Organic SEO Blog


Saturday, October 02, 2010

Accounts Raided in Global Bank Hack

The Wall Street Journal

 
More than 100 people have been arrested or charged in the U.S. and the U.K. as part of an alleged global cybercrime ring using computer viruses to steal bank-account information and loot money from unsuspecting victims.

At least $3 million was stolen from U.S. accounts from about May of last year to this September, federal and state prosecutors said in New York Thursday as they unveiled indictments. The investigation is in its early stages and could result in law-enforcement actions in other countries, authorities said.

In an action American officials say is related, 19 people were arrested Tuesday in London as part of an investigation of a group alleged to have stolen at least £6 million, or $9.5 million, from U.K. bank accounts. Police announced a 20th arrest Thursday. Those arrested in the U.K. included men and women from Ukraine, Latvia, Estonia, Belarus and Georgia.

The U.S. investigation, in progress for over a year, has focused mostly on a network of "mules," or people recruited to open bank accounts using false names and fake passports and transfer stolen funds back to handlers in Eastern Europe, according to prosecutors.

The prosecutors alleged a scheme in which hackers used malicious computer software known as Zeus Trojan, disguised in seemingly benign email. When the email recipient clicks on a link or attachment in the email, the virus monitors the victim's computer activity to grab user names and passwords.

The hackers, according to U.S. prosecutors, would use the stolen data to move money from victims' accounts to accounts held by the mules, who would either wire it overseas or take it out in cash.

The scheme allegedly defrauded five banks and dozens of individuals and corporate defendants. Some banks were victims and some were used by the mules, authorities said.

The banks that were victimized by the scheme included units of J.P. Morgan Chase & Co., Ally Financial Inc. and PNC Financial Services Group Inc. In addition, mules used units of Bank of America Corp. and TD Bank Financial Group to open accounts into which to siphon money, according to federal court documents.

Chase and Ally declined to comment. PNC said it would defer to law enforcement. B of A said it has fully cooperated with the probe. TD Bank said it takes the matter seriously and is working with authorities.

The documents said money was typically withdrawn in amounts of around $10,000, with the mules often keeping about 8% to 10%.

Many of the mules were recruited through ads in a Russian-language newspaper or social-networking site, said Manhattan District Attorney Cyrus Vance Jr. Those charged included citizens of Russia, Moldova, Ukraine, Kazakhstan and Belarus.

"The Internet is the crime scene of the 21st Century," Mr. Vance said.

In all, more than 80 people have been charged in the U.S. by state and federal prosecutors, of whom 10 were arrested Thursday and 29 previously, though officials wouldn't specify when. Four of those charged acted as managers of the mule network, said Preet Bharara, the U.S. Attorney in Manhattan. A number of those charged are at large and believed to have left the U.S.

The federal charges include conspiracy to commit bank and wire fraud, to possess false identification documents, to commit money laundering and false use of a passport. The state charges include grand larceny and identity theft.

U.K. police said they have charged 11 individuals with conspiracy to defraud and money laundering, among other things, while nine other individuals were on bail, pending further inquiries.

The Zeus software program is one antivirus specialists became aware of several years ago. They believe it was developed by an individual or group out of Russia, said Mikko Hypponen, chief research officer at computer-security firm F-Secure Corp.

In its early form, the Zeus code would harvest data such as basic bank log-in information as users of infected computers accessed their financial accounts online, sending the information to criminals who would then either use it or sell it.

Over the past year, the code has become more sophisticated, antivirus experts say, enabling criminals to take over someone's connection with a financial institution to siphon money directly to mule accounts. By piggybacking on the legitimate user's access to an account, the virus bypasses additional password protection financial firms have put in place.

Zeus is so popular that bootleg versions have emerged on the cyber black market from a hacker known by the online handle Bishop. Zeus is used to steal not just bank data but also log-in information for government and military sites.

There are a handful of large cybercrime operations known for their success with multimillion-dollar heists using Zeus, and the group of people arrested Thursday is part of one of those operations, said Don Jackson, who is director of threat intelligence at the information security firm SecureWorks and has provided information on Zeus operations to federal law enforcement.

"The mules they have arrested in the U.S. are affiliated with one of the largest if not the largest Zeus operations in the world," he said. "This could potentially be a major turning point in Zeus history."

Security firm M86 Security, of Orange, Calif., says that in July it identified Zeus-infected computers of customers of one U.K. bank, where $1 million was stolen. Bradley Anstis, a vice president at the security firm, said it tracked the servers to Estonia, where it found log files showing that details of about 3,000 customers at one bank had been stolen. The data included account numbers, dates of birth and other details.

"The modern high-tech bank heist does not require a gun," said Mr. Bharara, the Manhattan U.S. attorney. "It requires only the Internet and ingenuity."