{
	"id": "970ac823-c8fa-4fdc-a386-89a765c51b49",
	"created_at": "2026-04-06T01:28:52.429426Z",
	"updated_at": "2026-04-10T03:35:59.522365Z",
	"deleted_at": null,
	"sha1_hash": "82433ee5b5e3c67434f3bd202dffdd68653b8e98",
	"title": "GozNym Cyber-Criminal Network Operating out of Europe Targeting American Entities Dismantled in International Operation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 50162,
	"plain_text": "GozNym Cyber-Criminal Network Operating out of Europe\r\nTargeting American Entities Dismantled in International\r\nOperation\r\nPublished: 2019-05-16 · Archived: 2026-04-06 01:15:54 UTC\r\nA complex transnational organized cybercrime network that used GozNym malware in an attempt to steal an\r\nestimated $100 million from unsuspecting victims in the United States and around the world has been dismantled\r\nas part of an international law enforcement operation.  GozNym infected tens of thousands of victim computers\r\nworldwide, primarily in the United States and Europe.  The operation was highlighted by the unprecedented\r\ninitiation of criminal prosecutions against members of the network in four different countries as a result of\r\ncooperation between the United States, Georgia, Ukraine, Moldova, Germany, Bulgaria, Europol and Eurojust. \r\nUnited States Attorney Scott W. Brady of the Western District of Pennsylvania made the announcement at\r\nEuropol, located in The Hague, Netherlands, along with his international partners. \r\nThe operation was conducted by the United States Attorney’s Office for the Western District of Pennsylvania and\r\nthe FBI’s Pittsburgh Field Office, along with the Office of the Prosecutor General of Georgia, Prosecutor\r\nGeneral’s Office of Ukraine, Office of the Prosecutor General of the Republic of Moldova, Public Prosecutor’s\r\nOffice Verden (Germany), the Supreme Prosecutor’s Office of Cassation of the Republic of Bulgaria, Ministry of\r\nInternal Affairs of Georgia, National Police of Ukraine, General Police Inspectorate of the Republic of Moldova,\r\nthe Luneburg Police of Germany and the Republic of Bulgaria’s General Directorate for Combatting Organized\r\nCrime with the significant assistance of Europol and Eurojust.\r\n“International law enforcement has recognized that the only way to truly disrupt and defeat transnational,\r\nanonymized networks is to do so in partnership,” said U.S. Attorney Brady.  
“The collaborative and simultaneous\r\nprosecution of the members of the GozNym criminal conspiracy in four countries represents a paradigm shift in\r\nhow we investigate and prosecute cybercrime.  Cybercrime victimizes people all over the world.  This prosecution\r\nrepresents an international cooperative effort to bring cybercriminals to justice.”  \r\nEarlier today, the U.S. Attorney’s Office for the Western District of Pennsylvania unsealed an Indictment returned\r\nby a federal grand jury in Pittsburgh charging 10 members of the GozNym criminal network with conspiracy to\r\ncommit computer fraud, conspiracy to commit wire fraud and bank fraud, and conspiracy to commit money\r\nlaundering.  An eleventh member of the conspiracy was previously charged in a related Indictment.  The victims\r\nof these crimes were primarily U.S. businesses and their financial institutions, including a number of victims\r\nlocated in the Western District of Pennsylvania. \r\n“This takedown highlights the importance of collaborating with our international law enforcement partners against\r\nthis evolution of organized cybercrime,” said FBI Pittsburgh Special Agent in Charge Robert Jones.  “Successful\r\ninvestigation and prosecution is only possible by sharing intelligence, credit and responsibility.  Our adversaries\r\nknow that we are weakest along the seams and this case is a fantastic example of what we can accomplish\r\ncollectively.\"\r\nhttps://www.justice.gov/opa/pr/goznym-cyber-criminal-network-operating-out-europe-targeting-american-entities-dismantled\r\nPage 1 of 4\n\nAccording to the Indictment, the defendants conspired to:\r\ninfect victims’ computers with GozNym malware designed to capture victims’ online banking login\r\ncredentials;\r\nuse the captured login credentials to fraudulently gain unauthorized access to victims’ online bank\r\naccounts; and,\r\nsteal money from victims’ bank accounts and launder those funds using U.S. 
and foreign beneficiary bank\r\naccounts controlled by the defendants.    \r\nThe defendants reside in Russia, Georgia, Ukraine, Moldova and Bulgaria.  The operation was an unprecedented\r\ninternational effort to share evidence and initiate criminal prosecutions against members of the same criminal\r\nnetwork in multiple countries.    \r\nAt the request of the United States, Krasimir Nikolov, aka “pablopicasso,” “salvadordali,” and “karlo,” of Varna,\r\nBulgaria, was searched and arrested by Bulgarian authorities and extradited to the United States in December\r\n2016 to face prosecution in the Western District of Pennsylvania.  Nikolov’s primary role in the conspiracy was\r\nthat of a “casher” or “account takeover specialist” who used victims’ stolen online banking credentials captured by\r\nGozNym malware to access victims’ online bank accounts and attempt to steal victims’ money through electronic\r\nfunds transfers into bank accounts controlled by fellow conspirators.  Nikolov is named as a GozNym conspirator\r\nin the newly unsealed indictment, although he is charged in a related Indictment filed in the Western District of\r\nPennsylvania.  Nikolov entered a guilty plea in federal court in Pittsburgh on charges relating to his participation\r\nin the GozNym conspiracy on April 10, 2019.  He is scheduled to be sentenced on Aug. 30, 2019. \r\nFive of the named defendants reside in Russia and remain fugitives from justice.  However, to overcome the\r\ninability to extradite the remaining defendants to the United States for prosecution, an unprecedented effort was\r\nundertaken to share evidence and build prosecutions against defendants in the remaining countries where they\r\nreside, including Georgia, Ukraine and Moldova.  
The prosecutions are based on shared evidence acquired\r\nthrough coordinated searches for evidence in Georgia, Ukraine, Moldova and Bulgaria, as well as from evidence\r\nshared by the United States and Germany from their respective investigations.   \r\nThe GozNym network exemplified the concept of “cybercrime as a service.”  According to the Indictment, the\r\ndefendants advertised their specialized technical skills and services on underground, Russian-language, online\r\ncriminal forums.  The GozNym network was formed when these individuals were recruited from the online\r\nforums and came together to use their specialized technical skills and services in furtherance of the conspiracy.\r\nAccording to the Indictment, Alexander Konovolov, aka “NoNe,” and “none_1,” age 35, of Tbilisi, Georgia, was\r\nthe primary organizer and leader of the GozNym network who controlled more than 41,000 victim computers\r\ninfected with GozNym malware.  Konovolov assembled the team of cybercriminals charged in the Indictment, in\r\npart by recruiting them through the underground online criminal forums.  Marat Kazandjian, aka “phant0m,” age\r\n31, of Kazakhstan and Tbilisi, Georgia, was allegedly Konovolov’s primary assistant and technical administrator. \r\nKonovolov and Kazandjian are being prosecuted in Georgia for their respective roles in the GozNym criminal\r\nnetwork. \r\nGennady Kapkanov, aka “Hennadiy Kapkanov,” “flux,” “ffhost,” “firestarter,” and “User 41,” age 36, of Poltava,\r\nUkraine, was an administrator of a bulletproof hosting service known by law enforcement and computer security\r\nresearchers as the “Avalanche” network.  This network provided services to more than 200 cybercriminals, including Konovolov and Kazandjian, and it\r\nhosted more than 20 different malware campaigns, including GozNym.  
Kapkanov’s apartment in Poltava,\r\nUkraine was searched in November 2016 during a German-led operation to dismantle the network’s servers and\r\nother infrastructure.  Kapkanov was arrested for shooting an assault rifle through the door of his apartment at\r\nUkrainian law enforcement officers conducting the search.  Through the coordinated efforts being announced\r\ntoday, Kapkanov is now facing prosecution in Ukraine for his role in providing bulletproof hosting services to the\r\nGozNym criminal network.\r\nAlexander Van Hoof, aka “al666,” age 45, of Nikolaev, Ukraine, was a “cash-out” or “drop master” who provided\r\nfellow members of the conspiracy with access to bank accounts he controlled that were designated to receive\r\nstolen funds from GozNym victims’ online bank accounts.\r\nEduard Malanici, aka “JekaProf,” and “procryptgroup,” age 32, of Balti, Moldova, provided crypting services to\r\ncybercriminals.  Malanici crypted GozNym malware in furtherance of the conspiracy to enable the malware to\r\navoid detection by anti-virus tools and protective software on victims’ computers.  
Malanici, along with two\r\nassociates, is being prosecuted in Moldova.\r\nVictims of the GozNym malware attacks include:\r\nAn asphalt and paving business located in New Castle, Pennsylvania;\r\nA law firm located in Washington, DC;\r\nA church located in Southlake, Texas;\r\nAn association dedicated to providing recreation programs and other services to persons with disabilities\r\nlocated in Downers Grove, Illinois;\r\nA distributor of neurosurgical and medical equipment headquartered in Freiburg, Germany, with a U.S.\r\nsubsidiary in Cape Coral, Florida;\r\nA furniture business located in Chula Vista, California;\r\nA provider of electrical safety devices located in Cumberland, Rhode Island;\r\nA contracting business located in Warren, Michigan;\r\nA casino located in Gulfport, Mississippi;\r\nA stud farm located in Midway, Kentucky; and\r\nA law office located in Wellesley, Massachusetts;\r\nFive Russian nationals charged in the Indictment who remain fugitives from justice include:\r\nVladimir Gorin, aka “Voland,”  “mrv,” and “riddler,” of Orenburg, Russia.  Gorin was a malware developer who\r\noversaw the creation, development, management, and leasing of GozNym malware, including to Alexander\r\nKonovolov. \r\nKonstantin Volchkov, aka “elvi,” age 28, of Moscow, Russia, provided spamming services to cybercriminals. \r\nVolchkov conducted spamming operations of GozNym malware on behalf of the conspiracy.  The spamming\r\noperations involved the mass distribution of GozNym malware through “phishing” emails.  The phishing emails\r\nwere designed to appear legitimate to entice the victim recipients into opening the emails and clicking on a\r\nmalicious link or attachment, which facilitated the downloading of GozNym onto the victims’ computers. 
\r\nRuslan Katirkin, aka “stratos,” and “xen,” age 31, of Kazan, Russia, resided in Khmelnytskyi, Ukraine, during the\r\ntime frame of the charged conspiracy.  Katirkin, like Krasimir Nikolov, was a “casher” or “account takeover\r\nspecialist” who used victims’ stolen online banking credentials captured by GozNym malware to access victims’\r\nonline bank accounts and attempt to steal victims’ money through electronic funds transfers into bank accounts\r\ncontrolled by fellow conspirators. \r\nViktor Vladimirovich Eremenko, aka “nfcorpi,” age 30, of Stavropol, Russia, and Farkhad Rauf Ogly Manokhin,\r\naka “frusa,” of Volgograd, Russia, were “cash-outs” or “drop masters” on behalf of the GozNym criminal\r\nnetwork.  Like Alexander Van Hoof, Eremenko and Manokhin provided fellow members of the conspiracy with\r\naccess to bank accounts they controlled that were designated to receive stolen funds from GozNym victims’ online\r\nbank accounts.  Manokhin was arrested at the request of the United States while visiting Sri Lanka in February\r\n2017.  Following his arrest, Manokhin was released on bail but was required to remain in Sri Lanka pending the\r\noutcome of his extradition proceedings to the United States.  In December 2017, Manokhin unlawfully absconded\r\nfrom Sri Lanka and successfully fled back to Russia prior to the conclusion of the extradition proceedings.     \r\nOther agencies and organizations partnering in this effort include the United States Secret Service, the National\r\nCyber-Forensics and Training Alliance (NCFTA) in Pittsburgh and the Shadowserver Foundation.  The Justice\r\nDepartment’s Office of International Affairs provided significant assistance throughout the investigation and\r\nspearheaded the efforts to enable the United States to request searches, arrests, and extraditions in the foreign\r\ncountries as well as the sharing of evidence with those countries through Mutual Legal Assistance Treaty\r\nrequests.  
\r\nThe case is being prosecuted by Assistant U.S. Attorney Charles A. “Tod” Eberle, Chief of National Security and\r\nCybercrime for the Western District of Pennsylvania.   \r\nSource: https://www.justice.gov/opa/pr/goznym-cyber-criminal-network-operating-out-europe-targeting-american-entities-dismantled",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.justice.gov/opa/pr/goznym-cyber-criminal-network-operating-out-europe-targeting-american-entities-dismantled"
	],
	"report_names": [
		"goznym-cyber-criminal-network-operating-out-europe-targeting-american-entities-dismantled"
	],
	"threat_actors": [
		{
			"id": "b753c6a8-a83d-47bc-829d-45e56136eb7d",
			"created_at": "2023-01-06T13:46:38.97802Z",
			"updated_at": "2026-04-10T02:00:03.169611Z",
			"deleted_at": null,
			"main_name": "GozNym",
			"aliases": [],
			"source_name": "MISPGALAXY:GozNym",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1a76ed30-4daf-4817-98ae-87c667364464",
			"created_at": "2022-10-25T16:47:55.891029Z",
			"updated_at": "2026-04-10T02:00:03.646466Z",
			"deleted_at": null,
			"main_name": "IRON LIBERTY",
			"aliases": [
				"ALLANITE ",
				"ATK6 ",
				"BROMINE ",
				"CASTLE ",
				"Crouching Yeti ",
				"DYMALLOY ",
				"Dragonfly ",
				"Energetic Bear / Berserk Bear ",
				"Ghost Blizzard ",
				"TEMP.Isotope ",
				"TG-4192 "
			],
			"source_name": "Secureworks:IRON LIBERTY",
			"tools": [
				"ClientX",
				"Ddex Loader",
				"Havex",
				"Karagany",
				"Loek",
				"MCMD",
				"Sysmain",
				"xfrost"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bc289ba8-bc61-474c-8462-a3f7179d97bb",
			"created_at": "2022-10-25T16:07:24.450609Z",
			"updated_at": "2026-04-10T02:00:04.996582Z",
			"deleted_at": null,
			"main_name": "Avalanche",
			"aliases": [],
			"source_name": "ETDA:Avalanche",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775438932,
	"ts_updated_at": 1775792159,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/82433ee5b5e3c67434f3bd202dffdd68653b8e98.pdf",
		"text": "https://archive.orkl.eu/82433ee5b5e3c67434f3bd202dffdd68653b8e98.txt",
		"img": "https://archive.orkl.eu/82433ee5b5e3c67434f3bd202dffdd68653b8e98.jpg"
	}
}