 million, its money transferred to bank accounts in China and Hong\r\nKong. Sherwin-Williams declined to comment. Miba acknowledged Forbes' emails but hadn't provided comment\r\nat the time of publication. Neither had previously disclosed the breaches.\r\nA phishing email containing the Dyre malware, designed to steal bank logins.\r\nPhishMe\r\nMiba and Sherwin-Williams are just two of many victims. At its height, Dyre was the most active financial\r\nmalware on the web, stealing tens of millions from firms across America, the U.K. and Australia. Another major\r\nvictim was the budget airline RyanAir, which was reportedly robbed of $5.5 million. By the time Sherwin-Williams was hacked, not long after Dyre first appeared in mid-2014, 45,000 U.S.-based PCs were infected with\r\nthe group’s malware (also known as Dyreza), out of a worldwide total of 133,000, according to the warrant.\r\nThe scope of the operation was extraordinary in both its aggressive expansion and its profitability. To dupe\r\ncompanies, the Dyre attackers used some particularly aggressive tactics. 
Where the target didn't enter their\r\nbanking passwords into the fake web page, the hackers would call them directly over Skype, pretending to be the\r\nbank and encouraging them to hand over login information. On at least one occasion, according to the search\r\nwarrant, a Dyre agent pretended to be a law enforcement officer.\r\nA configuration file for Dyre showed the criminals created as many as 1,100 phishing websites, imitating login\r\npages for all major Western banks, from Goldman Sachs to Wells Fargo to the Royal Bank of Scotland. They also\r\nwent after customers of major platforms like Salesforce, which holds financial information such as payrolls.\r\nDyre topped the list for most active bank malware in 2015, but has been out of action since 18 November that\r\nyear.\r\nIBM\r\nThe Dyre crooks ran a huge network of “money mules” -- individuals and businesses that funnel funds stolen from\r\nvictims through various bank accounts in a bid to prevent law enforcement from following the money back to the\r\ngang leaders. Dyre’s mules were situated in China, Hong Kong, The Netherlands and Latvia to name a few,\r\naccording to the warrant. But they weren’t just employed to move money through financial institutions. They also\r\nlaundered pilfered funds by purchasing Apple products, games consoles and military equipment to be resold\r\nwithin Russia for an amount higher than their commercial retail price, according to Brett Stone-Gross, e-crime\r\nanalyst at CrowdStrike. They included MacBooks, iPads, PS4s, Xbox consoles, Roomba robot vacuums, guitars,\r\nrifle scopes and laser sights.\r\nThe whole operation came crumbling down in November 2015 when a Moscow-based film company, 25th Floor,\r\nwas raided and arrests made. But there’s little information on just what role, if any, 25th Floor employees played\r\nin the Dyre conspiracy. 
Adding intrigue to the Dyre tale was the fact that 25th Floor was producing a film called\r\nBotnet, a thriller loosely based on a 2010 case involving a $3 million cybercrime. According to a source with\r\nknowledge of the FSB investigation, as many as 50 arrests were made during that raid, but most were released.\r\nForbes could not independently verify that claim. 25th Floor CEO Nikolay Volchkov, who didn’t appear to be\r\namongst those apprehended at the time, did not respond to requests for comment.\r\nGlobal law enforcement agencies have continued to dismantle the campaign’s mule infrastructure, as the FBI\r\nwarrant, dated September 2016, attests. In November, U.K. police arrested 14 individuals involved in a money\r\nmule group that laundered $14.2 million for Dyre and another notable cybercriminal operation called Dridex.\r\nThe ghost of Dyre lives\r\nMuch mystery remains about Dyre’s leaders. No names were ever released and no public charges revealed by\r\nRussian police. Sources with knowledge of the hackers’ activities say they believe some or all of the original gang\r\nmembers are still perpetrating cybercrimes. And not long after Dyre died, TrickBot was born. Its code contains\r\nnotable similarities to Dyre’s eponymous malware and does much the same, imitating bank logins. Thus far it's\r\nbeen targeting major financial bodies in Australia and the U.K., including ANZ, HSBC and Lloyds Bank,\r\naccording to configuration files for the malware.\r\nIt's yet to target U.S. organizations on the same scale as Dyre did, but IBM executive security advisor Limor\r\nKessem believes it's a matter of time before TrickBot goes big. 
This month, the malware went from carrying out\r\none to three major attacks per month to as many as five, according to IBM data released in April.\r\nThough there's no clear evidence linking the Dyre overlords with those behind TrickBot, the technical clues\r\nindicate they're the same, according to security experts and an FBI official, who asked to remain anonymous as he\r\nwas not authorized to talk publicly on the subject. \"I do suspect that TrickBot was not created by a new team, and\r\nthat at least parts of the old Dyre team is involved in its development and operation,\" added Kessem.\r\nEvgeniy Bogachev is one of the FBI's Most Wanted and found his way onto American sanctions of Russian\r\nindividuals and entities following the U.S. election hacks of 2016. Dyre is linked to his alleged cybercrime\r\noperation, The Business Club, which has been tied to espionage activity.\r\nDepartment of Justice\r\nDyre has also been linked to one of the world's biggest cybercrime gangs: the Business Club, a sprawling\r\noperation headed up by FBI Most Wanted, Evgeniy Bogachev. An indictment from May 2014 claimed he’d stolen\r\nas much as $100 million through cyberattacks with the Gameover Zeus banking malware and the Cryptolocker\r\nransomware.\r\n“We assess that [Dyre] is some or all of the same people including Bogachev,” said SecureWorks analyst Alex\r\nTilley. He pointed to technical links, including the use of a downloader tool called Upatre, used by both Dyre and\r\nGameover Zeus, while noting some intriguing timing: “The timing is crucial from a technical point of view: the\r\nGameOver Zeus takedown was in June 2014 and after a few attempts at regaining control of the malware it goes\r\nquiet. 
Then two weeks later Dyre appears and it’s going after the same target sector as GameOver Zeus and is\r\nusing the same types of web injects… the facts don’t point at any other group being setup to attack the same\r\ntargets, using the same methods and evolutions of the same malware/tooling at that time.”\r\nGoing further down the rabbit hole, the Business Club has been linked to Kremlin-backed spy operations too. In\r\n2015, Forbes revealed Bogachev was also tied by security firms SecureWorks and CrowdStrike to Russian\r\ncyberespionage on foreign targets, including some in the U.S. The Russian government has previously denied any\r\ninvolvement in recruiting criminals to carry out cyberespionage.\r\nKremlin-backed cybercrime?\r\nIf, as sources say, some of the key Dyre operators are continuing to profit from cybercrime, even after the initial\r\narrests, Western experts fear Russian agencies are backing hackers who target the U.S. and other nations, without\r\nstealing from the homeland. Bogachev is living freely in a city on the Red Sea, despite the accusations levelled at\r\nhim, and is yet to stand trial anywhere. And alleged Yahoo hacker Alexsey Belan, who was accused by the U.S. of\r\nattacking other U.S.-based companies including Amazon and Evernote, was said by American prosecutors to have\r\nbeen encouraged by FSB agents. Neither Bogachev nor Belan could be contacted for comment.\r\nIt's this kind of alleged collusion that political and cyber experts have long suspected, but without any official\r\nclaims until the Yahoo breach indictments hit in February, two months after both Belan and Bogachev appeared on\r\nthe White House’s sanctions on Russian entities in response to the cyberattacks on the 2016 election.\r\nNeither of the two men could be reached for comment. 
The Kremlin, for its part, has denied any involvement in\r\neither the Yahoo or the election attacks.\r\nBut James Lewis, an intelligence and security specialist at the Center for Strategic and International Studies, said\r\nany digital thief residing in Russia has to follow some simple rules if they want to live a life of crime and\r\nremain free. \"You can't operate in Russia unless you do what the government asks. There are three rules for\r\nRussian cybercriminals. Number one, don't hack in Russia - I'm now told it's don't hack Cyrillic language targets.\r\nNumber two, share the wealth with the local FSB. Number three, if they ask you to do a favor, do it - e.g. act as a\r\nproxy force for the Russian state.\r\n\"Follow these and you'll never go to jail.\"\r\nSource: https://www.forbes.com/sites/thomasbrewster/2017/05/04/dyre-hackers-stealing-millions-from-american-coporates",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.forbes.com/sites/thomasbrewster/2017/05/04/dyre-hackers-stealing-millions-from-american-coporates"
	],
	"report_names": [
		"dyre-hackers-stealing-millions-from-american-coporates"
	],
	"threat_actors": [
		{
			"id": "91ff2504-6c1a-4eaa-832b-2c5e297426c5",
			"created_at": "2022-10-25T16:47:55.740817Z",
			"updated_at": "2026-04-29T10:39:54.702955Z",
			"deleted_at": null,
			"main_name": "GOLD EVERGREEN",
			"aliases": [
				"The Business Club"
			],
			"source_name": "Secureworks:GOLD EVERGREEN",
			"tools": [
				"CryptoLocker",
				"JabberZeus",
				"Pony",
				"Zeus"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1777450932,
	"ts_updated_at": 1777459351,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2e3a8ed821dd146a5650d6e234e2ec000e318cf0.pdf",
		"text": "https://archive.orkl.eu/2e3a8ed821dd146a5650d6e234e2ec000e318cf0.txt",
		"img": "https://archive.orkl.eu/2e3a8ed821dd146a5650d6e234e2ec000e318cf0.jpg"
	}
}