Debate Magazine

2 Romanian Citizens Convicted of 21 Counts of Cybercrime

Posted on the 29 April 2019 by Darkwebnews @darkwebnews

Two men from Bucharest, Romania, have been convicted by a federal jury for infecting more than 400,000 computers, mostly based in the United States, with malware.

Bogdan Nicolescu, 36, going by the nickname "Masterfraud," and Radu Miclaus, 37, known as "Minolta," were convicted of 21 counts involving malware and online fraud.

However, the two men were not the only people in this active group as there was also a co-conspirator who pleaded guilty.

Danet Tiberiu, known as "Amightysa," has also been extradited and indicted in the U.S. for his part in the cybercrime scheme.

Their operation, which came to be known as "Bayrob," went on for more than a decade and caused losses amounting to millions of dollars.

'Bayrob' Operation

The defendants (collectively referred to as "the Bayrob group") were indicted by federal authorities for their role in running a long-term scheme that infected computers with malware in order to steal personal information and credit card data for sale on the dark web, commit online fraud and mine cryptocurrencies.

Bayrob began in 2007 with the development of proprietary malware.

For some background, Bayrob is a Trojan horse that installs a proxy server, which is then used to steal sensitive information from the compromised computer.

The Bayrob group spread it by sending malicious emails purporting to be from legitimate entities such as Norton Antivirus, the IRS and Western Union.

When recipients clicked on the file attached to the email, the malware was installed on their computer.

This malware collected dozens of email addresses from the compromised computer and then sent emails to the harvested email addresses.

By doing this, the defendants managed to infect and control over 400,000 individual devices, most of them located in the United States.

Controlling the victims' computers allowed the cybercriminals to gather personal information such as usernames, passwords and credit card information.

The stolen credentials were then sold on the dark web, or the defendants would steal money from the accounts directly.

The malware also blocked the victims' access to law enforcement websites and disabled the computer's malware protection.

The Bayrob group was also able to activate files that forced the compromised computers to set up email accounts with AOL.

Using this technique, the defendants registered over 100,000 email accounts and sent millions of malicious emails.

According to a statement from the U.S. Department of Justice, the defendants went the extra mile to increase their gains.

They created fake websites that closely resembled sites such as PayPal, Facebook and eBay, and victims were redirected to them.

When victims tried to reach the genuine websites, the malware intercepted the request and brought them to the fake websites instead.

On these sites, the victims made purchases and entered their credit card information, all of which the defendants used to gain assets.

The Bayrob group was also able to inject counterfeit pages on legitimate sites such as eBay.

These pages made the victims unknowingly follow instructions directly from the malware operators.

The Romanians placed more than 1,000 fake eBay listings for motorcycles, cars and other high-priced products.

These fake webpages persuaded the victims to pay for their orders through an "eBay escrow agent" that didn't actually exist.

None of the payers ever received the products they ordered nor did they get their money back.

This is how millions of dollars were stolen in this operation. The FBI believes that the defendants have stolen between $4 million and $35 million from their victims.

The money was laundered by hiring money transfer agents and setting up fake companies with fraudulent websites.

Using these websites and companies, the group was able to engage in legitimate financial transactions.

The stolen money was wired to these nonexistent companies and then wired to MoneyGram or Western Union in Romania.

In order to collect and deliver the money, the "money mules" in the operation used fake identities.

The Fall of the Malware Gang

Now convicted, the Romanian nationals operated for quite some time.

The law enforcement investigation to discover who was behind these cybercrimes lasted for eight years.

During this time, Symantec, the cybersecurity firm that originally discovered the Bayrob Trojan back in 2007, said they discovered multiple malware versions.

However, public attention did not stop the defendants from continuing to refine and expand their criminal operations.

The current arrests are the culmination of this long-lasting investigation into the group's activities, which included money laundering, identity theft, a number of fraud actions, and trafficking in counterfeit products and services.

The sentencing of the defendants has been scheduled for August 14, 2019.
