{
	"id": "284ca42e-c315-460b-bb82-24d80ce5009c",
	"created_at": "2026-04-06T00:09:29.589715Z",
	"updated_at": "2026-04-10T03:35:59.540147Z",
	"deleted_at": null,
	"sha1_hash": "6dc1f4e46c900375ff1dcd48dd315ce303a778ef",
	"title": "GOZNYM MALWARE: CYBERCRIMINAL NETWORK DISMANTLED IN INTERNATIONAL OPERATION",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 43974,
	"plain_text": "GOZNYM MALWARE: CYBERCRIMINAL NETWORK\r\nDISMANTLED IN INTERNATIONAL OPERATION\r\nBy Europol\r\nPublished: 2019-05-16 · Archived: 2026-04-05 14:06:08 UTC\r\nAn unprecedented, international law enforcement operation has dismantled a complex, globally operating and\r\norganised cybercrime network. The criminal network used GozNym malware in an attempt to steal an estimated\r\n$100 million from more than 41 000 victims, primarily businesses and their financial institutions.\r\nA criminal Indictment returned by a federal grand jury in Pittsburgh, USA charges ten members of the GozNym\r\ncriminal network with conspiracy to commit the following:\r\ninfecting victims’ computers with GozNym malware designed to capture victims’ online banking login\r\ncredentials;\r\nusing the captured login credentials to fraudulently gain unauthorised access to victims’ online bank\r\naccounts;\r\nstealing money from victims’ bank accounts and laundering those funds using U.S. and foreign beneficiary\r\nbank accounts controlled by the defendants.    \r\nOver the course of the international operation, searches were conducted in Bulgaria, Georgia, Moldova and\r\nUkraine. Criminal prosecutions have been initiated in Georgia, Moldova, Ukraine and the United States.\r\nThis operational success is a result of the international law enforcement cooperation between participating EU\r\nMember States (Bulgaria and Germany) as well as Georgia, Moldova, Ukraine and the United States (in\r\nalphabetical order). Europol, the European Agency for Law Enforcement Cooperation as well as Eurojust, the\r\nEuropean Union's Judicial Cooperation Unit supported the case. This operation showcases how an international\r\neffort to share evidence and initiate criminal prosecutions can lead to successful operations in multiple countries.\r\nCybercrime as a service\r\nThe GozNym network exemplified the concept of “cybercrime as a service,” with different criminal services such\r\nas bulletproof hosters, money mules networks, crypters, spammers, coders, organizers, and technical support.\r\nThe defendants advertised their specialised technical skills and services on underground, Russian-speaking online\r\ncriminal forums.  The GozNym network was formed when these individuals were recruited from the online\r\nforums by the GozNym leader who controlled more than 41 000 victim computers infected with GozNym\r\nmalware. The leader of the GozNym criminal network, along with his technical assistant, are being prosecuted in\r\nGeorgia by the Prosecutor’s Office of Georgia and the Ministry of Internal Affairs of Georgia.\r\nSee the infographic\r\nhttps://www.europol.europa.eu/newsroom/news/goznym-malware-cybercriminal-network-dismantled-in-international-operation\r\nPage 1 of 3\n\nHighly Specialised and International Criminal Network\r\nA member of the network who encrypted GozNym malware to enable it to avoid detection by anti-virus\r\ntools and protective software on victims’ computers is being prosecuted in Moldova by the Prosecutor\r\nGeneral of the Republic of Moldova and the General Police Inspectorate of the Republic of Moldova.\r\nAnother member from Bulgaria was already arrested by the Bulgarian authorities and extradited to the\r\nUnited States in December 2016 to face prosecution in Pittsburgh.  His primary role in the conspiracy was\r\nthat of a “casher” or “account takeover specialist” who used victims’ stolen online banking credentials\r\ncaptured by GozNym malware to access victims’ online bank accounts and attempt to steal victims’ money.\r\nSeveral members of the network provided money-laundering services and were known as “cash-outs” or\r\n“drop masters.”  These individuals, including two from Russia and one from Ukraine, provided fellow\r\nmembers of the conspiracy with access to bank accounts they controlled that were designated to receive\r\nstolen funds from GozNym victims’ online bank accounts.\r\nThe five Russian nationals charged in the Indictment remain on the run.  In addition to the two “drop\r\nmasters” referenced above, these defendants include the developer of GozNym malware who oversaw its\r\ncreation, development, management and leasing to other cybercriminals. \r\nAnother Russian GozNym member conducted spamming operations on behalf of the conspiracy.  The\r\nspamming operations involved the mass distribution of GozNym malware through “phishing” emails.  The\r\nphishing emails were designed to appear legitimate to entice the victim recipients into opening them and\r\nclicking on a malicious link or attachment which facilitated the downloading of GozNym onto the victims’\r\ncomputers. \r\nAnother Russian-born member of the network was a “casher” or “account takeover specialist.”  Like the\r\nBulgarian defendant, he used victims’ stolen online banking credentials captured by GozNym malware to\r\naccess victims’ online bank accounts and attempt to steal victims’ money through electronic funds transfers\r\ninto bank accounts controlled by fellow conspirators.\r\n Avalanche Network\r\nBulletproof hosting services were provided to the GozNym criminal network by an administrator of the\r\n“Avalanche” network.  The Avalanche network provided services to more than 200 cybercriminals, and hosted\r\nmore than twenty different malware campaigns, including GozNym.  The administrator’s apartment in Poltava,\r\nUkraine, was searched in November 2016 during a German-led operation to dismantle the network’s servers and\r\nother infrastructure.  Through the coordinated efforts being announced today, this alleged cybercriminal is now\r\nfacing prosecution in Ukraine for his role in providing bulletproof hosting services to the GozNym criminal\r\nnetwork.  The prosecution will be conducted by the Prosecutor General’s Office of Ukraine and the National\r\nPolice of Ukraine.\r\nThe whole operation was conducted by the United States Attorney’s Office for the Western District of\r\nPennsylvania, the FBI’s Pittsburgh Field Office, the Public Prosecutor’s Office Verden (Germany), the\r\nProsecutor’s Office of Georgia, Prosecutor General’s Office of Ukraine, Office of the Prosecutor General of the\r\nRepublic of Moldova, Office of the General Prosecutor of Bulgaria, the Luneburg Police of Germany, Ministry of\r\nInternal Affairs of Georgia, National Police of Ukraine, General Police Inspectorate of the Republic of Moldova,\r\nand Bulgaria’s General Directorate for Combatting Organized Crime.  Europol and Eurojust played critical roles\r\nhttps://www.europol.europa.eu/newsroom/news/goznym-malware-cybercriminal-network-dismantled-in-international-operation\r\nPage 2 of 3\n\nin supporting this coordinated law enforcement operation. The U.S. Department of Justice’s Office of International\r\nAffairs also provided significant assistance.\r\nSource: https://www.europol.europa.eu/newsroom/news/goznym-malware-cybercriminal-network-dismantled-in-international-operation\r\nhttps://www.europol.europa.eu/newsroom/news/goznym-malware-cybercriminal-network-dismantled-in-international-operation\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.europol.europa.eu/newsroom/news/goznym-malware-cybercriminal-network-dismantled-in-international-operation"
	],
	"report_names": [
		"goznym-malware-cybercriminal-network-dismantled-in-international-operation"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b753c6a8-a83d-47bc-829d-45e56136eb7d",
			"created_at": "2023-01-06T13:46:38.97802Z",
			"updated_at": "2026-04-10T02:00:03.169611Z",
			"deleted_at": null,
			"main_name": "GozNym",
			"aliases": [],
			"source_name": "MISPGALAXY:GozNym",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc289ba8-bc61-474c-8462-a3f7179d97bb",
			"created_at": "2022-10-25T16:07:24.450609Z",
			"updated_at": "2026-04-10T02:00:04.996582Z",
			"deleted_at": null,
			"main_name": "Avalanche",
			"aliases": [],
			"source_name": "ETDA:Avalanche",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434169,
	"ts_updated_at": 1775792159,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6dc1f4e46c900375ff1dcd48dd315ce303a778ef.pdf",
		"text": "https://archive.orkl.eu/6dc1f4e46c900375ff1dcd48dd315ce303a778ef.txt",
		"img": "https://archive.orkl.eu/6dc1f4e46c900375ff1dcd48dd315ce303a778ef.jpg"
	}
}