FBI: Crime Ring Stole $70 Million Using Computer Virus

Zeus Trojan malware steals bank account passwords; 37 charged in New York.

ByABC News
July 16, 2010, 12:20 PM

Oct. 1, 2010 — -- An Eastern European cybercrime ring stole $70 million from US banks, the FBI announced today. In additions to the dozens of individuals charged in the U.S. and Britain Thursday, the FBI also said that five individuals in Ukraine had been detained today on suspicion of creating the computer virus used in the scam.

Dozens of people in the U.S and Britain were charged Thursday in a worldwide cyberscam that used the powerful Zeus Trojan virus to crack open bank accounts and divert millions of dollars to Eastern Europe. Authorities said at the time that the ring was accused of stealing $12.5 million from accounts in both countries, but also said the global total was likely to rise as the year-long investigation continued.

The US Attorney for the Southern District of New York and the Manhattan D.A. charged 37 people Thursday, most of them Russian nationals, with stealing more than $3 million from small business and government accounts in the U.S. Another 19 suspects were arrested in London, and 11 were charged in the theft of $9.5 million from British banks.

While 20 of the New York suspects are in custody, another 17 remain at large.

"This advanced cybercrime ring is a disturbing example of organized crime in the 21st century – high tech and widespread," said Manhattan District Attorney Cy Vance Jr. "The far-reaching results of this investigation to date represent what people deserve: successful cooperation between city, state, federal and foreign law enforcement officials."

"As today's arrests show," said US Attorney Preet Bharara, "the modern, high-tech bank heist does not require a gun, a mask, a note, or a getaway car. It requires only the Internet and ingenuity."

The Zeus malware, which has traditionally targeted PCs but has now been updated to attack cell phones as well, is designed to steal bank account log-on credentials. It either lures the victim to click on a link in an e-mail or steers the victim to a web site hosting the malware, and then records keystrokes when the victim logs into various private accounts.

The five individuals detained today in Ukraine are suspected of creating and selling the virus that was used in the bank thefts.

The investigation that led to the worldwide arrests originated in May 2009, when a compnay in Omaha, Nebraska that handles bank transactions noticed unusual money movements to 46 different banks.

The virus allegedly used by the crime ring targeted accounts where large withdrawals were not unusual. According to the FBI, the crime ring sent emails to individuals with titles such as treasurer or chief financial officer. To avoid electronically shifting those funds directly to Russia, so-called "money mules" opened accounts to receive the funds. According to state and federal authorities, the mules had often entered the US under student visas, and then were provided with passports under fake names to open the accounts.

"Once these false-name accounts were successfully opened," said a statement from the US Attorney's office, "and received the stolen funds from the accounts compromised by the malware attacks, the 'mules' were instructed to transfer the proceeds to other accounts, most of which were overseas, or to withdraw the proceeds and transport them overseas as smuggled bulk cash."

Though at least two-thirds of the alleged "mules," managers and recruiters charged in New York were Russian, at least seven were Moldovan. The 37 face federal charges that include money laundering, forgery, conspiracy to commit bank fraud, conspiracy to use false identification and use of false passports.

The FBI said that it had enjoyed unprecedented cooperation with Ukrainian law enforcement, joining forces with the Ukrainian Security Service on a cyber crime task force. "During this investigation," said FBI assistant director Gordon Snow, "the FBI worked closely with our overseas counterparts to identify subjects who were instrumental in the development and control of the malicious software, those who facilitated the use of malware, and those who saw a means to make quick, easy money—the mules."

Spread by phishing schemes and drive-by downloads, the Zeus Trojan virus has been around since at least 2007, and is consistently described as very difficult to detect even by sophisticated anti-virus software. As a result, millions of computers are believed to be infected.

CLICK HERE to follow the ABC News Investigative Team's coverage on Twitter.

Recently, internet security experts have said that a new version of the malware appears to be targeting mobile phones -- intercepting SMS confirmations sent by banks to customers and defeating the fund transfer authentication codes.

CLICK HERE to follow ABC News Chief Investigative Correspondent Brian Ross on Twitter.

Click Here for the Blotter Homepage.

The five individuals detained today in Ukraine are suspected of creating and selling the virus that was used in the bank thefts.

The investigation that led to the worldwide arrests originated in May 2009, when a compnay in Omaha, Nebraska that handles bank transactions noticed unusual money movements to 46 different banks.

The virus allegedly used by the crime ring targeted accounts where large withdrawals were not unusual. According to the FBI, the crime ring sent emails to individuals with titles such as treasurer or chief financial officer. To avoid electronically shifting those funds directly to Russia, so-called \"money mules\" opened accounts to receive the funds. According to state and federal authorities, the mules had often entered the US under student visas, and then were provided with passports under fake names to open the accounts.

\"Once these false-name accounts were successfully opened,\" said a statement from the US Attorney's office, \"and received the stolen funds from the accounts compromised by the malware attacks, the 'mules' were instructed to transfer the proceeds to other accounts, most of which were overseas, or to withdraw the proceeds and transport them overseas as smuggled bulk cash.\"

Though at least two-thirds of the alleged \"mules,\" managers and recruiters charged in New York were Russian, at least seven were Moldovan. The 37 face federal charges that include money laundering, forgery, conspiracy to commit bank fraud, conspiracy to use false identification and use of false passports.

The FBI said that it had enjoyed unprecedented cooperation with Ukrainian law enforcement, joining forces with the Ukrainian Security Service on a cyber crime task force. \"During this investigation,\" said FBI assistant director Gordon Snow, \"the FBI worked closely with our overseas counterparts to identify subjects who were instrumental in the development and control of the malicious software, those who facilitated the use of malware, and those who saw a means to make quick, easy money—the mules.\"

Spread by phishing schemes and drive-by downloads, the Zeus Trojan virus has been around since at least 2007, and is consistently described as very difficult to detect even by sophisticated anti-virus software. As a result, millions of computers are believed to be infected.

CLICK HERE to follow the ABC News Investigative Team's coverage on Twitter.

Recently, internet security experts have said that a new version of the malware appears to be targeting mobile phones -- intercepting SMS confirmations sent by banks to customers and defeating the fund transfer authentication codes.

CLICK HERE to follow ABC News Chief Investigative Correspondent Brian Ross on Twitter.

Click Here for the Blotter Homepage.

","publishedDate":"2010-07-16T16:20:36Z","contributors":[{"name":"ABC News","url":"","role":"","logo":"","logoAlt":""}],"modifiedDate":"2010-10-05T17:39:46Z","section":"Blotter","wordCount":760,"relatedTags":{"heading":"Related Topics","tags":[]},"lead":{"ratio":"16x9","disableForMobile":false,"type":"xl","mediaType":"image","alignCaptionToBody":true},"ads":{"Sticky":{"kvps":{"test":true}},"RightRail":{"kvps":{"test":true}},"InlineBox":{},"InlineOutstream":{"disabled":false},"Taboola":{"position":"bottom","pageType":"article","config":{"network":"abcnews-abcnews","mode":"thumbnails-a","container":"taboola-below-article-thumbnails","type":"article","targetType":"mix","placement":"Below Article Thumbnails"}}},"featuredVideo":null,"dateline":"Oct. 1, 2010 —","seo":{},"LivePromotion":{}},"autoUpdate":{"enabled":false,"topics":["general-elections-2020-balance-of-power"]}},"upw":{"balanceOfPower":{"electoral":{"header":"Biden Projected to be President-Elect","candidates":{"democrats":{"id":1036,"displayName":"Joe Biden","shortDisplayName":"J. Biden","firstName":"Joe","lastName":"Biden","party":"democrats","major":true,"incumbent":false,"winner":true,"votes":306},"republicans":{"id":8639,"displayName":"Donald Trump","shortDisplayName":"D. Trump","firstName":"Donald","lastName":"Trump","party":"republicans","major":true,"incumbent":true,"winner":false,"votes":232},"other":{"displayName":"Other","votes":0}},"parties":{"democrats":"democrats","republicans":"republicans"},"type":"electoral","votes":{"democrats":{"available":{},"total":306,"difference":{},"popular":{"displayValue":"81,283,098","value":81283098}},"republicans":{"available":{},"total":232,"difference":{},"popular":{"displayValue":"74,222,958","value":74222958}},"other":{"available":{},"total":0,"popular":{}},"total":538},"needed":{"displayText":"270 to win","displayValue":"270","value":270},"lastUpdated":{"value":"2020-12-18T21:15:13.850Z","displayValue":"December 18, 4:15:13PM ET"},"reporting":"99% of Expected Vote Reporting"},"senate":{"header":"Senate Seat Results","candidates":{"democrats":{"displayName":"Democrats","icon":"party-democrats","votes":46,"winner":false},"republicans":{"displayName":"Republicans","icon":"party-republicans","votes":50,"winner":false},"other":{"displayName":"Other","votes":2}},"parties":{"democrats":"democrats","republicans":"republicans"},"type":"senate","votes":{"democrats":{"available":{"displayText":"12 Democrats up for election","shortDisplayText":"12 Dems. up for election","displayValue":"12","value":12},"total":46,"difference":{"displayText":"Gained 1 seat","displayValue":"1","value":1},"popular":{}},"republicans":{"available":{"displayText":"23 Republicans up for election","shortDisplayText":"23 Reps. up for election","displayValue":"23","value":23},"total":50,"difference":{"displayText":"Lost 1 seat","displayValue":"-1","value":-1},"popular":{}},"other":{"available":{"displayText":"0 Others up for election","shortDisplayText":"0 Others up for election","displayValue":"0","value":0},"total":2,"popular":{}},"total":100},"needed":{"displayText":"51 for control","displayValue":"51","value":51},"lastUpdated":{"value":"2020-12-17T18:22:05.390Z","displayValue":"December 17, 1:22:05PM ET"}},"house":{"header":"House Results: Dems Retain Control","candidates":{"democrats":{"displayName":"Democrats","icon":"party-democrats","votes":222,"winner":true},"republicans":{"displayName":"Republicans","icon":"party-republicans","votes":210,"winner":false},"other":{"displayName":"Other","votes":0}},"parties":{"democrats":"democrats","republicans":"republicans"},"type":"house","votes":{"democrats":{"available":{"displayText":"233 Democrats up for election","shortDisplayText":"233 Dems. up for election","displayValue":"233","value":233},"total":222,"difference":{"displayText":"Lost 10 seats","displayValue":"-10","value":-10},"popular":{}},"republicans":{"available":{"displayText":"201 Republicans up for election","shortDisplayText":"201 Reps. up for election","displayValue":"201","value":201},"total":210,"difference":{"displayText":"Gained 10 seats","displayValue":"10","value":10},"popular":{}},"other":{"available":{"displayText":"1 Others up for election","shortDisplayText":"1 Others up for election","displayValue":"1","value":1},"total":0,"popular":{}},"total":435},"needed":{"displayText":"218 for control","displayValue":"218","value":218},"lastUpdated":{"value":"2020-12-17T18:22:02.900Z","displayValue":"December 17, 1:22:02PM ET"}},"lastUpdated":{"value":"2020-12-18T21:15:13.850Z","displayValue":"December 18, 4:15:13PM ET"},"autoUpdate":{"enabled":false,"topics":["general-elections-2020-balance-of-power"]},"electionsConfig":{}},"types":["electoral","senate","house"]}},"analytics":{"accountID":"wdgnewabcnews,wdgasec,wdgnewabcnweb,wdgnewabcnewsrollup","ns":"abcnews","pageName":"abcn:blotter:story","pageType":"story","pageUrl":"abcnews.go.com/Blotter/fbi-crime-ring-stole-70-million-computer-virus/story?id=11777873&userab=abcn_web_article_ts-218*variant_a-818","globalSpecVersion":"v1.08","siteDifferentiator":"abcn:site","tagID":"apage_news01","userABCookie":"abcn_web_article_ts-218*variant_a-818","alertTag":"none","authors":"ABC News","authorsBureau":"none","authorsUnit":"none","dateline":"Oct. 1, 2010 —","id":"11777873","modDate":"2010-10-05","mediaOnPage":"none","modTime":"13:39","provider":"ABC News","pubDate":"2010-07-16","pubTime":"12:20","section":"Blotter","subBrand":"none","title":"FBI: Crime Ring Stole $70 Million Using Computer Virus","videoId":"none","videoName":"none","wordCount":760},"taboola":{"config":{"network":"abcnews-abcnews","mode":"thumbnails-a","type":"other","targetType":"mix","placement":null,"pageTypeOverrides":{"story":{"mode":"thumbnails-a","type":"article","targetType":"mix","placement":"Below Article Thumbnails"},"home":{"mode":"thumbnails-b","container":"taboola-homepage-thumbnails","type":"home","targetType":"mix","placement":"Homepage Thumbnails"},"section":{"mode":"thumbnails-b","type":"category","targetType":"mix","placement":"Section Front Thumbnails"},"liveBlog":{"mode":"thumbnails-d","type":"other","targetType":"mix","placement":"Blog"}}}}},"request":{"headers":{},"httpVersion":"1.1","method":"GET","url":"/Blotter/fbi-crime-ring-stole-70-million-computer-virus/story?id=11777873&userab=abcn_web_article_ts-218*variant_a-818","vary":{"host":"abcnews.go.com","cached":true,"path":"/Blotter/fbi-crime-ring-stole-70-million-computer-virus/story","forwarded-proto":"https","device":"desktop","country":"us","userab":"abcn_web_article_ts-218*variant_a-818","region":"gdpr"}},"viewport":{"width":1260,"height":0},"user":{}};