{
	"id": "0f6cd562-1440-4c06-a65a-7753cf6997d3",
	"created_at": "2026-04-06T00:22:27.485631Z",
	"updated_at": "2026-04-10T13:12:20.567563Z",
	"deleted_at": null,
	"sha1_hash": "fc910aaa3831e6e8909af114ea81fd520c62a5b2",
	"title": "Goznym Indictments – action following on from successful Avalanche Operations",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 666561,
	"plain_text": "Goznym Indictments – action following on from successful\r\nAvalanche Operations\r\nArchived: 2026-04-05 21:30:34 UTC\r\nWe have previously reported on multiple phases of the operations against the Avalanche platform, in late\r\nNovember 2016, 2017 and 2018. To recap: Avalanche was a long-running criminal malware delivery platform\r\nthat was used to provide difficult-to-disrupt, fast-flux botnet command and control (C2) capabilities to over 20\r\ndifferent malware strains. During the past 3 years, the Shadowserver Foundation has been supporting multiple\r\ninternational Law Enforcement Agencies in helping to keep roughly 2 million unique IP addresses of the victims\r\nof one or more of these strains protected from cybercrime every day, through court-ordered and voluntary\r\nsinkholing of malicious C2 domains and victim remediation via our free daily network reporting.\r\nAs part of ongoing investigations into the operators and customers of the Avalanche platform, the US Department\r\nof Justice (DoJ) and Federal Bureau of Investigation (FBI), together with Europol, Eurojust and many Law\r\nEnforcement partners in Germany, Georgia, Ukraine, Moldova and Bulgaria, today announced a significant new\r\ncase development. The malware known as Goznym was one of the malware strains being controlled through the\r\nAvalanche platform at the time of the takedown. The Pittsburgh FBI Field Office and LE partners have now\r\nreached a point in their investigation into Goznym where they can reveal their work to the world. The Goznym\r\nmalware and the criminal actors behind it were allegedly responsible for over 41,000 infected computers used in\r\n$100 million USD of attempted fraud. So far 10 suspects have been indicted, with 5 arrested internationally and 5\r\nstill at large.\r\nYou can view a helpful DoJ/Europol infographic explaining the alleged Avalanche Goznym crimes here, as well as\r\na map showing the location of the indicted defendants. 
The defendants join the FBI’s wanted list. You can view\r\nthe full DoJ indictment here.\r\nThe graph below shows the number of unique IP addresses connecting each day to the Avalanche sinkhole for\r\nactive Goznym infections:\r\nSeen from year two onwards:\r\nhttps://www.shadowserver.org/news/goznym-indictments-action-following-on-from-successful-avalanche-operations/\r\nPage 1 of 4\n\nAnd focusing on the top three countries with victims – Germany, Poland and the United States from year two\r\nonwards:\r\nThe treemaps below show the relative distributions of victim populations globally on various dates:\r\n20161131 – Year One, initial operation\r\n20171201 – Year Two, first anniversary\r\n20190515 – Point of Goznym Indictment\r\nThe animation below shows the changing international locations of Goznym victims globally each month since\r\nthe November 2016 initial Avalanche takedown to the May 2019 US DoJ/FBI indictments:\r\nWe often find that major cybercrime investigations require effective collaboration and partnerships on a truly\r\ninternational scale. Whilst the Internet spans international borders as if they were irrelevant, Law Enforcement\r\nAgencies still have to work within nation-state legal frameworks. These factors provide considerable logistical\r\nand legal challenges. So congratulations to all involved in this case for using all of the available tools to best\r\neffect. No one should underestimate the scale of the achievement here.\r\nWe can’t say it any better than the FBI Pittsburgh Field Office Special Agent in Charge – Robert Jones:\r\n“Successful investigation and prosecution is only possible by sharing intelligence, credit and responsibility.  
Our\r\nadversaries know that we are weakest along the seams and this case is a fantastic example of what we can\r\naccomplish collectively.” We salute the work in this case and we’re happy to have been able to support this\r\ninvestigation.\r\nIn turn, we would also like to thank all those who support the work of The Shadowserver Foundation. Your\r\ncontinued support means we can quietly provide Law Enforcement with impartial, free specialist advice and\r\nassistance to help them achieve these major successes and reduce the exposure to risk faced by Internet users.\r\nSource: https://www.shadowserver.org/news/goznym-indictments-action-following-on-from-successful-avalanche-operations/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.shadowserver.org/news/goznym-indictments-action-following-on-from-successful-avalanche-operations/"
	],
	"report_names": [
		"goznym-indictments-action-following-on-from-successful-avalanche-operations"
	],
	"threat_actors": [
		{
			"id": "b753c6a8-a83d-47bc-829d-45e56136eb7d",
			"created_at": "2023-01-06T13:46:38.97802Z",
			"updated_at": "2026-04-10T02:00:03.169611Z",
			"deleted_at": null,
			"main_name": "GozNym",
			"aliases": [],
			"source_name": "MISPGALAXY:GozNym",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc289ba8-bc61-474c-8462-a3f7179d97bb",
			"created_at": "2022-10-25T16:07:24.450609Z",
			"updated_at": "2026-04-10T02:00:04.996582Z",
			"deleted_at": null,
			"main_name": "Avalanche",
			"aliases": [],
			"source_name": "ETDA:Avalanche",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434947,
	"ts_updated_at": 1775826740,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fc910aaa3831e6e8909af114ea81fd520c62a5b2.pdf",
		"text": "https://archive.orkl.eu/fc910aaa3831e6e8909af114ea81fd520c62a5b2.txt",
		"img": "https://archive.orkl.eu/fc910aaa3831e6e8909af114ea81fd520c62a5b2.jpg"
	}
}