Roundup: how the special services catch drops (money mules), and not only

Father

The fight against cybercrime these days is no longer a myth but a harsh reality. Gone are the days when the law-enforcement and intelligence services did not know from which end to approach the Web. This story is a vivid illustration of the fact that they have learned a lot and sometimes do genuinely useful things.

Operation Trident Breach
In October 2010, from FBI press releases, the whole world learned about the large-scale international operation Trident Breach (literally: "trident strike"), during which more than a hundred people who took part in the activities of a large ZeuS botnet were detained in the UK, the USA and Ukraine.

You've probably already heard about a Trojan named ZeuS; we have devoted several articles and notes to this malware. Just in case, let me remind you that ZeuS, also known across the network as Zbot, PRG, Wsnpoem, Gorhax and Kneber, is the latest fashion and the most popular trend in the cybercriminal environment. This toolkit is in great demand on the black market, is regularly updated, is protected against unlicensed use better than much commercial software, and is a real headache for every IT security worker on the planet. The authors of this software have been sought unsuccessfully for quite a long time. And when you can't find the authors and pull out the "root of evil", you have to fight not the cause but the consequences. Especially when the damage takes on a threatening scale.

The investigation that led to the mass arrests began about a year and a half earlier, in May 2009. Then, while working on a case of theft of funds from 46 different bank accounts, FBI agents from Omaha, Nebraska, found a lead: clear traces of the ZeuS botnet.

The FBI quickly collated the facts on hand and concluded that the scale of the disaster was great. The "feds" immediately contacted the local police, their equivalent of Department "K" (that is, the guys who investigate cybercrime), other American agencies, and then established contact with their foreign colleagues from Ukraine, Great Britain and the Netherlands. We must say right away that the Dutch police were involved in the case solely because the attackers used some computer resources located in the Netherlands.

The situation soon began to clear up. The scheme used by the online fraudsters turned out to be dead simple. The main targets of these dudes were by no means large banks and corporations: they went after small organizations, municipal enterprises, churches, hospitals, and the occasional individual, mainly in the United States. Victims' computers were infected by an almost old-fashioned method: the scammers used targeted malicious e-mails (the letters carried links to ZeuS "on board"). As soon as an unsuspecting citizen opened such a letter and followed the link, the virus got into the system and did its dirty deed there: collecting account numbers, logins, passwords and other confidential data associated with bank accounts. The botnet owners, having got hold of this information, gained access to a huge number of accounts. The FBI reports that attempts were made in this way to steal about $220 million, but since not all of them were successful, the criminals (according to preliminary estimates) actually got about $70 million. Keep in mind that everything was done very carefully: the FBI says the criminals tried not to withdraw more than a few thousand dollars at a time.

The scope is already impressive, right? There is more. As mentioned above, the roots of this criminal group led to Ukraine and other countries of Eastern Europe, and the network of so-called "mules" (from the English money mule), the people who passed the stolen money on to the owners of the botnet (in carders' terminology, drops), turned out to number several hundred people.

How it works
Most of the people arrested during Operation Trident Breach are between 20 and 25 years old, and all of them are, in fact, the lowest level in the structure of the botnet.
When (and if) the theft of funds from the next account succeeds, the money does not flow straight into the grabbing hands of the owners of the zombie network. That would be too simple, risky and primitive. This is where the "mules", the "drops", come into play.

In the case we are talking about today, this role was mainly played by students from Moldova, Ukraine, Russia, Belarus and Kazakhstan who were in the United States on a J-1 visa, that is, under the Work & Travel program. For those who don't know: W&T allows young people to spend some time in the United States working, communicating with native speakers and so on. In a word, educational and cultural exchange. To the arrested "students" such a program clearly seemed boring, since they decided to offer themselves to the cyber fraudsters as drops.

How is this implemented? Again, pretty simple. Such characters are usually recruited over the Internet, for example through social networks (in our case, the FBI still refuses to disclose the name of the social network where the recruitment took place). For their work they are offered a certain percentage of the cashed-out amounts, usually within 5-20% of the transfer. From there, two options are possible. Either, having entered the United States, the "mules" open bank accounts in their own names, to which the stolen money is sent.

Or the employer himself provides the drop with fake accounts: for example, the "mule" is simply sent a plastic card with a PIN code by mail. Often fake documents of all stripes are also involved. After that, the task of the "mule" is elementary: withdraw the cash and hand it over to the "owners".

There is no need to look far for examples of these schemes. During Operation Trident Breach, the FBI inserted one of its agents into the fraudulent network precisely as a drop. Through a Russian social network (all communication took place in Russian), the agent found an "employer" hiding under the nickname Jack Daniels. Jack Daniels, who later turned out to be a 26-year-old citizen of the Russian Federation, Anton Yuferitsyn, offered the following "job": open several bank accounts in the United States, receive transfers into them and cash out the money. Under the close supervision of the FBI, everything was done, and done so well that the undercover agent even managed to meet Yuferitsyn in person. The "employer" suddenly decided to discuss with the "student" in person the prospect of opening a business account, to which more money could be transferred. Obviously, during this first meeting Jack Daniels did not suspect anything, because soon the first transfer of $9,983 arrived in the account of the undercover "mule". A few days later Jack Daniels made an appointment with the agent again, this time directly to hand over the money. In the course of this meeting Yuferitsyn was duly arrested.

He was charged with conspiracy to commit fraud; Jack Daniels pleaded guilty and even testified against other members of the group. But the most interesting thing is that Anton Yuferitsyn has already been sentenced, and the sentence turned out to be surprisingly lenient: 10 months in prison and a $38,314 fine.

The prosecution had insisted to the last on the maximum punishment of 20 years in prison and a $500,000 fine. It can be assumed that Yuferitsyn was either caught much earlier than was officially announced, or cooperated very zealously after the arrest :).

As mentioned above, the majority of those arrested occupied by no means key positions in the criminal group. Most of those charged or arrested are simple drops. In the United States alone 39 people were arrested, and a total of 92 people were charged! Press releases issued by the Federal Bureau of Investigation (FBI) detail nearly every case. For example, it is reported that Russian citizen Maxim Miroshnichenko recruited drops, opened at least five fake accounts at TD Bank, Chase Bank, Bank of America and Wachovia, used fake passports, and had contacts with hackers and with people who could help issue forged documents to other members of the organization. The rest of the cases are as alike as two peas in a pod: these are either "mules" or, at most, small-time coordinators. They face a variety of charges, from conspiracy to commit bank fraud and plain bank fraud to money laundering, forgery of documents, use of forged documents and illegal use of passports. The penalties they face are very serious: from 10 to 30 years in prison and fines from $250,000 to $1 million, respectively. However, it is not known whether the prosecution will manage to get its way, or whether it will turn out as it did with Yuferitsyn.

In addition to the dozens of drops caught by the Americans, another 20 people were arrested in the UK (eight searches were also carried out) and five more in Ukraine. And if in the United Kingdom the situation is almost the same as the American one, with the Ukrainians everything is somewhat more complicated. The fact is that, according to reports from the FBI and the Ukrainian SBU, it seems that the very top of the group, the organizers of the entire scheme described above, was caught there. No, of course, the authors of the ill-fated ZBot were not among those arrested (although, according to many experts and representatives of the security services, the malware was created in Eastern Europe).

There is very little information about these five in general, but it is known that the FBI has reason to believe that the leaders of the botnet were in contact with the ZeuS developers, who made custom versions of the toolkit for them.

All of the above, of course, is far from the end of the story. There are still more than a dozen people on the wanted list, and probably more than one search, arrest and a pile of litigation ahead. But, be that as it may, Operation Trident Breach clearly proves that the world's law-enforcement services can still "find an approach" to botnets and are able to arrest not only "mules" but also people standing higher in the criminal hierarchy. And even if you and I understand that these little more than a hundred people are a drop in the ocean, and $70 million is pitiful crumbs compared to the billions disappearing in unknown directions, for the services this is still an almost unprecedented scale and, in general, a good trend.