SlideShare a Scribd company logo

FBI takedown of Gameover Zeus (GOZ) Botnet --- Original complaint

David Sweigert
David Sweigert

Posted as a courtesy by: Dave Sweigert, M.Sci., Security+ , CISSP

Law
1 of 9
IN THE UNITED STATES DISTRICT COURT THE WESTERN DISTRICT OF UNITED STATES OF AMERICA ) Plaintiff, ) Civil Action No. v. ) FILED EX PARTE ) AND UNDER SEAL MIKHAILOVICH BOGACHEV ) a/k/a a/k/a "Pollingsoon" ) Lermontova Str. ) Anapa, Russian Federation ) "TEMP SPECIAL" ) "DED" ) 911" ) "MR. KYKYPYKY" ) Defendants. ) COMPLAINT Plaintiff, the United States of America, by and through its undersigned counsel, alleges the following: 1. This is a civil action brought under Title United States Code, Sections 1345 and and Federal Rule of Civil Procedure 65, to enjoin the Defendants from continuing to engage in wire fraud, bank fraud, and unauthorized interception of electronic communications in violation of Title 18, United States Code, Sections 1343, 1344, and by means of malicious computer software ("malware") known as Gameover Zeus ("GOZ") and 2. GOZ is malware that steals banking and other online credentials from infected computers and enlists those computers into a "botnet" - a network of other infected computers controlled by the Defendants. Individual infected computers, or "bots," are controlled remotely
through a decentralized command and control ("C&C") system in which (a) ordinary infected computers, or "peers," remain in contact with each other; (b) specially selected peers called "proxy nodes" transmit commands and other information from the Defendants to the peers; and (c) a Domain Generation Algorithm ("DGA") is used to generate a large number of Internet domain names with which the infected computers communicate at least once a week. Cryptolocker is a form of malware known as "ransomware," which infects computers, encrypts key files, and then demands a ransom of hundreds of dollars in order to return the encrypted files to a readable state. GOZ is one of the primary vehicles for infecting victim computers with Cryptolocker. 4. Together, GOZ and Cryptolocker have infected hundreds of thousands of computers around the world and have generated losses that exceed million. Parties 5. Plaintiff is the United States of America. 6. Defendant Evgeniy Mikhailovich Bogachev is citizen of Russia residing at Lermontova Str. Anapa, Russian Federation. Bogachev is a leader of the criminal enterprise responsible for GOZ and Cryptolocker. 7. Defendants "Temp Special," "Ded," "Chingiz "Chingiz" and kykyprky" are individuals, believed to be located in either Russia or Ukraine, who assist in the administration of the GOZ botnet. 2
Jurisdiction and Venue 8. Subject matter jurisdiction lies pursuant to Title 18, United States Code, Sections 1345(a)(1) and 2521 and Title 28, United States Code, Sections and 1345. 9. • Defendants are subject to the personal jurisdiction of this Court, having infected computers, used infected computers in furtherance of their scheme to defraud, initiated fraudulent money transfers, and engaged in unauthorized wiretapping, all within the Western District of Pennsylvania. 10. Venue is proper in this District pursuant to 28 § 1391(b)(2). The GOZ Scheme to Defraud and Unauthorized Interception A botnet is a collection of compromised computers that are controlled, without the knowledge of the victims, by an unauthorized third party. A botnet can be used for many criminal including sending spam, stealing data, and committing financial fraud. The GOZ botnet has been used for, among other purposes, the commission of fraudulent financial activity. The principal purpose of GOZ is to capture banking credentials from infected computers. One means by which GOZ accomplishes this is through attacks, in which GOZ intercepts sensitive information victims transmit from their computers. To increase the effectiveness of such attacks, the Defendants use GOZ to inject additional code into victims' web browsers that changes the appearance of the websites victims are viewing. For example, if a GOZ-infected user were to visit a banking website that typically requests only a username and password, the defendants could seamlessly inject additional form fields into website displayed in the user's web browser that also request the user's social security number, credit card numbers, and other sensitive information. Because these additional 3
fields appear to be part of the legitimate website users elected to visit, users are often defrauded into supplying the requested information, which is promptly intercepted by GOZ and transmitted to the defendants. The Defendants use the intercepted credentials for fraudulent purposes, such as initiating or re-directing wire transfers from victims' accounts to accounts controlled by the GOZ organization overseas. Victims of the GOZ scheme to defraud and unauthorized interception include, among others: a. A composite materials company in the Western District of Pennsylvania, which lost more than after an unauthorized wire transfer was initiated its bank account using credentials stolen by the Defendants through the use of GOZ; b. An Indian tribe in Washington which lost more than $277,000 after an unauthorized wire transfer was initiated from its bank account using credentials stolen by the Defendants through the use of GOZ; c. A corporation operating assisted living facilities in Eastern Pennsylvania, which lost more than after an unauthorized wire transfer was initiated from its bank account using credentials stolen by the Defendants through the use of GOZ; d. A regional bank in Northern Florida, which lost nearly seven million dollars after an unauthorized wire transfer was initiated from its bank account using credentials stolen by the Defendants through the use of GOZ. Since GOZ first emerged in September total losses attributable to GOZ exceed million. 4
The Cryptolocker Scheme to Defraud Cryptolocker is a malicious program designed to extract ransom payments from victims. After infecting a computer, Cryptolocker encrypts files on the infected computer's hard drive. Once the victim's files have been encrypted, Cryptolocker displays a notice on the victim's computer that demands payment of a ransom in exchange for the key that can decrypt the victim's files. The ransom varies in amount, but can reach up to $750 or more. Victims who refuse to pay the ransom face significant data loss, since the encryption algorithm used by the defendants is effectively unbreakable. Cryptolocker first emerged in mid-to-late and has infected more than computers in the ensuing months, including more than victims in the United States. 20. GOZ includes code that permits the defendants to install additional malicious software onto computers infected with GOZ. The defendants and their co-conspirators have used this capability to install Cryptolocker onto numerous computers within the GOZ botnet. Cryptolocker is thus a second prong of the GOZ scheme to defraud. The Defendants also defraud victims of Cryptolocker by falsely informing them that (1) the private key needed to unlock their computers will be destroyed in 72 hours if they fail to pay the Cryptolocker ransom, and (2) that any attempt to remove Cryptolocker from the computer will result in the destruction of the private key. 22. The victims of Cryptolocker fraud scheme described above include: a. An insurance company in Pittsburgh, Pennsylvania had critical business files encrypted by Cryptolocker. The company was able to repair the damage by using backup files, but was forced to send employees home while the repair work was completed. The company estimates its total loss at $70,000.
b. A restaurant operator in Florida had over files encrypted by Cryptolocker, including the contents of the company's team training, franchise, and recipe folders. The company estimates that remediating the Cryptolocker infection has cost the company $30,000. c. A local police department in Massachusetts had its main file server, including administrative documents, investigative materials, and digital photo mug shots, encrypted by Cryptolocker. To recover these critical fdes, the SPD was forced to pay the $750 ransom demanded by Cryptolocker. d. pest control company in North Carolina had its most critical fdes, including its customer database and schedule of appointments, as well as its backup server, encrypted by Cryptolocker. The company estimates that the Cryptolocker infection has cost the company approximately $80,000 to date. (Injunctive Relief under 18 § 1345) 23. The United States of America alleges and incorporates by reference the preceding paragraphs of this Complaint as if fully set forth herein. 24. The Defendants are engaging in wire fraud, in violation of Title United States Code, Section 1343, in that the defendants, having devised a scheme or artifice to'defraud and for obtaining money by means of false or fraudulent pretenses, are transmitting and causing to be transmitted, by means of wire communication in interstate and foreign commerce, writings, signs, and signals for the purpose of executing such scheme or artifice. 25. Pursuant to Title United States Code, Section and (b), the United States of America requests the issuance of a temporary restraining order, preliminary injunction, and permanent injunction against the Defendants and their agents in order to prevent a continuing and substantial injury to the owners and legitimate users of the infected computers in the GOZ botnet and of computers infected with Cryptolocker. 6
COUNT II (Injunctive Relief under 18 U.S.C. § 1345) 26. The United States of America alleges and incorporates by reference the preceding paragraphs of this Complaint as if fully set forth herein. 27. The Defendants are engaging in bank fraud, in violation of Title United States Code, Section in that the Defendants are knowingly executing a scheme or artifice to defraud financial institutions insured by the Federal Deposit Insurance Corporation and to obtain moneys the custody and control of these institutions by means of false and fraudulent pretenses and representations. 28. Pursuant to Title 18, United States Code, Section 1345(a) and (b), the United States of America requests the issuance of a temporary restraining order, preliminary injunction, and permanent injunction against the Defendants and their agents in order to prevent a continuing and substantial injury to the owners and legitimate users of the infected computers in the GOZ botnet. COUNT III (Injunctive Relief under 18 U.S.C. § 2521) 29. The United States of America alleges and incorporates by reference the preceding paragraphs of this Complaint as if fully set forth herein. The Defendants are engaging in the unauthorized interception of electronic communications, in violation of Title United States Code, Section in that the defendants are intentionally intercepting electronic communications, and are intentionally using and endeavoring to use the contents of electronic communications knowing that the information is obtained through the unauthorized interception of electronic communications. 7
Pursuant to Title United States Code, Section the United States of America requests the issuance of a temporary restraining order, preliminary injunction, and permanent injunction against the defendants and their agents in order to prevent a continuing and substantial injury to the owners and legitimate users of the infected computers in the GOZ botnet. PRAYER FOR RELIEF WHEREFORE, the United States of America prays that the Court: A. Enter judgment in favor of the Government and against the Defendants; B. Pursuant to Title 18, United States Code, Sections 1345(b) and 2521, enter a preliminary injunction and and permanent injunction against the Defendants and their agents, servants, employees, and all persons and entities in active concert or participation with them from engaging in any of the activity complained of herein or from causing any of the injury complained of herein and from assisting, aiding or abetting any other person or business entity from engaging in or performing any of the activity complained of herein or from causing any of the injury complained of herein; C. Pursuant to Title 18, United States Code, Sections 1345(b) and 2521, enter a preliminary injunction and permanent injunction authorizing the Government to continue the malware disruption plan specified in the Memorandum of Law in Support of Motion for Temporary Restraining Order, Order to Show Cause, and Other Ancillary Relief for a period of six months, and requiring the entities specified in the Temporary Restraining Order to continue take the actions specified in the Temporary Restraining Order for a period of six months. 8
D. Order such other relief that the Court deems and proper. Dated: 2014 Respectfully submitted, DAVID J. HICKTON LESLIE R. CALDWELL United States Attorney Assistant Attorney General By: /s/ Michael A. Comber MICHAEL COMBER Assistant U.S. Attorney Western District of PA U.S. Post Office & Courthouse 700 Grant Street, Suite 4000 Pittsburgh, PA (412) 894-7485 Phone 644-6995 Fax No. 81951 /s/ Ethan ETHAN ARENSON DAVID AARON Trial Attorneys Computer Crime and Intellectual Property Section 1301 New York Avenue, NW Washington, DC 20530 (202)514-1026 Phone (202) 514-6113 Fax DC No. 473296 (Arenson) No. 3949955 (Aaron) Ethan. David. gov 9

Recommended

cyber crime midterm paper--nosal
cyber crime midterm paper--nosalcyber crime midterm paper--nosal
cyber crime midterm paper--nosalSHIH-LAN(Allison) CHEN
 
CFAA & Fourth Amendment Writing Sample
CFAA & Fourth Amendment Writing SampleCFAA & Fourth Amendment Writing Sample
CFAA & Fourth Amendment Writing SampleAndre Craig Jr
 
На Yahoo подали в суд из-за кражи 450 тыс. паролей
На Yahoo подали в суд из-за кражи 450 тыс. паролейНа Yahoo подали в суд из-за кражи 450 тыс. паролей
На Yahoo подали в суд из-за кражи 450 тыс. паролейAnatol Alizar
 
06-30-2005 DOJ Press Release 1
06-30-2005 DOJ Press Release 106-30-2005 DOJ Press Release 1
06-30-2005 DOJ Press Release 1Keith Mathews
 
Scott Moulton scanning case RE: U.S.D.C. Georgia NMAP
Scott Moulton scanning case RE: U.S.D.C. Georgia NMAPScott Moulton scanning case RE: U.S.D.C. Georgia NMAP
Scott Moulton scanning case RE: U.S.D.C. Georgia NMAPDavid Sweigert
 
Dissecting Zeus by Nick Bilogorskiy
Dissecting Zeus by Nick BilogorskiyDissecting Zeus by Nick Bilogorskiy
Dissecting Zeus by Nick BilogorskiyNick Bilogorskiy
 
Adigyuzelov, kasum complaint
Adigyuzelov, kasum complaintAdigyuzelov, kasum complaint
Adigyuzelov, kasum complaintosint
 
Tsygankov, Artem Et Al Complaint
Tsygankov, Artem Et Al ComplaintTsygankov, Artem Et Al Complaint
Tsygankov, Artem Et Al Complaintosint
 

Recommended

cyber crime midterm paper--nosal
cyber crime midterm paper--nosalcyber crime midterm paper--nosal
cyber crime midterm paper--nosalSHIH-LAN(Allison) CHEN
 
CFAA & Fourth Amendment Writing Sample
CFAA & Fourth Amendment Writing SampleCFAA & Fourth Amendment Writing Sample
CFAA & Fourth Amendment Writing SampleAndre Craig Jr
 
На Yahoo подали в суд из-за кражи 450 тыс. паролей
На Yahoo подали в суд из-за кражи 450 тыс. паролейНа Yahoo подали в суд из-за кражи 450 тыс. паролей
На Yahoo подали в суд из-за кражи 450 тыс. паролейAnatol Alizar
 
06-30-2005 DOJ Press Release 1
06-30-2005 DOJ Press Release 106-30-2005 DOJ Press Release 1
06-30-2005 DOJ Press Release 1Keith Mathews
 
Scott Moulton scanning case RE: U.S.D.C. Georgia NMAP
Scott Moulton scanning case RE: U.S.D.C. Georgia NMAPScott Moulton scanning case RE: U.S.D.C. Georgia NMAP
Scott Moulton scanning case RE: U.S.D.C. Georgia NMAPDavid Sweigert
 
Dissecting Zeus by Nick Bilogorskiy
Dissecting Zeus by Nick BilogorskiyDissecting Zeus by Nick Bilogorskiy
Dissecting Zeus by Nick BilogorskiyNick Bilogorskiy
 
Adigyuzelov, kasum complaint
Adigyuzelov, kasum complaintAdigyuzelov, kasum complaint
Adigyuzelov, kasum complaintosint
 
Tsygankov, Artem Et Al Complaint
Tsygankov, Artem Et Al ComplaintTsygankov, Artem Et Al Complaint
Tsygankov, Artem Et Al Complaintosint
 
Phish phry operation
Phish phry operationPhish phry operation
Phish phry operationMohamed Zahran
 
New Kmart Data Breach lawsuit spotlights PCI DSS
New Kmart Data Breach lawsuit spotlights PCI DSS New Kmart Data Breach lawsuit spotlights PCI DSS
New Kmart Data Breach lawsuit spotlights PCI DSSDavid Sweigert
 
L Scope
L ScopeL Scope
L ScopeCTIN
 
Case in PointInaction Caused Costly Hacking At Large Retailer.docx
Case in PointInaction Caused Costly Hacking At Large Retailer.docxCase in PointInaction Caused Costly Hacking At Large Retailer.docx
Case in PointInaction Caused Costly Hacking At Large Retailer.docxcowinhelen
 
SOUTHERN DISTRICT OF NEW YORK
SOUTHERN DISTRICT OF NEW YORKSOUTHERN DISTRICT OF NEW YORK
SOUTHERN DISTRICT OF NEW YORKFinance Magnates
 
Cyber crime lecture one definition and nature
Cyber crime lecture one definition and natureCyber crime lecture one definition and nature
Cyber crime lecture one definition and natureDr. Arun Verma
 
Discuss similarities and differences between and Trojan.docx
Discuss similarities and differences between and Trojan.docxDiscuss similarities and differences between and Trojan.docx
Discuss similarities and differences between and Trojan.docxbkbk37
 
Discuss similarities and differences between and Trojan.docx
Discuss similarities and differences between and Trojan.docxDiscuss similarities and differences between and Trojan.docx
Discuss similarities and differences between and Trojan.docxwrite12
 
It law ecommerce
It law ecommerceIt law ecommerce
It law ecommercesonali talkar
 
Riot blockchain, inc. complaint (d. colo.)
Riot blockchain, inc. complaint (d. colo.)Riot blockchain, inc. complaint (d. colo.)
Riot blockchain, inc. complaint (d. colo.)Hindenburg Research
 
rajat_ppt
rajat_pptrajat_ppt
rajat_pptRajat Guta
 
Phishing: Swiming with the sharks
Phishing: Swiming with the sharksPhishing: Swiming with the sharks
Phishing: Swiming with the sharksNalneesh Gaur
 
English in written
English in writtenEnglish in written
English in writtenazhar manap
 
2009 10 21 Rajgoel Trends In Financial Crimes
2009 10 21 Rajgoel Trends In Financial Crimes2009 10 21 Rajgoel Trends In Financial Crimes
2009 10 21 Rajgoel Trends In Financial CrimesRaj Goel
 
United states securities_and_exchange_v_middleton_et_al__nyedce-19-04625__0001.0
United states securities_and_exchange_v_middleton_et_al__nyedce-19-04625__0001.0United states securities_and_exchange_v_middleton_et_al__nyedce-19-04625__0001.0
United states securities_and_exchange_v_middleton_et_al__nyedce-19-04625__0001.0Hindenburg Research
 
International-Dimensions-of-Cybercrime (1).pptx
International-Dimensions-of-Cybercrime (1).pptxInternational-Dimensions-of-Cybercrime (1).pptx
International-Dimensions-of-Cybercrime (1).pptxchrixymae
 
Cybercrime
CybercrimeCybercrime
Cybercrimenayakslideshare
 
Overview and Update on the Computer Fraud and Abuse Act (CFAA) for the Data ...
Overview and Update on the Computer Fraud and Abuse Act (CFAA) for the Data ...Overview and Update on the Computer Fraud and Abuse Act (CFAA) for the Data ...
Overview and Update on the Computer Fraud and Abuse Act (CFAA) for the Data ...Shawn Tuma
 
SEC vs. McAfee
SEC vs. McAfeeSEC vs. McAfee
SEC vs. McAfeeHindenburg Research
 
Ch 9 White Collar and Organized Crime
Ch 9 White Collar and Organized CrimeCh 9 White Collar and Organized Crime
Ch 9 White Collar and Organized Crimerharrisonaz
 
The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)
The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)
The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)David Sweigert
 
Law Enforcement Cyber Incident Reporting
Law Enforcement Cyber Incident Reporting Law Enforcement Cyber Incident Reporting
Law Enforcement Cyber Incident Reporting David Sweigert
 

More Related Content

Similar to FBI takedown of Gameover Zeus (GOZ) Botnet --- Original complaint

New Kmart Data Breach lawsuit spotlights PCI DSS
New Kmart Data Breach lawsuit spotlights PCI DSS New Kmart Data Breach lawsuit spotlights PCI DSS
New Kmart Data Breach lawsuit spotlights PCI DSSDavid Sweigert
 
L Scope
L ScopeL Scope
L ScopeCTIN
 
Case in PointInaction Caused Costly Hacking At Large Retailer.docx
Case in PointInaction Caused Costly Hacking At Large Retailer.docxCase in PointInaction Caused Costly Hacking At Large Retailer.docx
Case in PointInaction Caused Costly Hacking At Large Retailer.docxcowinhelen
 
SOUTHERN DISTRICT OF NEW YORK
SOUTHERN DISTRICT OF NEW YORKSOUTHERN DISTRICT OF NEW YORK
SOUTHERN DISTRICT OF NEW YORKFinance Magnates
 
Cyber crime lecture one definition and nature
Cyber crime lecture one definition and natureCyber crime lecture one definition and nature
Cyber crime lecture one definition and natureDr. Arun Verma
 
Discuss similarities and differences between and Trojan.docx
Discuss similarities and differences between and Trojan.docxDiscuss similarities and differences between and Trojan.docx
Discuss similarities and differences between and Trojan.docxbkbk37
 
Discuss similarities and differences between and Trojan.docx
Discuss similarities and differences between and Trojan.docxDiscuss similarities and differences between and Trojan.docx
Discuss similarities and differences between and Trojan.docxwrite12
 
Riot blockchain, inc. complaint (d. colo.)
Riot blockchain, inc. complaint (d. colo.)Riot blockchain, inc. complaint (d. colo.)
Riot blockchain, inc. complaint (d. colo.)Hindenburg Research
 
Phishing: Swiming with the sharks
Phishing: Swiming with the sharksPhishing: Swiming with the sharks
Phishing: Swiming with the sharksNalneesh Gaur
 
English in written
English in writtenEnglish in written
English in writtenazhar manap
 
2009 10 21 Rajgoel Trends In Financial Crimes
2009 10 21 Rajgoel Trends In Financial Crimes2009 10 21 Rajgoel Trends In Financial Crimes
2009 10 21 Rajgoel Trends In Financial CrimesRaj Goel
 
United states securities_and_exchange_v_middleton_et_al__nyedce-19-04625__0001.0
United states securities_and_exchange_v_middleton_et_al__nyedce-19-04625__0001.0United states securities_and_exchange_v_middleton_et_al__nyedce-19-04625__0001.0
United states securities_and_exchange_v_middleton_et_al__nyedce-19-04625__0001.0Hindenburg Research
 
International-Dimensions-of-Cybercrime (1).pptx
International-Dimensions-of-Cybercrime (1).pptxInternational-Dimensions-of-Cybercrime (1).pptx
International-Dimensions-of-Cybercrime (1).pptxchrixymae
 
Overview and Update on the Computer Fraud and Abuse Act (CFAA) for the Data ...
Overview and Update on the Computer Fraud and Abuse Act (CFAA) for the Data ...Overview and Update on the Computer Fraud and Abuse Act (CFAA) for the Data ...
Overview and Update on the Computer Fraud and Abuse Act (CFAA) for the Data ...Shawn Tuma
 
Ch 9 White Collar and Organized Crime
Ch 9 White Collar and Organized CrimeCh 9 White Collar and Organized Crime
Ch 9 White Collar and Organized Crimerharrisonaz
 

Similar to FBI takedown of Gameover Zeus (GOZ) Botnet --- Original complaint (20)

Phish phry operation
Phish phry operationPhish phry operation
Phish phry operation
 
New Kmart Data Breach lawsuit spotlights PCI DSS
New Kmart Data Breach lawsuit spotlights PCI DSS New Kmart Data Breach lawsuit spotlights PCI DSS
New Kmart Data Breach lawsuit spotlights PCI DSS
 
L Scope
L ScopeL Scope
L Scope
 
Case in PointInaction Caused Costly Hacking At Large Retailer.docx
Case in PointInaction Caused Costly Hacking At Large Retailer.docxCase in PointInaction Caused Costly Hacking At Large Retailer.docx
Case in PointInaction Caused Costly Hacking At Large Retailer.docx
 
SOUTHERN DISTRICT OF NEW YORK
SOUTHERN DISTRICT OF NEW YORKSOUTHERN DISTRICT OF NEW YORK
SOUTHERN DISTRICT OF NEW YORK
 
Cyber crime lecture one definition and nature
Cyber crime lecture one definition and natureCyber crime lecture one definition and nature
Cyber crime lecture one definition and nature
 
Discuss similarities and differences between and Trojan.docx
Discuss similarities and differences between and Trojan.docxDiscuss similarities and differences between and Trojan.docx
Discuss similarities and differences between and Trojan.docx
 
Discuss similarities and differences between and Trojan.docx
Discuss similarities and differences between and Trojan.docxDiscuss similarities and differences between and Trojan.docx
Discuss similarities and differences between and Trojan.docx
 
It law ecommerce
It law ecommerceIt law ecommerce
It law ecommerce
 
Riot blockchain, inc. complaint (d. colo.)
Riot blockchain, inc. complaint (d. colo.)Riot blockchain, inc. complaint (d. colo.)
Riot blockchain, inc. complaint (d. colo.)
 
rajat_ppt
rajat_pptrajat_ppt
rajat_ppt
 
Phishing: Swiming with the sharks
Phishing: Swiming with the sharksPhishing: Swiming with the sharks
Phishing: Swiming with the sharks
 
English in written
English in writtenEnglish in written
English in written
 
2009 10 21 Rajgoel Trends In Financial Crimes
2009 10 21 Rajgoel Trends In Financial Crimes2009 10 21 Rajgoel Trends In Financial Crimes
2009 10 21 Rajgoel Trends In Financial Crimes
 
United states securities_and_exchange_v_middleton_et_al__nyedce-19-04625__0001.0
United states securities_and_exchange_v_middleton_et_al__nyedce-19-04625__0001.0United states securities_and_exchange_v_middleton_et_al__nyedce-19-04625__0001.0
United states securities_and_exchange_v_middleton_et_al__nyedce-19-04625__0001.0
 
International-Dimensions-of-Cybercrime (1).pptx
International-Dimensions-of-Cybercrime (1).pptxInternational-Dimensions-of-Cybercrime (1).pptx
International-Dimensions-of-Cybercrime (1).pptx
 
Cybercrime
CybercrimeCybercrime
Cybercrime
 
Overview and Update on the Computer Fraud and Abuse Act (CFAA) for the Data ...
Overview and Update on the Computer Fraud and Abuse Act (CFAA) for the Data ...Overview and Update on the Computer Fraud and Abuse Act (CFAA) for the Data ...
Overview and Update on the Computer Fraud and Abuse Act (CFAA) for the Data ...
 
SEC vs. McAfee
SEC vs. McAfeeSEC vs. McAfee
SEC vs. McAfee
 
Ch 9 White Collar and Organized Crime
Ch 9 White Collar and Organized CrimeCh 9 White Collar and Organized Crime
Ch 9 White Collar and Organized Crime
 

More from David Sweigert

The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)
The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)
The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)David Sweigert
 
Law Enforcement Cyber Incident Reporting
Law Enforcement Cyber Incident Reporting Law Enforcement Cyber Incident Reporting
Law Enforcement Cyber Incident Reporting David Sweigert
 
Sample Network Analysis Report based on Wireshark Analysis
Sample Network Analysis Report based on Wireshark AnalysisSample Network Analysis Report based on Wireshark Analysis
Sample Network Analysis Report based on Wireshark AnalysisDavid Sweigert
 
National Cyber Security Awareness Month poster
National Cyber Security Awareness Month posterNational Cyber Security Awareness Month poster
National Cyber Security Awareness Month posterDavid Sweigert
 
Department of Defense standard 8570 - CompTia Advanced Security Practitioner
Department of Defense standard 8570 - CompTia Advanced Security Practitioner Department of Defense standard 8570 - CompTia Advanced Security Practitioner
Department of Defense standard 8570 - CompTia Advanced Security Practitioner David Sweigert
 
National Cyber Security Awareness Month - October 2017
National Cyber Security Awareness Month - October 2017National Cyber Security Awareness Month - October 2017
National Cyber Security Awareness Month - October 2017David Sweigert
 
California Attorney General Notification Penal Code 646.9
California Attorney General Notification Penal Code 646.9California Attorney General Notification Penal Code 646.9
California Attorney General Notification Penal Code 646.9David Sweigert
 
Congressional support of Ethical Hacking and Cyber Security
Congressional support of Ethical Hacking and Cyber SecurityCongressional support of Ethical Hacking and Cyber Security
Congressional support of Ethical Hacking and Cyber SecurityDavid Sweigert
 
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)David Sweigert
 
Application of Racketeering Law to Suppress CrowdStalking Threats
Application of Racketeering Law to Suppress CrowdStalking ThreatsApplication of Racketeering Law to Suppress CrowdStalking Threats
Application of Racketeering Law to Suppress CrowdStalking ThreatsDavid Sweigert
 
Canada Communications Security Establishment - Threat Vector Chart
Canada Communications Security Establishment - Threat Vector ChartCanada Communications Security Establishment - Threat Vector Chart
Canada Communications Security Establishment - Threat Vector ChartDavid Sweigert
 
Port of Charleston evacuation case study: The cognitive threat of conspiracy ...
Port of Charleston evacuation case study: The cognitive threat of conspiracy ...Port of Charleston evacuation case study: The cognitive threat of conspiracy ...
Port of Charleston evacuation case study: The cognitive threat of conspiracy ...David Sweigert
 
Cyber Incident Response Team NIMS Public Comment
Cyber Incident Response Team NIMS Public CommentCyber Incident Response Team NIMS Public Comment
Cyber Incident Response Team NIMS Public CommentDavid Sweigert
 
Cyber Incident Response Team - NIMS - Public Comment
Cyber Incident Response Team - NIMS - Public CommentCyber Incident Response Team - NIMS - Public Comment
Cyber Incident Response Team - NIMS - Public CommentDavid Sweigert
 
National Incident Management System (NIMS) NQS DRAFT
National Incident Management System (NIMS) NQS DRAFTNational Incident Management System (NIMS) NQS DRAFT
National Incident Management System (NIMS) NQS DRAFTDavid Sweigert
 
National Incident Management System - NQS Public Feedback
National Incident Management System - NQS Public FeedbackNational Incident Management System - NQS Public Feedback
National Incident Management System - NQS Public FeedbackDavid Sweigert
 
Nursing meets Hacking -- Medical Computer Emergency Response Teams -- MedCERT
Nursing meets Hacking -- Medical Computer Emergency Response Teams -- MedCERTNursing meets Hacking -- Medical Computer Emergency Response Teams -- MedCERT
Nursing meets Hacking -- Medical Computer Emergency Response Teams -- MedCERTDavid Sweigert
 
National Preparedness Goals 2015 2nd edition
National Preparedness Goals 2015 2nd editionNational Preparedness Goals 2015 2nd edition
National Preparedness Goals 2015 2nd editionDavid Sweigert
 
Healthcare Sector-wide Disaster Prepardness Plan
Healthcare Sector-wide Disaster Prepardness PlanHealthcare Sector-wide Disaster Prepardness Plan
Healthcare Sector-wide Disaster Prepardness PlanDavid Sweigert
 
Cyber Risk Assessment for the Emergency Services Sector - DHS
Cyber Risk Assessment for the Emergency Services Sector - DHSCyber Risk Assessment for the Emergency Services Sector - DHS
Cyber Risk Assessment for the Emergency Services Sector - DHSDavid Sweigert
 

More from David Sweigert (20)

The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)
The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)
The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)
 
Law Enforcement Cyber Incident Reporting
Law Enforcement Cyber Incident Reporting Law Enforcement Cyber Incident Reporting
Law Enforcement Cyber Incident Reporting
 
Sample Network Analysis Report based on Wireshark Analysis
Sample Network Analysis Report based on Wireshark AnalysisSample Network Analysis Report based on Wireshark Analysis
Sample Network Analysis Report based on Wireshark Analysis
 
National Cyber Security Awareness Month poster
National Cyber Security Awareness Month posterNational Cyber Security Awareness Month poster
National Cyber Security Awareness Month poster
 
Department of Defense standard 8570 - CompTia Advanced Security Practitioner
Department of Defense standard 8570 - CompTia Advanced Security Practitioner Department of Defense standard 8570 - CompTia Advanced Security Practitioner
Department of Defense standard 8570 - CompTia Advanced Security Practitioner
 
National Cyber Security Awareness Month - October 2017
National Cyber Security Awareness Month - October 2017National Cyber Security Awareness Month - October 2017
National Cyber Security Awareness Month - October 2017
 
California Attorney General Notification Penal Code 646.9
California Attorney General Notification Penal Code 646.9California Attorney General Notification Penal Code 646.9
California Attorney General Notification Penal Code 646.9
 
Congressional support of Ethical Hacking and Cyber Security
Congressional support of Ethical Hacking and Cyber SecurityCongressional support of Ethical Hacking and Cyber Security
Congressional support of Ethical Hacking and Cyber Security
 
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
 
Application of Racketeering Law to Suppress CrowdStalking Threats
Application of Racketeering Law to Suppress CrowdStalking ThreatsApplication of Racketeering Law to Suppress CrowdStalking Threats
Application of Racketeering Law to Suppress CrowdStalking Threats
 
Canada Communications Security Establishment - Threat Vector Chart
Canada Communications Security Establishment - Threat Vector ChartCanada Communications Security Establishment - Threat Vector Chart
Canada Communications Security Establishment - Threat Vector Chart
 
Port of Charleston evacuation case study: The cognitive threat of conspiracy ...
Port of Charleston evacuation case study: The cognitive threat of conspiracy ...Port of Charleston evacuation case study: The cognitive threat of conspiracy ...
Port of Charleston evacuation case study: The cognitive threat of conspiracy ...
 
Cyber Incident Response Team NIMS Public Comment
Cyber Incident Response Team NIMS Public CommentCyber Incident Response Team NIMS Public Comment
Cyber Incident Response Team NIMS Public Comment
 
Cyber Incident Response Team - NIMS - Public Comment
Cyber Incident Response Team - NIMS - Public CommentCyber Incident Response Team - NIMS - Public Comment
Cyber Incident Response Team - NIMS - Public Comment
 
National Incident Management System (NIMS) NQS DRAFT
National Incident Management System (NIMS) NQS DRAFTNational Incident Management System (NIMS) NQS DRAFT
National Incident Management System (NIMS) NQS DRAFT
 
National Incident Management System - NQS Public Feedback
National Incident Management System - NQS Public FeedbackNational Incident Management System - NQS Public Feedback
National Incident Management System - NQS Public Feedback
 
Nursing meets Hacking -- Medical Computer Emergency Response Teams -- MedCERT
Nursing meets Hacking -- Medical Computer Emergency Response Teams -- MedCERTNursing meets Hacking -- Medical Computer Emergency Response Teams -- MedCERT
Nursing meets Hacking -- Medical Computer Emergency Response Teams -- MedCERT
 
National Preparedness Goals 2015 2nd edition
National Preparedness Goals 2015 2nd editionNational Preparedness Goals 2015 2nd edition
National Preparedness Goals 2015 2nd edition
 
Healthcare Sector-wide Disaster Prepardness Plan
Healthcare Sector-wide Disaster Prepardness PlanHealthcare Sector-wide Disaster Prepardness Plan
Healthcare Sector-wide Disaster Prepardness Plan
 
Cyber Risk Assessment for the Emergency Services Sector - DHS
Cyber Risk Assessment for the Emergency Services Sector - DHSCyber Risk Assessment for the Emergency Services Sector - DHS
Cyber Risk Assessment for the Emergency Services Sector - DHS
 

Recently uploaded

A Short-ppt on new gst laws in india.pptx
A Short-ppt on new gst laws in india.pptxA Short-ppt on new gst laws in india.pptx
A Short-ppt on new gst laws in india.pptxPKrishna18
 
一比一原版旧金山州立大学毕业证学位证书
一比一原版旧金山州立大学毕业证学位证书 一比一原版旧金山州立大学毕业证学位证书
一比一原版旧金山州立大学毕业证学位证书SS A
 
如何办理(UoM毕业证书)曼彻斯特大学毕业证学位证书
如何办理(UoM毕业证书)曼彻斯特大学毕业证学位证书如何办理(UoM毕业证书)曼彻斯特大学毕业证学位证书
如何办理(UoM毕业证书)曼彻斯特大学毕业证学位证书srst S
 
Transferable and Non-Transferable Property.pptx
Transferable and Non-Transferable Property.pptxTransferable and Non-Transferable Property.pptx
Transferable and Non-Transferable Property.pptx2020000445musaib
 
如何办理佛蒙特大学毕业证学位证书
如何办理佛蒙特大学毕业证学位证书 如何办理佛蒙特大学毕业证学位证书
如何办理佛蒙特大学毕业证学位证书Fir sss
 
Model Call Girl in Haqiqat Nagar Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Haqiqat Nagar Delhi reach out to us at 🔝8264348440🔝Model Call Girl in Haqiqat Nagar Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Haqiqat Nagar Delhi reach out to us at 🔝8264348440🔝soniya singh
 
如何办理伦敦南岸大学毕业证(本硕)LSBU学位证书
如何办理伦敦南岸大学毕业证(本硕)LSBU学位证书如何办理伦敦南岸大学毕业证(本硕)LSBU学位证书
如何办理伦敦南岸大学毕业证(本硕)LSBU学位证书FS LS
 
如何办理密德萨斯大学毕业证(本硕)Middlesex学位证书
如何办理密德萨斯大学毕业证(本硕)Middlesex学位证书如何办理密德萨斯大学毕业证(本硕)Middlesex学位证书
如何办理密德萨斯大学毕业证(本硕)Middlesex学位证书FS LS
 
THE FACTORIES ACT,1948 (2).pptx labour
THE FACTORIES ACT,1948 (2).pptx labourTHE FACTORIES ACT,1948 (2).pptx labour
THE FACTORIES ACT,1948 (2).pptx labourBhavikaGholap1
 
The Active Management Value Ratio: The New Science of Benchmarking Investment...
The Active Management Value Ratio: The New Science of Benchmarking Investment...The Active Management Value Ratio: The New Science of Benchmarking Investment...
The Active Management Value Ratio: The New Science of Benchmarking Investment...James Watkins, III JD CFP®
 
Why Every Business Should Invest in a Social Media Fraud Analyst.pdf
Why Every Business Should Invest in a Social Media Fraud Analyst.pdfWhy Every Business Should Invest in a Social Media Fraud Analyst.pdf
Why Every Business Should Invest in a Social Media Fraud Analyst.pdfMilind Agarwal
 
如何办理新加坡南洋理工大学毕业证(本硕)NTU学位证书
如何办理新加坡南洋理工大学毕业证(本硕)NTU学位证书如何办理新加坡南洋理工大学毕业证(本硕)NTU学位证书
如何办理新加坡南洋理工大学毕业证(本硕)NTU学位证书Fir L
 
Arbitration, mediation and conciliation in India
Arbitration, mediation and conciliation in IndiaArbitration, mediation and conciliation in India
Arbitration, mediation and conciliation in IndiaNafiaNazim
 
如何办理威斯康星大学密尔沃基分校毕业证学位证书
如何办理威斯康星大学密尔沃基分校毕业证学位证书 如何办理威斯康星大学密尔沃基分校毕业证学位证书
如何办理威斯康星大学密尔沃基分校毕业证学位证书Fir sss
 
一比一原版牛津布鲁克斯大学毕业证学位证书
一比一原版牛津布鲁克斯大学毕业证学位证书一比一原版牛津布鲁克斯大学毕业证学位证书
一比一原版牛津布鲁克斯大学毕业证学位证书E LSS
 
Understanding Social Media Bullying: Legal Implications and Challenges
Understanding Social Media Bullying: Legal Implications and ChallengesUnderstanding Social Media Bullying: Legal Implications and Challenges
Understanding Social Media Bullying: Legal Implications and ChallengesFinlaw Associates
 
如何办理(SFSta文凭证书)美国旧金山州立大学毕业证学位证书
如何办理(SFSta文凭证书)美国旧金山州立大学毕业证学位证书如何办理(SFSta文凭证书)美国旧金山州立大学毕业证学位证书
如何办理(SFSta文凭证书)美国旧金山州立大学毕业证学位证书Fs Las
 

Recently uploaded (20)

A Short-ppt on new gst laws in india.pptx
A Short-ppt on new gst laws in india.pptxA Short-ppt on new gst laws in india.pptx
A Short-ppt on new gst laws in india.pptx
 
Sensual Moments: +91 9999965857 Independent Call Girls Vasundhara Delhi {{ Mo...
Sensual Moments: +91 9999965857 Independent Call Girls Vasundhara Delhi {{ Mo...Sensual Moments: +91 9999965857 Independent Call Girls Vasundhara Delhi {{ Mo...
Sensual Moments: +91 9999965857 Independent Call Girls Vasundhara Delhi {{ Mo...
 
Vip Call Girls Greater Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Greater Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Greater Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Greater Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
一比一原版旧金山州立大学毕业证学位证书
一比一原版旧金山州立大学毕业证学位证书 一比一原版旧金山州立大学毕业证学位证书
一比一原版旧金山州立大学毕业证学位证书
 
如何办理(UoM毕业证书)曼彻斯特大学毕业证学位证书
如何办理(UoM毕业证书)曼彻斯特大学毕业证学位证书如何办理(UoM毕业证书)曼彻斯特大学毕业证学位证书
如何办理(UoM毕业证书)曼彻斯特大学毕业证学位证书
 
Transferable and Non-Transferable Property.pptx
Transferable and Non-Transferable Property.pptxTransferable and Non-Transferable Property.pptx
Transferable and Non-Transferable Property.pptx
 
如何办理佛蒙特大学毕业证学位证书
如何办理佛蒙特大学毕业证学位证书 如何办理佛蒙特大学毕业证学位证书
如何办理佛蒙特大学毕业证学位证书
 
Model Call Girl in Haqiqat Nagar Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Haqiqat Nagar Delhi reach out to us at 🔝8264348440🔝Model Call Girl in Haqiqat Nagar Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Haqiqat Nagar Delhi reach out to us at 🔝8264348440🔝
 
如何办理伦敦南岸大学毕业证(本硕)LSBU学位证书
如何办理伦敦南岸大学毕业证(本硕)LSBU学位证书如何办理伦敦南岸大学毕业证(本硕)LSBU学位证书
如何办理伦敦南岸大学毕业证(本硕)LSBU学位证书
 
如何办理密德萨斯大学毕业证(本硕)Middlesex学位证书
如何办理密德萨斯大学毕业证(本硕)Middlesex学位证书如何办理密德萨斯大学毕业证(本硕)Middlesex学位证书
如何办理密德萨斯大学毕业证(本硕)Middlesex学位证书
 
THE FACTORIES ACT,1948 (2).pptx labour
THE FACTORIES ACT,1948 (2).pptx labourTHE FACTORIES ACT,1948 (2).pptx labour
THE FACTORIES ACT,1948 (2).pptx labour
 
The Active Management Value Ratio: The New Science of Benchmarking Investment...
The Active Management Value Ratio: The New Science of Benchmarking Investment...The Active Management Value Ratio: The New Science of Benchmarking Investment...
The Active Management Value Ratio: The New Science of Benchmarking Investment...
 
Why Every Business Should Invest in a Social Media Fraud Analyst.pdf
Why Every Business Should Invest in a Social Media Fraud Analyst.pdfWhy Every Business Should Invest in a Social Media Fraud Analyst.pdf
Why Every Business Should Invest in a Social Media Fraud Analyst.pdf
 
如何办理新加坡南洋理工大学毕业证(本硕)NTU学位证书
如何办理新加坡南洋理工大学毕业证(本硕)NTU学位证书如何办理新加坡南洋理工大学毕业证(本硕)NTU学位证书
如何办理新加坡南洋理工大学毕业证(本硕)NTU学位证书
 
Russian Call Girls Rohini Sector 6 💓 Delhi 9999965857 @Sabina Modi VVIP MODEL...
Russian Call Girls Rohini Sector 6 💓 Delhi 9999965857 @Sabina Modi VVIP MODEL...Russian Call Girls Rohini Sector 6 💓 Delhi 9999965857 @Sabina Modi VVIP MODEL...
Russian Call Girls Rohini Sector 6 💓 Delhi 9999965857 @Sabina Modi VVIP MODEL...
 
Arbitration, mediation and conciliation in India
Arbitration, mediation and conciliation in IndiaArbitration, mediation and conciliation in India
Arbitration, mediation and conciliation in India
 
如何办理威斯康星大学密尔沃基分校毕业证学位证书
如何办理威斯康星大学密尔沃基分校毕业证学位证书 如何办理威斯康星大学密尔沃基分校毕业证学位证书
如何办理威斯康星大学密尔沃基分校毕业证学位证书
 
一比一原版牛津布鲁克斯大学毕业证学位证书
一比一原版牛津布鲁克斯大学毕业证学位证书一比一原版牛津布鲁克斯大学毕业证学位证书
一比一原版牛津布鲁克斯大学毕业证学位证书
 
Understanding Social Media Bullying: Legal Implications and Challenges
Understanding Social Media Bullying: Legal Implications and ChallengesUnderstanding Social Media Bullying: Legal Implications and Challenges
Understanding Social Media Bullying: Legal Implications and Challenges
 
如何办理(SFSta文凭证书)美国旧金山州立大学毕业证学位证书
如何办理(SFSta文凭证书)美国旧金山州立大学毕业证学位证书如何办理(SFSta文凭证书)美国旧金山州立大学毕业证学位证书
如何办理(SFSta文凭证书)美国旧金山州立大学毕业证学位证书
 

FBI takedown of Gameover Zeus (GOZ) Botnet --- Original complaint

  • 1. IN THE UNITED STATES DISTRICT COURT THE WESTERN DISTRICT OF UNITED STATES OF AMERICA ) Plaintiff, ) Civil Action No. v. ) FILED EX PARTE ) AND UNDER SEAL MIKHAILOVICH BOGACHEV ) a/k/a a/k/a "Pollingsoon" ) Lermontova Str. ) Anapa, Russian Federation ) "TEMP SPECIAL" ) "DED" ) 911" ) "MR. KYKYPYKY" ) Defendants. ) COMPLAINT Plaintiff, the United States of America, by and through its undersigned counsel, alleges the following: 1. This is a civil action brought under Title United States Code, Sections 1345 and and Federal Rule of Civil Procedure 65, to enjoin the Defendants from continuing to engage in wire fraud, bank fraud, and unauthorized interception of electronic communications in violation of Title 18, United States Code, Sections 1343, 1344, and by means of malicious computer software ("malware") known as Gameover Zeus ("GOZ") and 2. GOZ is malware that steals banking and other online credentials from infected computers and enlists those computers into a "botnet" - a network of other infected computers controlled by the Defendants. Individual infected computers, or "bots," are controlled remotely
  • 2. through a decentralized command and control ("C&C") system in which (a) ordinary infected computers, or "peers," remain in contact with each other; (b) specially selected peers called "proxy nodes" transmit commands and other information from the Defendants to the peers; and (c) a Domain Generation Algorithm ("DGA") is used to generate a large number of Internet domain names with which the infected computers communicate at least once a week. Cryptolocker is a form of malware known as "ransomware," which infects computers, encrypts key files, and then demands a ransom of hundreds of dollars in order to return the encrypted files to a readable state. GOZ is one of the primary vehicles for infecting victim computers with Cryptolocker. 4. Together, GOZ and Cryptolocker have infected hundreds of thousands of computers around the world and have generated losses that exceed million. Parties 5. Plaintiff is the United States of America. 6. Defendant Evgeniy Mikhailovich Bogachev is citizen of Russia residing at Lermontova Str. Anapa, Russian Federation. Bogachev is a leader of the criminal enterprise responsible for GOZ and Cryptolocker. 7. Defendants "Temp Special," "Ded," "Chingiz "Chingiz" and kykyprky" are individuals, believed to be located in either Russia or Ukraine, who assist in the administration of the GOZ botnet. 2
  • 3. Jurisdiction and Venue 8. Subject matter jurisdiction lies pursuant to Title 18, United States Code, Sections 1345(a)(1) and 2521 and Title 28, United States Code, Sections and 1345. 9. • Defendants are subject to the personal jurisdiction of this Court, having infected computers, used infected computers in furtherance of their scheme to defraud, initiated fraudulent money transfers, and engaged in unauthorized wiretapping, all within the Western District of Pennsylvania. 10. Venue is proper in this District pursuant to 28 § 1391(b)(2). The GOZ Scheme to Defraud and Unauthorized Interception A botnet is a collection of compromised computers that are controlled, without the knowledge of the victims, by an unauthorized third party. A botnet can be used for many criminal including sending spam, stealing data, and committing financial fraud. The GOZ botnet has been used for, among other purposes, the commission of fraudulent financial activity. The principal purpose of GOZ is to capture banking credentials from infected computers. One means by which GOZ accomplishes this is through attacks, in which GOZ intercepts sensitive information victims transmit from their computers. To increase the effectiveness of such attacks, the Defendants use GOZ to inject additional code into victims' web browsers that changes the appearance of the websites victims are viewing. For example, if a GOZ-infected user were to visit a banking website that typically requests only a username and password, the defendants could seamlessly inject additional form fields into website displayed in the user's web browser that also request the user's social security number, credit card numbers, and other sensitive information. Because these additional 3
  • 4. fields appear to be part of the legitimate website users elected to visit, users are often defrauded into supplying the requested information, which is promptly intercepted by GOZ and transmitted to the defendants. The Defendants use the intercepted credentials for fraudulent purposes, such as initiating or re-directing wire transfers from victims' accounts to accounts controlled by the GOZ organization overseas. Victims of the GOZ scheme to defraud and unauthorized interception include, among others: a. A composite materials company in the Western District of Pennsylvania, which lost more than after an unauthorized wire transfer was initiated its bank account using credentials stolen by the Defendants through the use of GOZ; b. An Indian tribe in Washington which lost more than $277,000 after an unauthorized wire transfer was initiated from its bank account using credentials stolen by the Defendants through the use of GOZ; c. A corporation operating assisted living facilities in Eastern Pennsylvania, which lost more than after an unauthorized wire transfer was initiated from its bank account using credentials stolen by the Defendants through the use of GOZ; d. A regional bank in Northern Florida, which lost nearly seven million dollars after an unauthorized wire transfer was initiated from its bank account using credentials stolen by the Defendants through the use of GOZ. Since GOZ first emerged in September total losses attributable to GOZ exceed million. 4
  • 5. The Cryptolocker Scheme to Defraud Cryptolocker is a malicious program designed to extract ransom payments from victims. After infecting a computer, Cryptolocker encrypts files on the infected computer's hard drive. Once the victim's files have been encrypted, Cryptolocker displays a notice on the victim's computer that demands payment of a ransom in exchange for the key that can decrypt the victim's files. The ransom varies in amount, but can reach up to $750 or more. Victims who refuse to pay the ransom face significant data loss, since the encryption algorithm used by the defendants is effectively unbreakable. Cryptolocker first emerged in mid-to-late and has infected more than computers in the ensuing months, including more than victims in the United States. 20. GOZ includes code that permits the defendants to install additional malicious software onto computers infected with GOZ. The defendants and their co-conspirators have used this capability to install Cryptolocker onto numerous computers within the GOZ botnet. Cryptolocker is thus a second prong of the GOZ scheme to defraud. The Defendants also defraud victims of Cryptolocker by falsely informing them that (1) the private key needed to unlock their computers will be destroyed in 72 hours if they fail to pay the Cryptolocker ransom, and (2) that any attempt to remove Cryptolocker from the computer will result in the destruction of the private key. 22. The victims of Cryptolocker fraud scheme described above include: a. An insurance company in Pittsburgh, Pennsylvania had critical business files encrypted by Cryptolocker. The company was able to repair the damage by using backup files, but was forced to send employees home while the repair work was completed. The company estimates its total loss at $70,000.
  • 6. b. A restaurant operator in Florida had over files encrypted by Cryptolocker, including the contents of the company's team training, franchise, and recipe folders. The company estimates that remediating the Cryptolocker infection has cost the company $30,000. c. A local police department in Massachusetts had its main file server, including administrative documents, investigative materials, and digital photo mug shots, encrypted by Cryptolocker. To recover these critical fdes, the SPD was forced to pay the $750 ransom demanded by Cryptolocker. d. pest control company in North Carolina had its most critical fdes, including its customer database and schedule of appointments, as well as its backup server, encrypted by Cryptolocker. The company estimates that the Cryptolocker infection has cost the company approximately $80,000 to date. (Injunctive Relief under 18 § 1345) 23. The United States of America alleges and incorporates by reference the preceding paragraphs of this Complaint as if fully set forth herein. 24. The Defendants are engaging in wire fraud, in violation of Title United States Code, Section 1343, in that the defendants, having devised a scheme or artifice to'defraud and for obtaining money by means of false or fraudulent pretenses, are transmitting and causing to be transmitted, by means of wire communication in interstate and foreign commerce, writings, signs, and signals for the purpose of executing such scheme or artifice. 25. Pursuant to Title United States Code, Section and (b), the United States of America requests the issuance of a temporary restraining order, preliminary injunction, and permanent injunction against the Defendants and their agents in order to prevent a continuing and substantial injury to the owners and legitimate users of the infected computers in the GOZ botnet and of computers infected with Cryptolocker. 6
  • 7. COUNT II (Injunctive Relief under 18 U.S.C. § 1345) 26. The United States of America alleges and incorporates by reference the preceding paragraphs of this Complaint as if fully set forth herein. 27. The Defendants are engaging in bank fraud, in violation of Title United States Code, Section in that the Defendants are knowingly executing a scheme or artifice to defraud financial institutions insured by the Federal Deposit Insurance Corporation and to obtain moneys the custody and control of these institutions by means of false and fraudulent pretenses and representations. 28. Pursuant to Title 18, United States Code, Section 1345(a) and (b), the United States of America requests the issuance of a temporary restraining order, preliminary injunction, and permanent injunction against the Defendants and their agents in order to prevent a continuing and substantial injury to the owners and legitimate users of the infected computers in the GOZ botnet. COUNT III (Injunctive Relief under 18 U.S.C. § 2521) 29. The United States of America alleges and incorporates by reference the preceding paragraphs of this Complaint as if fully set forth herein. The Defendants are engaging in the unauthorized interception of electronic communications, in violation of Title United States Code, Section in that the defendants are intentionally intercepting electronic communications, and are intentionally using and endeavoring to use the contents of electronic communications knowing that the information is obtained through the unauthorized interception of electronic communications. 7
  • 8. Pursuant to Title United States Code, Section the United States of America requests the issuance of a temporary restraining order, preliminary injunction, and permanent injunction against the defendants and their agents in order to prevent a continuing and substantial injury to the owners and legitimate users of the infected computers in the GOZ botnet. PRAYER FOR RELIEF WHEREFORE, the United States of America prays that the Court: A. Enter judgment in favor of the Government and against the Defendants; B. Pursuant to Title 18, United States Code, Sections 1345(b) and 2521, enter a preliminary injunction and and permanent injunction against the Defendants and their agents, servants, employees, and all persons and entities in active concert or participation with them from engaging in any of the activity complained of herein or from causing any of the injury complained of herein and from assisting, aiding or abetting any other person or business entity from engaging in or performing any of the activity complained of herein or from causing any of the injury complained of herein; C. Pursuant to Title 18, United States Code, Sections 1345(b) and 2521, enter a preliminary injunction and permanent injunction authorizing the Government to continue the malware disruption plan specified in the Memorandum of Law in Support of Motion for Temporary Restraining Order, Order to Show Cause, and Other Ancillary Relief for a period of six months, and requiring the entities specified in the Temporary Restraining Order to continue take the actions specified in the Temporary Restraining Order for a period of six months. 8
  • 9. D. Order such other relief that the Court deems and proper. Dated: 2014 Respectfully submitted, DAVID J. HICKTON LESLIE R. CALDWELL United States Attorney Assistant Attorney General By: /s/ Michael A. Comber MICHAEL COMBER Assistant U.S. Attorney Western District of PA U.S. Post Office & Courthouse 700 Grant Street, Suite 4000 Pittsburgh, PA (412) 894-7485 Phone 644-6995 Fax No. 81951 /s/ Ethan ETHAN ARENSON DAVID AARON Trial Attorneys Computer Crime and Intellectual Property Section 1301 New York Avenue, NW Washington, DC 20530 (202)514-1026 Phone (202) 514-6113 Fax DC No. 473296 (Arenson) No. 3949955 (Aaron) Ethan. David. gov 9