An examination of court records and interviews reveals how a hacker's computer crime syndicate spanned several continents and funneled money around the globe — often without being detected.
(USA TODAY) -- In the Dark Web world of cyber hackers, "Slavik" achieved legendary stature years ago, then purportedly retired. Instead, authorities say he went on a dazzling crime spree that used more than 1 million infected computers to reach directly into U.S. banks and businesses to steal millions.
The details of Slavik's handiwork continued to spill out Tuesday after the FBI named him as a leader of a computer crime syndicate that spanned several continents and funneled money around the globe — often without being detected.
The FBI has identified Slavik as Evgeniy Mikhailovitch Bogachev, a Russian national whose whereabouts remain a mystery. Prosecutors say he is responsible for two of the most sophisticated and destructive forms of malicious software in existence — Gameover Zeus and CryptoLocker
His alleged bank heists topped $100 million, including nearly $7 million from a bank in North Florida, $374,000 from a PNC bank account belonging to a plastics company in Pennsylvania, and $190,800 from the bank account owned by an assisted-living facility in Pennsylvania, court papers say.
Bogachev allegedly controlled a vast worldwide network that included computers in Canada, Germany, France, Luxembourg, Iran, Kazakhstan, the Netherlands and the United Kingdom. But the backbone of the infrastructure resided in the Ukraine, according to a senior U.S. law enforcement official who was not authorized to speak publicly because of the pending court cases.
The operation to dismantle the network began on May 7 in Donetsk and Kiev, Ukraine, two cities convulsing with political violence. Ukrainian police seized and copied key computers in the network, prosecutors said. On Friday, the FBI, working with police around the world, kicked off a 72-hour operation to shut down every command-and-control computer in the Zeus network.
By Saturday, CryptoLocker had ceased working. By Monday, police had freed more than 300,000 computers from the Zeus network.
Bogachev, 30, who lives luxuriously in Anapa, Russia, a beautiful seaside resort town of 60,000 on the northern coast of the Black Sea, and often sails his yacht to various Black Sea ports, remains a fugitive.
HOW IT WORKS
Gameover Zeus or P2P Zeus, emerged in September 2011. The malicious software is designed to steal confidential banking credentials and passwords.
The heist begins with a phishing e-mail designed to entice a computer user to click on a link. The link launches the virus, which surreptitiously infects the computer. The malware includes a keylogger that can capture every keystroke made by the user and injects codes that can replace a legitimate banking site with a fake site that asks the user for confidential information, such as credit card and Social Security numbers, while still allowing it to communicate with the legitimate site.
The computer becomes part of a network of infected computers, called a "botnet," that can be controlled remotely by the criminals.
Computers in the "botnet" are infected with a code that directs it to communicate once a week with control websites located around the world. Those websites transmit orders to the various computers in the "botnet" and collect the confidential information. Zeus controlled more than 1 million computers.
On Oct. 18, 2011, Zeus infected Haysite Reinforced Plastics in Pennsylvania using a phishing e-mail purporting to be from a banking payment network. Instead, the e-mail delivered the malware that ultimately captured banking credentials for the company.
Two days later, the hackers' computers accessed the company's accounts at PNC Bank, created an electronic fund transfer and moved $198,234.93 to an account at SunTrust Bank in Atlanta. The next day, the hackers used another electronic transfer to move the money to accounts in Great Britain.
To draw attention away from the massive transfers, the hackers often created a diversion, such as a "denial of service" attack that would bombard the website with traffic in an attempt to shut it down, the law enforcement official said. While the business scrambled to protect its portal, the hackers would push the wire transfer through unnoticed for hours, the official said. By the time the bank realized the money was missing, the hackers had laundered it through so many accounts it became untraceable.
"Fraudulent wires in the amount of $1 million were very common," FBI Special Agent Elliott Peterson wrote in an affidavit.
Peterson's analysis of one U.S. bank's transaction logs found more than $8 million in Zeus-related losses over 13 months beginning in July 2012.
The syndicate also frequently targeted U.S. hospitals, taking control of the large payroll systems and redirecting direct deposits to hacker-controlled accounts, Peterson wrote.
The hackers also used the Zeus botnet to deploy CryptoLocker, the malware that encrypts a computer's data and locks it up unless a victim pays a ransom. The ransoms, which reached as high as $750, had to be paid in untraceable money cards or bitcoin. The FBI estimates CryptoLocker infected 230,000 computers, including 120,000 in the U.S.
The FBI and private computer security firms have disrupted "botnets" before. Most "botnets" rely on a small number of "command-and-control" servers operated by the hacker that issue orders to the infected computers. Law enforcement can disrupt network by capturing and shutting down the command servers. But the Gameover Zeus network was different.
Instead of a centralized command structure, Zeus made every infected computer part of the control structure, allowing them to traffic stolen data through any computer in the network. Other computers acted as relay points, sending the stolen data back to the hackers and disseminating orders for the network.
"Gameover Zeus is the grandchild of the original Zeus and it's much more sophisticated in every way," says Tom Kellermann, chief cyber security officer for Trend Micro, a computer security firm in Dallas, one of many firms that gave technical assistance to the FBI.
Bogachev "is a next generation hacker," Kellermann said. "He's one of the elite actors in cyberspace."
HOW THEY CRACKED THE CASE
A key break in the case came from a compromised computer server in the United Kingdom that FBI agents at first believed served as a communications hub for the hackers. British police secretly copied the contents of the server.
On the server, FBI agents found a password-protected site visitcoastweekend.com that included a detailed ledger of hundreds of financial transactions with dates, company names and amounts, court papers say. Among them was the Pennsylvania plastics company and an entry noting a $198,000 wire transfer stolen Oct. 20, 2011. Ultimately, agents found that every transaction matched bank fraud reports.
A confidential informant tipped the FBI off to the syndicate administrator's email address, court papers say. From the emails, obtained through a search warrant served on a U.S. online provider, FBI agents linked the address to Bogachev and the server logs that hosted the website where agents found the ledger.
"We had to back track the computer traffic from server to server, from country to country," says FBI Special Agent Tim Gallagher, special agent in charge of the cyber crime division at the Washington Field Office, which led the investigation into CryptoLocker. "As we unwound this case, we needed and enlisted the help of numerous foreign countries."
Gallagher said Russian authorities are cooperating on the case.
Once the FBI understood the network's structure, the cyber squad devised a massive technical plan to take it down. Analysis of the network found the hackers need just 24 hours to completely update their system and respond to private industry attempts to block them, court papers say.
In addition to severing the network's communication channels with the infected computers, the FBI also needed to dismantle a computer algorithm that generated more than 1,000 complicated web domain names every week. The network used the names, usually complicated, nonsensical combinations of letters ending in .com, .net or .biz, to create the check-in website for the infected computers to deliver their stolen credentials.
Private security researchers reverse engineered the algorithm so the FBI could accurately predict which names would be generated each week.
As part of the take down, the FBI seized the domain names so when the infected computers began their weekly check-in they were routed instead to a safe FBI-controlled computer.
"Blocking the malware isn't enough. That will just delay them for a day," says Shawn Henry, a former assistant executive director at the FBI and now chief security officer at CrowdStrike, which helped reverse decode the algorithm. "Disrupting the infrastructure is a big, big step."
When the take down began early Friday morning, the cyber criminals responded with countermeasures to regain control of the network, the senior law enforcement official said..