
Case Study: ZeuS & Money Mule Ring
Source: http://krebsonsecurity.com/2010/09/11-charged-in-zeus-money-mule-ring
And http://krebsonsecurity.com/2011/10/zeus-trojan-gang-faces-justice/
This story relates to the activities of a criminal gang who were convicted of laundering
millions of dollars utilizing the ZeuS banking Trojan. The following extract has been lifted
from the website krebsonsecurity.com. The case study demonstrates the nature of
organized criminal gangs and their capacity to undertake thefts of enormous value.
As krebsonsecurity.com explains:
“ZeuS is a commercial crimeware kit sold for a few thousand dollars per copy in
underground online forums. It is primarily designed to steal sensitive financial data stored
on victim computers or transmitted through victim Web browsers. ZeuS’s most advanced
features allow criminals to inject content into a bank’s Web page as it is displayed in the
victim’s browser in real time, take screen shots from infected PCs, and quietly redirect
victims from banking Web sites to counterfeit versions set up by the attackers. ZeuS is set
up so that stolen data is sent to a “drop server” controlled by the attacker, and it allows
miscreants to control the infected systems remotely.
Currently, there are at least 160 unique ZeuS control networks online worldwide, according
to Zeus Tracker, a site that keeps tabs on the number and geographic distribution of unique
ZeuS botnets.
Andy Fried, owner of Deteque, a computer security consultancy in Alexandria, Va., has been
tracking ZeuS related activity and spam for many months. Fried said that while rounding up
those who are buying and deploying ZeuS botnets is important, going after the money mule
infrastructure is the best way to ensure that the stolen data can’t be used.
“These ZeuS operations are a pipeline, and the money mules are a very important part of
that,” Fried said. “[Online banking] credentials have intrinsic value, but it’s not until you’re
able to utilize that information — and that’s where the money mules come in — that those
credentials have real value. That’s why choking off the money mule network will probably
have the best short-term detrimental effect against ZeuS.””
Returning to the case study, krebsonsecurity.com initially reported on the arrest of the
individuals and the suspicions surrounding their activities. The following details how that
arrest subsequently turned out with convictions for all 13 defendants involved in the
cybercrime ring.
“Authorities in the United Kingdom have convicted the 13th and final defendant from a
group arrested last year and accused of running an international cybercrime syndicate that
laundered millions of dollars stolen from consumers and businesses with the help of the
ZeuS banking Trojan. The news comes days after U.S. authorities announced the
guilty plea of the 27th and final individual arrested last year in New York in a related
international money-laundering scheme.
According to the Metropolitan Police, the U.K. courts have convicted 13 members of the
gang, including four who were profiled last year by KrebsOnSecurity shortly after their initial
arrest and charging. The gang is thought to have used the ZeuS Trojan to steal nearly £3
million (USD $4.6M) from banks in the U.K. They are believed to be responsible for aiding in
the theft of at least USD $3 million from U.S. banks and businesses in the past two years.
According to sources close to the case, members of the group also
were heavily involved in online banking thefts perpetrated against
dozens of small businesses and organizations based in the United
States. Eight gang members were charged with money laundering, and
10 were charged with conspiracy to defraud.
[Photos: Yevhen Kulibaba; Karina Kostromina]
Among those convicted were the husband-and-wife ringleaders of the
gang, 33-year-old Ukrainian property developer Yevhen Kulibaba, and
his wife, Karina Kostromina. Kulibaba shuttled some of the stolen
funds from the U.K. to Ukraine and to Latvia. According to British
prosecutors, the two lived a “jet set” lifestyle and spent money on
holidays, cars and property. Kostromina was cleared of conspiracy
charges but convicted of money laundering, and sentenced this week
to two years in prison. Kulibaba is awaiting sentencing on charges of
conspiracy to defraud.
An individual described as Kulibaba’s right-hand man — 29-year-old
Yuriy Konovalenko, aka “Pavel Klikov” — is due to be sentenced, also
for conspiracy. He was described by the e-Crime Unit as a self-employed
Web designer from Ukraine. Sources say Konovalenko was
chiefly responsible for managing a large number of “money mules,”
people hired to withdraw, carry or transmit cash stolen by the gang. A
review of Konovalenko’s social networking site identities suggests he is
a blood relative of Kulibaba’s, but [at the time of the initial report] U.K.
police declined to confirm or deny this information. Valerij Milka, a
30-year-old Ukrainian whom U.K. police say was a building laborer and
fourth member of the conspiracy, was jailed for three years after
admitting his role.
[Photos: Yuriy Konovalenko; Milka Valerij]
News of the convictions in the United Kingdom comes days after authorities in the United
States announced the guilty plea of the 27th and final individual arrested last year in New
York as part of a major law enforcement sweep against Russian and Eastern European
exchange students-turned-money mules. U.S. prosecutors have charged a total of 37
Russian and Eastern European students in connection with last year’s law enforcement
sweep. According to the FBI, two defendants have entered into deferred prosecution
agreements, and eight defendants are fugitives and are being sought in the United States
and abroad.
It should be noted that these individuals were only a small part of a much larger fraud ring.
According to sources close to the investigation, the true masterminds of these
ZeuS-powered bank heists reside in Donetsk, Ukraine, and have yet to be charged with any crime.
Authorities in Ukraine this time last year detained five individuals identified by the FBI and
other national law enforcement authorities as the “coders and exploiters” in the fraud
operation, but the men were released and have not been charged with a crime.”