DOJ Charges 14 Members of QQAAZZ in International Cybercrime Conspiracy
The latest international law enforcement takedown involves a money laundering ring responsible for doing the dirty work of cybercriminals.
Members of a massive cybercriminal money laundering network, QQAAZZ, were charged late last week; the U.S. Department of Justice said the group helped facilitate an international operation that’s aided hackers since 2016.
Fourteen members of the group were charged by a federal grand jury in Pennsylvania in an indictment last Thursday. According to officials working for the U.S. Department of Justice’s Criminal Division and the Western District of Pennsylvania, the group laundered tens of millions of dollars stolen through cybercrimes involving malware campaigns like Dridex, Trickbot, and GozNym, to name a few.
The crackdown was a worldwide effort; in addition to the FBI's Pittsburgh office and the non-profit National Cyber-Forensics and Training Alliance (NCFTA), Europol’s European Cybercrime Centre, along with partners in Spain, the United Kingdom, Latvia, Bulgaria, Georgia, Italy, Switzerland, Poland, the Czech Republic, Australia, Sweden, Austria, Germany and Belgium, all helped.
As Europol points out, Portugal’s Judicial Police (Polícia Judiciária) was also integral to the takedown, something Europol dubbed Operation 2BaGoldMule.
Members of the group worked in tandem with cybercriminals to open and maintain hundreds of bank accounts, both corporate and personal, in order to receive money from cybercrime victims. That money was then transferred to other bank accounts and converted to cryptocurrency using "tumbling" services. Cryptocurrency tumblers, or mixing services, are often used to mix up cryptocurrency funds, usually illicit or tainted, with others, making it even more difficult to trace where the money came from.
The individuals also used stolen and phony documents from Polish and Bulgarian nationals to open shell companies to further the scheme through corporate bank accounts, which helped generate additional bank accounts to receive stolen funds.
On Russian-speaking online cybercriminal forums, QQAAZZ billed itself as a "global, complicit bank drops service" for those who needed its services.
While there weren’t any dollar figures disclosed in releases via the DOJ or Europol aside from “tens of millions of dollars,” it sounds like the criminal network was a profitable one; after taking up to 50 percent of the money, QQAAZZ returned the balance of the stolen funds to its cybercriminal clientele.
The group was aided by what the DOJ called an "extensive Bitcoin mining operation" in Bulgaria, which was also seized.
The bulk of those charged resided in Eastern Europe, chiefly Latvia, Georgia, and Bulgaria.
The DOJ usually declines to name victims and that’s the case for those impacted by this takedown. It did specify that the following companies and individuals had funds stolen or were the targets of attempted thefts:
- a technology company in Windsor, Connecticut;
- a Jewish Orthodox Synagogue in Brooklyn, New York;
- a medical device manufacturer in York, Pennsylvania;
- an individual in Montclair, New Jersey;
- an architecture firm in Miami, Florida;
- an individual in Acworth, Georgia;
- an automotive parts manufacturer in Livonia, Michigan;
- a homebuilder in Skokie, Illinois;
- an individual in Carrollton, Texas; and
- an individual in Villa Park, California.
The 14 defendants are just the latest to be charged in the conspiracy; authorities charged six others over the last year with similar counts.
While malware like the banking trojans named in the release have faded from glory - Dridex hasn't been around since 2015, GozNym was dismantled last year, and Trickbot was disrupted last week - it's interesting from a historical standpoint to see what the groups used to facilitate their theft of millions.