In a secret 72-hour blitz over the weekend, the FBI, several foreign governments and a host of security firms dismantled what officials say is the most sophisticated operation ever to commandeer private computers and siphon tens of millions of dollars from American bank accounts.
The operation’s alleged Russian ringleader has been indicted on charges of hacking, conspiracy and bank fraud, Justice Department officials said Monday.
Evgeniy Bogachev, 30, who also goes by the handle “lucky12345,” was the mastermind behind a “botnet,” or network of secretly infected computers whose owners were unaware their machines had been hijacked, officials said.
He also ran a “ransomware” scheme, in which he encrypted victims’ computer files and refused to unlock them until receiving payment, officials said.
Deputy Attorney General James M. Cole called the botnet, dubbed GameOver Zeus, “the most sophisticated and damaging . . . we have ever encountered.” Between 500,000 and 1 million computers worldwide were infected, and the losses exceeded $100 million to U.S. victims alone, he said.
Cole said officials had “some sense” of Bogachev’s location, but declined to elaborate. “Our goal right now is to find him and bring him into custody,” he said.
The unsealing of the indictment against Bogachev comes two weeks after Justice Department officials announced they had charged five Chinese military officials with hacking into U.S. companies’ computer systems and stealing intellectual property.
Beginning in 2011, Bogachev allegedly used “spearphishing” e-mails to infect computers with malware. When computer users clicked on links or attachments, the malicious code would burrow into their machines. That code let Bogachev and others in his ring watch from Russia as the malware “intercepted the bank account numbers and passwords that unwitting victims typed into computers” in the United States, said Leslie R. Caldwell, assistant attorney general for the Justice Department’s Criminal Division.
In a novel twist, officials said, Bogachev used the botnet to deliver another form of malicious software called Cryptolocker, which encrypted victims’ computer files. It then placed a message on their screens informing them that they could unlock their files only after paying a ransom, which ranged up to $700, officials said.
In the first two months of operation, Cole said, the Russian ring collected over $27 million in ransom payments. The ransoms often would be paid using the virtual currency known as Bitcoin.
The botnet takedown involved federal prosecutors, FBI agents, foreign law enforcement officials in more than 10 countries and at least a dozen commercial security firms that provided technical assistance.
“This is the largest fusion of law enforcement and industry partner cooperation ever undertaken in support of an FBI cyber operation,” said Robert Anderson Jr., the FBI’s executive assistant director of the Criminal, Cyber, Response, and Services Branch.
The groundwork for the operation involved coordination with Ukrainian authorities, who seized key servers in Kiev and Donetsk that were used by the hackers. On May 19, prosecutors brought sealed charges against Bogachev in Pittsburgh, the headquarters of the Western District of Pennsylvania, where some of the victims were located.
Last week, officials obtained civil court orders permitting them to reroute communications from the infected computers to a server set up by U.S. officials with court approval. At the same time, Caldwell said, foreign law enforcement partners seized other critical computer servers used to operate Cryptolocker, preventing the hackers from encrypting other targets’ files.
Beginning early Friday morning, authorities around the world began the coordinated seizure of the servers that formed the backbone of the botnet and Cryptolocker, Caldwell said. The seizures took place in Canada, France, Germany, Luxembourg, the Netherlands, Ukraine and Britain.
Over the weekend, more than 300,000 computers were freed from the botnet, and the botnet itself was “effectively dismantled,” she said.
David J. Hickton, U.S. attorney for the Western District of Pennsylvania, said the investigation is still open and suggested more charges could be pending. “It is obvious that Bogachev did not act alone,” he said.
Though the United States has no extradition treaty with Russia, other Russian hackers have been convicted in the United States after being extradited by other countries.
“Bogachev is now the subject of an international manhunt,” said Steven Chabinsky, formerly the FBI’s top cyber lawyer and now an executive at CrowdStrike, one of the firms that took part in the takedown. “If any of our allies catch him, he could be extradited to the United States. In any case, it’s unlikely that he is working on building a new botnet at this moment.”