IN THE UNITED STATES DISTRICT COURT FOR THE WESTERN DISTRICT OF UNITED STATES OF AMERICA v. ALEXANDER KONOVOLOV a/k/a a/k/a ?none_1 MARAT KAZANDJ IAN a/k/a ?phantOm? VLADIMIR GORIN a/k/a ?Voland? a/k/a ?er? a/k/a ?riddler? GENNADY KAPKANOV a/k/a ?Hennadiy Kapkanov? a/k/a a/k/a ?ffhost? a/k/a ??restarter? a/k/a ?User4l? EDUARD MALANICI a/k/a ?JekaProf? a/k/a KONSTANTIN VOLCHKOV a/k/a ?elvi? RUSLAN VLADIMIROVICH KATIRKIN afk/a ?stratos? a/k/a ?xen? VIKTOR VLADIMIROVICH EREMENKO a/k/a ?nfcorpi? FARKHAD RAUF OGLY MANOKHIN a/k/a "frusa" ALEXANDER VAN HOOF a/k/a ?al666? Criminal N0. 0 (18 U.S.C. 371, 1349 and I956(h)) FILED APR 17 COURT. CLERK U.S. DISTRICT WEST. DIST. OF INDICTMENT The grand jury charges: Introduction At all times material to this Indictment, unless otherwise alleged: 1. From in and around October 2015, and continuing through in and around December 2016, ALEXANDER KONOVOLOV, a/k/a ?NoNe," a/k/a "none_1,? MARAT KAZANDJIAN, a/k/a ?phantOm,? VLADIMIR GORIN, a/k/a "Voland," a/k/a a/k/a ?riddler,? GENNADY KAPKANOV, a/k/a ?Hennadiy Kapkanov,? a/k/a ?flux,? a/k/a ?ffhost,? a/k/a ??restarter,? a/k/a ?User 41 KONSTANTIN VOLCHKOV, a/k/a ?elvi,? EDUARD MALANICI, a/k/a ?JekaProf,? a/k/a RUSLAN VLADIMIROVICH KATIRKIN, a/k/a ?stratos,? a/k/a ?xen,? VIKTOR VLADIMIROVICH EREMENKO, a/k/a "nfcorpi,? FARKHAD RAUF OGLY MANOKHIN, a/k/a ?frusa,? ALEXANDER VAN HOOF, a/k/a ?al666,? along with conspirator Krasimir Nikolov, a/k/a ?pablopicasso,? a/k/a ?salvadordali,? a/k/a ?karlo,? and others, were part of a transnational organized cybercrime network that stole money from unsuspecting victims, primarily businesses and their ?nancial institutions, through the use of GozNym malware. 2. Speci?cally, the defendants and others conspired to: infect victims? computers with GozNym malware designed to capture victims? online banking login credentials; use the captured login credentials to fraudulently gain unauthorized access to victims? online bank accounts at ?nancial institutions; and steal funds from victims? bank accounts and launder those funds using US. and foreign bene?ciary bank accounts provided and controlled by conspirators. 3. The conspirators were located in various countries around the world including, but not limited to, Russia, Georgia, Ukraine, Moldova, Bulgaria and Kazakhstan. 2 4. In order to perpetrate the criminal scheme, the defendants utilized a network of co-conspirators who provided specialized technical skills and services used in furtherance of the conspiracy. The specialized skills or services included, inter alia, the following: 0 Malware Developer: In the context of this Indictment, a ?malware developer? was a conspirator involved in the creation, development, management, and leasing ofmalware for use by himself and/or others. 0 In the context of this Indictment, a was a conspirator involved in malware in such a way as to avoid detection by anti? virus tools and software on victims? computers. - Spammer: In the context of this Indictment, a ?spammer? was a conspirator involved in the mass distribution of malware through phishing emails. The phishing emails were designed to appear legitimate to entice victim recipients into opening the emails and clicking on a link or attachment, which facilitated the downloading of malware onto the victims? computers. 0 Bulletproof Hoster: In the context of this Indictment, a ?bulletproof hoster? was a conspirator involved the hosting of malware campaigns on an intricate network of servers designed to thwart detection by law enforcement and cybersecurity researchers, thereby enabling the malware-related criminal activities to continue without disruption. - Casher Account Takeover Specialist: 1n the context of this Indictment, a ?casher? or ?account takeover specialist" was a conspirator who used victims? stolen login credentials (obtained through GozNym malware infections) to access the victims? online bank accounts and steal, or attempt to steal, victims? funds through electronic funds transfers. 0 Cash-Out Drop Master: In the context of this Indictment, a ?cash?out? or "drOp master? was a conspirator who provided ?cashers account takeover specialists" and other members of the conspiracy with access to bank accounts (also known as ?drop accounts?) to receive stolen funds in the form of electronic funds transfers from victims" online bank accounts. ?Drop masters? utilized money mules (also known as ?drops?) to open drop accounts, withdraw stolen funds, or transfer stolen funds to other accounts for withdrawal. 5. The conspirators advertised, or otherwise offered, their specialized skills and services on underground, Russian?speaking, online criminal forums, including Mazafaka, Veri?ed, and DirectConnection. The online forums provided a virtual meeting place where vetted cybercriminals could advertise their skills and services and communicate with each other in private messages. 6. ?GozNym? was the name given by computer security researchers to a particular malicious software (malware) program. GozNym was a hybrid of two previous malware strains, Gozi and Nymaim. 7. GozNym was a multifunction malware package speci?cally designed to automate the theft of sensitive personal and financial information, including online banking login credentials such as usernames and passwords, from infected computers. 8. GozNym infected tens of thousands ofvictim computers worldwide, primarily in the United States and Europe. 9. In the United States, GozNym infections primarily targeted victim computers belonging to U.S. businesses, including in the Western District of 10. After Victims? online banking login credentials were captured by GozNym, the credentials were used to fraudulently gain unauthorized access to victims? online bank accounts at U.S. financial institutions, in order to transfer the victims? funds to beneficiary bank accounts controlled by members of the conspiracy. 1 1. Financial institutions in the United States first observed fraudulent activity related to GozNym malware in and around late 2015. 12. GozNym infections had the potential to cause in excess of $100 million in losses to businesses and their ?nancial institutions around the world. 13. The U.S. financial institutions referenced herein that were victims of GozNym- related fraud were insured by the Federal Deposit Insurance Corporation or chartered by the United States. 14. Unless otherwise noted, all communications of conSpirators set forth in this Indictment were translated from Russian to English by certi?ed Russian linguists. The Defendants 15. ALEXANDER KONOVOLOV, a/k/a ?NoNe,? a/k/a ?none_l is a national and citizen of Georgia. During the time frame of the conspiracy, KONOVOLOV resided in or near Tbilisi, Georgia, and used the online monikers ?NoNe? and ?none_1.? KONOVOLOV was the primary organizer and leader of the GozNym conspiracy, who admitted that since 2015 he controlled more than 41,000 victim computers (known as ?bots?) infected with GozNym malware. photograph is attached as EXHIBIT A. 16. MARAT KAZANDJ IAN, a/k/a ?phant0m,? is a national and citizen of both Kazakhstan and Georgia. During the time frame of the conspiracy, KAZANDJIAN resided both in and around Tbilisi, Georgia, and in Kazakhstan. KAZANDJ IAN, who used the online moniker ?phantOm,? was ALEXANDER primary assistant and technical administrator. photograph is attached as EXHIBIT B. 17. VLADIMIR GORIN, a/k/a ?Voland.? a/k/a ?mrv,? a/k/a ?riddler,? is a national and citizen of Russia. During the time frame of the conspiracy, GORIN resided in Orenburg, Russia, and used the online monikers ?Voland? and ?mrv? and currently uses the moniker ?riddler.? As the ?malware developer,? GORIN oversaw the creation, development, management, and leasing of GozNym malware to conspirators, including to ALEXANDER KONOVOLOV. photograph is attached as EXHIBIT C. 18. GENNADY KAPKANOV, a/k/a ?Hennadiy Kapkanov," a/k/a a/k/a ?f?iost," a/k/a ?firestarter,? a/k/a "User4l,? is a national and citizen of Ukraine. During the time frame of the conspiracy, KAPKANOV resided in Poltava, Ukraine, and used the online monikers ?ffhost.? ??restarter,? and ?User41.? KAPKANOV was an administrator of a bulletproof 5 hosting services network, named by computer security researchers as the ?Avalanche? network, which provided services to more than 200 cybercriminals, including defendants ALEXANDER KONOVOLOV and MARAT KAZANDJ IAN . GENNADY KAPKANOV provided hosting services to more than twenty different malware campaigns, including GozNym. photograph is attached as EXHIBIT D. 19. EDUARD MALANICI, a/k/a ?JekaProf,? a/k/a is a national and citizen of Moldova. During the time frame of the conspiracy, MALANICI resided in Balti, Moldova, and used the online monikers "JekaProf? and MALANICI, a provider of services, GozNym malware on behalf of the charged conspiracy to enable the malware to avoid detection by anti-virus tools and software on victims? computers. photograph is attached as EXHIBIT E. 20. KONSTANTIN VOLCHKOV, a/k/a "'elvi,? is a national and citizen of Russia. During the time frame of the conspiracy, VOLCHKOV resided in Moscow, Russia, and used the online moniker ?elvi.? VOLCHKOV, a provider of spamming services, conducted spamming operations of GozNym malware on behalf of the charged conspiracy. The spamming Operations involved the mass distribution of GozNym malware through phishing emails. The phishing emails were designed to appear legitimate to entice victim recipients into opening the emails and clicking on a link or attachment, which facilitated the downloading of GozNym onto the victims? computers. A photograph of VOL-CHKOV was not available. 21. RUSLAN VLADIMIROVICH KATIRKIN, a/k/a ?stratos,? a/k/a ?xen,? is a national and citizen of Kazan, Russia. During the time frame of the conspiracy, KATIRKIN resided in Ukraine, and used the online monikers ?stratos? and ?xen.? a ?casher? or ?account takeover specialist? on behalf of the charged conspiracy, used victims? stolen banking login credentials captured by GozNym infections to fraudulently 6 gain unauthorized access to Victims? online bank accounts and steal, or attempt to steal, Victims? funds through electronic funds transfers. photograph is attached as EXHIBIT F. 22. VIKTOR VLADIMIROVICH EREMENKO, a/k/a, ?nfcorpi,? is a national and citizen of Russia. During the time frame of the conspiracy, EREMENKO resided in Stavropol, Russia and used the online moniker ?nfcorpi.? EREMENKO, a ?cash-out? or ?drop master? on behalf of the charged conspiracy, provided ALEXANDER KONOVOLOV and his ?cashers? ?account takeover specialists? with access to bank accounts (also known as ?drop accounts?) controlled by EREMENKO to receive stolen funds from Victims? online bank accounts. photograph is attached as EXHIBIT G. 23. FARKHAD RAUF OGLY MANOKHIN, a/k/a ?frusa,? is a national and citizen of Russia. During the time frame of the conspiracy, MANOKHIN resided in Volograd, Russia, and used the online moniker ?frusa.? MANOKHTN, a ?cash?out? or ?drop master? on behalf of the charged conspiracy, provided ALEXANDER KONOVOLOV and his ?cashers? ?account takeover specialists? with access to bank accounts (also known as ?drop accounts?) controlled by MANOKHIN to receive stolen funds from victims? online bank accounts. MANOKHIN traveled from Russia to Sri Lanka in February 2017. At the request of the United States, MANOKHIN was arrested by Sri Lankan authorities on federal criminal charges ?led against him in the United States. Following his arrest, MANOKHIN was released on bail but was required to remain in Sri Lanka pending the outcome of the extradition request of the United States. In December 2017, MANOKHIN unlawfully absconded from Sri Lanka to Russia prior to the conclusion of the extradition proceedings. photograph is attached as EXHIBIT H. 24. ALEXANDER VAN HOOF, a/k/a ?al666,? is a national and citizen of Ukraine. During the time frame of the conspiracy, VAN HOOF resided in Nikolaev, Ukraine, and used the 7 online moniker ?al666.? VAN HOOF, a ?cash-out? or ?drop master? on behalf of the charged conspiracy, provided ALEXANDER KONOVOLOV and his ?cashers? ?account takeover Specialists? with access to bank accounts (also known as "drop accounts") controlled by VAN HOOF to receive stolen funds from victims? online bank accounts. VAN photograph is attached as EXHIBIT I. Conspirator Charged in Related Indictment 25. Conspirator Krasimir Nikolov, a/kfa ?pablopicasso,? a/k/a ?salvadordali,? a/k/a ?karlo,? a national and citizen of Bulgaria, is the subject ot?a related Indictment at Criminal No. 16-218 During the time frame of the conspiracy. Nikolov resided in Varna, Bulgaria, and used the online monikers ?pablopicasso,? ?salvadordali? and ?karlo.? Nikolov, a ?casher? or ?account takeover specialist? on behalfof the charged conspiracy, used victims? stolen banking credentials captured by GozNym malware infections to access the victims? online bank accounts and steal, or attempt to steal, victims? funds through electronic funds transfers. At the request of the United States, Nikolov was arrested in Bulgaria and extradited to the Western District of in December 2016. COUNT ONE (Conspiracy to Commit Computer Fraud) The grand jury charges: Statutory Allegations 26. From in and around October 2015, and continuing thereafter to in and around December 2016, in the Western District of and elsewhere, ALEXANDER KONOVOLOV, a/k/a ?NoNe,? a/k/a ?none_l MARAT KAZANDJ IAN, a/k/a ?phant0m,? VLADIMIR GORIN, a/k/a ?Voland,? a/k/a ?mrv? a/k/a ?riddler,? GENNADY KAPKANOV, a/k/a ?Hennadiy Kapkanov,? a/k/a afk/a ?fthost,? a/k/a ??restarter,? a/k/a ?User 41,? KONSTANTIN VOLCHKOV, a/k/a ?elvi,? EDUARD MALANICI, a/k/a ?JekaProf,? a/kj?a RUSLAN VLADIMIROVICH KATIRKIN, a/k/a ?stratos,? a/k/a ?xen.? VIKTOR VLADIMIROVICH EREMENKO, a/k/a ?nfcorpi,? FARKHAD RAUF OGLY MANOKHIN, a/k/a ?frusa,? ALEXANDER VAN HOOF, a/k/a ?211666,? and conspirator Krasimir Nikolov, a/k/a "pablopicasso," a/k/a ?salvadordali,? a/k/a ?karlo,? knowingly and intentionally conspired and agreed with each other, and with persons known and unknown to the grand jury, (collectively, the conspirators) to commit offenses against the United States, that is: a. to knowingly cause the transmission of a program, information, code, and command, and as a result of such conduct, intentionally cause damage, and attempt to cause damage, without authorization, to a protected computer, and cause loss to one or more persons during a 1-year period aggregating at least $5,000.00 in value and damage affecting 10 or more protected computers during a 1-year period, in Violation of 'l?itle18, United States Code, Sections 1030(a)(5)(A) and b. to knowingly and with intent to defraud, access a protected computer without authorization, and by means of such conduct further the intended fraud and obtain anything ofvalue exceeding $5,000 in any 1?year period, in violation of Title 18, United States Code, Sections 1030(a)(4) and Obiectives of the Consuirag 27. The objectives of the conspiracy included: infecting victims? computers with GozNym malware designed to capture victims? online banking login credentials; using the captured login credentials to gain unauthorized access to victims? online bank accounts at U.S. ?nancial institutions; and stealing funds from victims? U.S. bank accounts and laundering those funds using U.S. and foreign bene?ciary bank accounts provided and controlled by conspirators. Manner and Means of the Conspiracy 28. The manner and means used to accomplish the conspiracy?s objectives included the following: 29. Each conspirator provided a specialized technical skill or service used in furtherance of the conspiracy. The conspirators advertised, or otherwise offered, their Specialized skills and services on underground, Russian?speaking, online criminal forums. 30. VLADIMIR GORIN, a/k/a ?Voland,? a/k/a "mrvf? a/k/a ?riddler,? oversaw the creation, deveIOpment, management, and leasing of GozNym malware. GORIN provided GozNym to ALEXANDER KONOVOLOV, a/k/a ?NoNe,? a/k/a ?none_1.? 31. ALEXANDER KONOVOLOV, the leader and primary organizer of the conspiracy, formed much of the conspiracy by meeting and recruiting conspirators through underground, Russian-speaking, online criminal forums. 32. GENNADY KAPKANOV, a/k/a ?Hennadiy Kapkanov,? a/k/a a/k/a ?ffhost,? a/k/a ??restarter,? a/k/a ?User4l,? was an administrator ofthe Avalanche bulletproof hosting service. The service provided co-conspirators and other cybercriminals with a secure platform to conduct malware and money mule campaigns without the fear of detection or disruption by law enforcement or cybersecurity researchers. 10 33. GENNADY KAPKANOV provided bulletproof hosting services to ALEXANDER KONOVOLOV and MARAT KAZANDJ IAN in furtherance of the GozNym conspiracy. 34. GENNADY KAPKANOV offered co-conspirators and other cybercriminals various services, in exchange for a fee. including the following: the registering of malware and money mule-related domains with numerous domain registrars in several countries, including Malaysia, Pakistan, Russia, India, and China; the hosting of malware on Avalanche servers that infected victim computers; and the ?proxying? (passing) of information and data from victims? computers through a layered, or tiered, network of servers and ?nally to back?end servers where it was ultimately accessed by Avalanche?s malware customers. 35. GENNADY KAPKANOV advertised the bulletproof hosting services to cybercriminals on underground, Russian-speaking, online criminal forums, including Veri?ed and Mazafaka. An advertisement for services on the Veri?ed and Mazafaka forums are attached as EXHIBITS and K, respectively. 36. GENNADY KAPKANOV described a portion of his services during the following communication on or about April 8, 2016, with a potential customer who inquired about Avalanche?s hosting services: 0 CUSTOMER: Servers are needed for 0 KAPKANOV: what purposes are the servers needed? 0 CUSTOMER: Botnet controller. An abuse complaint comes to one server, on average, once a month. I KAPKANOV: We can suggest fast-?uxing. You can buy them at any clean data center or you can buy a VPS. With the required con?guration of the hardware, we proxy the traf?c from your bots to your server, thus it becomes bulletproof since all of the abuse of service complaints come to us. The price is 150 Web money per week or 450 Web money for 4 weeks. 11 37. GENNADY KAPKANOV and his fellow administrator leased access to servers from legitimate hosting providers using ?ctitious names or the names of unwitting third parties. The servers were often leased using stolen credit cards. 38. VLADIMIR GORIN, ALEXANDER KONOVOLOV, and MARAT KAZANDJ IAN collaborated with GENNADY KAPKANOV in the registering of malicious GozNym domains, the hosting of GozNym executable ?les on servers for infecting victim computers, and the proxying of information from infected GozNym computers through the Avalanche network where it was accessible at a back-end server. 39. The conspirators GozNym malware to enable the malware to avoid detection by anti-virus tools and software on victims? computers. EDUARD MALANICI, a/k/a ?JekaProf," a/k/a and others known and unknown to the grand jury, GozNym malware on behalf the conspiracy. 40. The conspirators distributed GozNym malware and infected victim computers through spamming. KONSTANTIN VOLCHKOV, a/k/a ?elvi,? and others known and unknown to the grand jury, conducted spamming of GozNym malware on behalf of the conspiracy. 41. The spamming involved sending malicious phishing emails through the intemet to large numbers of victims, primarily US. businesses. The emails falsely represented themselves to be legitimate emails from companies, associations, and organizations. 42. The conspirators designed the phishing emails to fraudulently entice victim recipients to click on a hyperlink or attachment that falsely represented itself to be a legitimate link or attachment, such as business invoice. When the victim clicked on the link or attachment, the victim?s computer was typically redirected to a malicious domain controlled by conspiracy, from which GozNym malware was downloaded onto the victim?s computer without the victim?s knowledge or consent. 12 43. The conspirators used GozNym malware on infected victim computers to capture the victims? con?dential personal and ?nancial information, including online banking login credentials, by keystroke logging and/or web injects fake online banking webpages). 44. Keystroke logging recorded (or logged) the keys struck on a victim?s keyboard. The keystrokes were captured surreptitiously by the computer program keylogger) without the victim?s knowledge. Through keystroke logging, conspirators stole victims? online banking credentials when the victims logged into their online bank account from their infected computer. 45. Web injects introduced (or injected) malicious computer code into a victim?s web browser while the victim browsed the Internet and ?hijacked? the victim?s lntemet session. Web injects were used to display false online banking pages into the victim?s web browser to trick the victim into entering online banking information, which was then captured by the conspirators. 46. To defeat two?factor authentication and RSA tokens needed to access many online bank accounts, the conspirators created and utilized a GozNym token panel in furtherance of the conspiracy. A screen shot of the GozNym token panel is attached as EXHIBIT L. 47. The token panel was an interface hosted on a server that was con?gured to allow conspirators to see the victims that had been infected with GozNym malware along with the victims? con?dential banking information captured by GozNym malware. The con?dential information displayed on the token panel included usernames, passwords and answers to security questions needed for accessing victims? online bank accounts. Using web injects designed to look like the legitimate online banking webpage of a victims? ?nancial institutions, the token panel enabled the conspirators to interact with the employees of victim businesses and enticed the employees to enter their RSA token code into the fake online banking wcbpages. 48. The conspirators, including VLADIMIR GORIN, ALEXANDER KONOVOLOV, MARAT KAZANDJIAN, RUSLAN VLADIMIROVICH KATIRKIN, and 1 3 Krasimir Nikolov, all used a VNC (Virtual Network Computing) connection hosted at IP address 162.244.32.157 to remotely control victims? computers in furtherance of the conspiracy. 49. The conspirators used the victims? stolen banking credentials without authorization to falsely represent to banks that conspirators were victims (or employees of victims) who had authorization to access the victims? bank accounts and to make electronic funds transfers from the victims? bank accounts. 50. The conspirators used the stolen banking credentials to gain unauthorized access to victims? online bank accounts and caused, and attempted to cause, banks to make unauthorized wire transfers, ACH payments, or other electronic funds transfers from the victims? bank accounts, without the knowledge or consent of the victim account holders. 51. Defendant RUSLAN VLADIMIROVICH KATIRKIN and conspirator Krasimir Nikolov (charged in the related Indictment at Criminal No. 16-218) were two ?cashers? or ?account takeover specialists? who utilized the token panel to access victims? online bank accounts to steal, or attempt to steal, victims? funds through electronic funds transfers. 52. The earliest identi?ed token panel used the domain fokentokencom and was hosted at IP address 204.155.30.87. Subsequent panels were hosted at IP address 204.155.31.133, and thereafter at IP address 204155.308. 53. The conspirators used US. and foreign bank accounts (also known as ?drOp accounts?) provided and controlled by other members of the conspiracy to receive stolen funds, in the form of electronic funds transfers, from victims? online bank accounts. The conspirators who controlled the drop accounts were known as ?cash?outs" or ?drop masters" and included, among others, VLADIMIROVICH EREMENKO, a/k/a. ?nfcorpi,? FARKHAD RAUF OGLY MANOKHIN, a/k/a ?frusa,? and ALEXANDER VAN HOOF, a/k/a ?a1666.? l4 54. The ?cash-outs? or ?drOp masters? sometimes employed ?drops,? also known as ?money mules,? who were directed to move the stolen funds to other accounts and ?cash out? the stolen funds from the ?drop accounts.? 55. The conspirators divided the stolen funds accordingly based upon previously- negotiated percentage sharing agreements. Overt Acts 56. In furtherance of the conspiracy, and to achieve the goals and objectives of the conspiracy, the defendants, and other conSpirators known and unknown to the grand jury, did commit and cause to be committed, the following overt acts, inter alia, in the Western District of and elsewhere: a. Administrative and Technical Tasks Conducted in urtherance of the Conspiracy 57. On or about October 5. 2015, VLADIMIR GORIN conducted on online search for "phantOm on token server," a reference to MARAT KAZANDJIAN. a/k/a ?phantOm,? and his involvement with the GozNym token server. 58. On or about October 24, 2015, ALEXANDER KONOVOLOV and Krasimir Nikolov communicated regarding the criminal scheme that included details of how the botnet would operate, the financial institutions that would be targeted, and other conspirators, such as ?phantOm? MARAT KAZAN DJ IAN) who would be involved in the scheme. 59. On or about November 5, 2015, ALEXANDER KONOVOLOV communicated with Krasimir Nikolov regarding bank accounts (?drop accounts?) available to receive stolen funds. KONOVOLOV sent Nikolov the details for a bank account at Ally Bank provided and controlled by defendant ALEXANDER VAN HOOF, a/k/a ?al666.? 15 60. On or about November 10, 2015, VLADIMIR GORIN posted on an underground online criminal forum that those who wished to rent a malware ?Trojan? GozNym) from him have: quality loads; viable cash-out schemes; and launderers exchangers. 61. On or about November 22, 2015, MARAT KAZANDJ IAN sent Krasimir Nikolov a message containing the domain along with the password ?qwertyl23,? which provided Nikolov with access to the GozNym token panel hosted on a server at IP address 204.155.30.87. 62. On or about December 7, 2015, MARAT KAZANDJIAN sent Krasimir Nikolov a message that explained how to login to the GozNym token panel. 63. On or about January 15, 2016, MARAT KAZANDJIAN sent Krasimir Nikolov a message containing the IP address 204.155.31.133 which hosted the GozNym token panel after it was moved from the previous server at IP address 204.155.30.87. 64. On or about January 18, 2016, ALEXANDER KONOVOLOV discussed with VLADIMIR GORIN a potential delay in GozNym-related activities. GORIN stated that he ?won?t be keeping the bots loaded on the old server very long.? KONOVOLOV asked GORIN if he will still be able to start spamming at ?12 midnight, Moscow time, on the 20th.? GORIN replied, ?the probability of starting on the 20?h is KONOVOLOV complained, ?So sh*t this is such a mess. I have 4 people to switch.? Shortly thereafter, KONOVOLOV sent a copy ofhis communications with GORIN to both GENNADY KAPKANOV and Krasimir Nikolov and advised, ?We have a problem.? 65. On or about January 18, 2016, GENNADY KAPKANOV sent ALEXANDER KONOVOLOV and MARAT KAZANDJ IAN a message containing the login name and password to access Avalanche?s domain registration (?dreg?) panel. The dreg panel allowed 16 users to register new malicious domains and check on the status of previously?registered domains. 66. During the time frame of the conspiracy, GENNADY KAPKANOV maintained a ?buddy list? containing the online monikers of his criminal associates. KAPKANOV assigned each criminal associate a corresponding numerical designation. User ?250? was the numerical designation for ?none_l" ALEXANDER KONOVOLOV) and User ?250 admin? was the numerical designation for ?phantOm? MARAT KAZANDJ IAN). A screen shot of numerical designations for ?none_l and ?phantOm? is attached as EXHIBIT M. 67. On or about January 25, 2016, MARAT KAZANDJIAN sent Krasimir Nikolov a message containing information for a fraudulent invoice. This invoice was consistent with those used in the GozNym phishing emails that were designed to appear legitimate to entice the recipient to click on it. 68. On or about February 29, 2016, defendant KONSTANTIN VOLCHKOV, afk/a ?elvi,? received a message from a conspirator stating, ?Hi. I?m from None in regard to spam.? VOLCHKOV and the conspirator then discussed the details of GozNym spamming efforts, including that the spam emails were to be directed to employees at large and small businesses, and each email was to be crafted to include the address of the business and the name of the employee targeted. VOLCHKOV explained, ?There will be the database, the ?fromf the name of the ?from.? the subject, and the message, and a place in the message where to put the name.? 69. On or about March 1, 2016, the conspirator sent KON ST ANTIN VOLCIIKOV the links to two sendspace.com ?les, and stated, ?The password is None.? The conspirator then 17 asked VOLCHKOV, ?At what time will the spam be available?? VOLCHKOV replied, have no idea yet. They are preparing the documents.? 70. On or about March 4, 2016. ALEXANDER KONOVOLOV sent a conspirator a c0py of the communications KONOVOLOV had with defendant EDUARD MALANICI, a/k/a ?JekaProf,? a/k/a regarding the of GozNym malware in furtherance of the conspiracy. MALANICI stated, ?I?ll make a loader for you so that the ping is normal.? KONOVOLOV replied, ?ok. It?s needed tomorrow for my spammer.? KONOVOLOV asked, ?Will the bots survive long?? MALANIC I replied, them and they won?t die." KONOVOLOV replied, ?I?ll contact you as soon as the spammer shows up tomorrow.? 71. During the time frame of the conspiracy, GENNADY KAPKANOV and his fellow Avalanche administrator registered dozens of malicious GozNym domains on behalf of ALEXANDER KONOVOLOV and MARAT KAZANDJ IAN, and maintained a list of those malicious domains on a domain registration table. 72. On or about March 7, 2016, GENNADY KAPKANOV and ALEXANDER KONOVOLOV discussed and passed in messages numerous malicious GozNym domains, including ?secureserverl 7.00m." 73. On or about March 15, 2016, GENNADY KAPKANOV and MARAT KAZANDJ IAN discussed and passed in messages a malicious GozNym domain identi?ed as ?hXXp://secureserverl 7.com/home/re5509.exe? that KAPKANOV then hosted on Avalanche servers where it was used to infect victims? computers. 74. On or about March 16, 2016, GENNADY KAPKANOV and MARAT KAZANDJ IAN discussed and passed in messages a malicious GozNym domain identi?ed as ?secureserverl 8.com? that KAPKANOV then hosted on Avalanche servers where it was used to infect victims? computers. 18 75. On or about March 25, 2016, ALEXANDER KONOVOLOV directed a conspirator to contact EDUARD MALANICI, a/k/a ?JekaProf,? a/k/a regarding additional GozNym KONOVOLOV stated, ?Contact procry'ptgroupQDexploit.im." The conspirator replied, already contacted him.? KONOVOLOV advised, ?He?ll load for you with certainty that it won?t be an excessive load and die. You?ll see how the bot pings and how it works.? The conspirator replied, ?He has already loaded everything.? 76. On or about April 11, 2016, defendant RUSLAN VLADIMIROVICH KATIRKIN, a/k/a ?stratos,? a/k/a ?xen,? accessed the GozNym token panel hosted at IP address 204.155.31.133; the same IP address MARAT KAZANDJIAN sent to Krasimir Nikolov on January 15, 2016. 77. On or about April 15. 2016, RUSLAN VLADIMIROVICH KATIRKIN con?rmed with a conspirator that he (KATIRKIN) was ?on None?s token,? a reference to ?casher? ?account takeover specialist? activities using the GozNym token panel. 78. On or about April 27. 2016, MARAT KAZAN DJ IAN sent conspirator Krasimir Nikolov the link to access the GozNym token panel after it was moved to a new hosting server at IP address 204.155.30.8. 79. On May 26, 2016, KONSTANTIN VOLCHKOV sent a message to GENNADY KAPKANOV and stated, ?None told me to call you, in regard to domains.? b. Attacks on Speci?c Victims 80. GozNym infected tens of thousands of victim computers worldwide. including in the Western District of and had the potential to cause in excess of $100 million in losses to businesses and their ?nancial institutions, including the following: 19 (1) Victim 1 81. Victim 1 was an asphalt and paving business located in New Castle, in the Western District of 82. On or about February 16, 2016, ALEXANDER KONOVOLOV sent GENNADY KAPKANOV a message containing a malicious GozNym domain identi?ed as 83. GENNADY KAPKANOV thereafter hosted the malicious domain on Avalanche servers where it was used to infect victims? computers with GozNym, including Victim 1?s computers. KAPKANOV maintained the ?billpay-centercom? domain on the domain registration user table, as seen in a screen shot attached as EXHIBIT N. 84. On or about February 18, 2016, the conspirators sent Victim 1?s employee a phishing email designed to look like a legitimate email from Bank ofAmerica. A copy ofthe phishing email is attached as EXHIBIT 0. The email contained a link identi?ed as ?invoice_0028556.doc." The source code of the phishing email showed that when the recipient clicked on the link the recipient was directed to the website 0028556 where a GozNym executable file was downloaded and the recipient?s computer was infected with GozNym malware. 85. On or about February 18, 2016, the conspirators fraudulently enticed Victim 1?s employee to click on the link ?invoice_0028556.doc? and, in doing so, caused the installation of GozNym malware on Victim 1?s computer. 86. On or about February 22, 2016, ALEXANDER KONOVOLOV sent Krasimir Nikolov the details for a Bank of America account in the name DC Services by Hinkley, along with a notation that the account was authorized to receive between $50,000.00 to $100,000.00 in 20 funds. Additionally, KONOVOLOV sent Nikolov a username and password that to electronically access the account. 87. On or about February 24, 2016, the conspirators used GozNym malware to fraudulently obtain Victim 1?s online banking credentials and attempted to cause three unauthorized electronic funds transfers totaling $121,132.08 from Victim 1?s bank account at First National Bank, located in the Western District of to bene?ciary bank accounts controlled by conspirators. Two electronic funds transfers totaling $1 14,144.68 were destined for the same Bank of America account in the name DC Services by Hinkley that ALEXANDER KONOVOLOV provided to Krasimir Nikolov on or about February 22, 2016. 88. On or about April 1 1, 2016, Krasimir Nikolov sent a conspirator a message containing Victim 1?s business name, as well as Victim 1?s business email account. 89. On or about April 1 1, 2016, Krasimir Nikolov received from conspirators detailed information regarding four bene?ciary bank accounts designated to receive ?Jnds stolen from GozNym victims, including Victim 1. 90. On or about April 12, 2016, Nikolov gained unauthorized access to Victim 1?s First National Bank account using Victim 1?s online banking credentials captured by GozNym malware, and attempted to cause four electronic funds transfers totaling $122,000.00, from Victim 1's account to the same four bene?ciary bank accounts provided to Nikolov by conspirators on or about April 1 1, 2016. (2) Victim 2 91. Victim 2 was a law ?rm located in Washington, DC. 92. On or about February 16, 2016, ALEXANDER KONOVOLOV sent GENNADY KAPKANOV a message containing a malicious GozNym domain identi?ed as 21 A screen shot of the message is attached as EXHIBIT P. 93. GENNADY KAPKANOV then hosted the malicious domain on Avalanche servers where it was used to infect victims? computers with GozNym malware, including Victim 2?s computers. 94. On or about February 16, 2016, the conspirators sent a phishing email to Victim 2?s employee designed to look like a legitimate email from ?Quicken Billpay?center.? A copy of the phishing email is attached as EXHIBIT Q. The email directed the recipient to ?Click the link below to View your Invoice.? The link was identi?ed as and was the same malicious link passed from ALEXANDER KONOVOLOV to GENNADY KAPKANOV earlier that same date. Clicking on the link caused a GozNym malware executable ?le to be downloaded and the recipient?s computer to be infected with GozNym malware. 95. On or about February 16, 2016, the conspirators fraudulently enticed Victim 2?s employee to click on the link and, in doing so, caused the installation of GozNym malware on Victim 2?s computer. 96. On or about February 25, 2016, ALEXANDER KONOVOLOV and Krasimir Nikolov passed messages containing the details for a bene?ciary bank account ending in 8231 in the name Cane Inc., PO. Box 3, Whitinsville, MA. 97. On or about February 25, 2016, Krasimir Nikolov gained unauthorized access to Victim 2?s Bank of America account using Victim 2?s online banking credentials captured by GozNym malware, and attempted to cause an unauthorized electronic funds transfer totaling $97,520.00 from Victim 2?s account to the same bene?ciary bank account ending in 8231 in the 22 name Cane, Inc. passed earlier that date between ALEXANDER KONOVOLOV and Krasimir Nikolov. This transaction resulted in a loss of $76,178.12. (3) Victim 3 98. Victim 3 was a church was located in Southlake, Texas. 99. On or about February 11, 2016, conspirators gained unauthorized access to Victim 3?s Wells Fargo Bank account using Victim 3?s online banking credentials captured by GozNym malware, and attempted to cause three unauthorized electronic funds transfer totaling $610,440.00 from Victim 3?s bank account to bene?ciary bank accounts provided and controlled by the conspirators. Speci?cally, one electronic funds transfer totaling $217,440.00 was destined for a bank account ending in 5091 in the name Orto LP at Norvik Banka, JSC in Riga, Latvia, provided and controlled by defendant VIKTOR VLADIMIROVICH EREMENKO, a/k/a ?nfcorpi.? 100. On or about February 21, 2016, ALEXANDER KONOVOLOV and Krasimir Nikolov discussed and passed the malicious GozNym domain 897-84-579.doc." 101. On or about February 22, 2016, in an effort to re-infect Victim 3?s computers with GozNym, the conspirators sent Victim 3?s employee a subsequent phishing email designed to look like a legitimate email from Bank ofAmerica. The email. attached as EXHIBIT R, looked nearly identical to the phishing email sent by the conspirators to Victim 1. The phishing email contained a link identi?ed as The source code of the phishing email showed that when the recipient clicked on the link the recipient?s computer was directed to the website 7.com/invoices/ invoice 897- 84?579.doc? the same domain discussed and passed between ALEXANDER KONOVOLOV and Krasimir Nikolov on February 21, 2016). At this website, a GozNym 2 3 executable ?le was downloaded and the recipient?s computer was infected with (30sz malware. 102. On or about February 22, 2016, the conspirators fraudulently enticed Victim 3?s employee to click on the link 7.00m/invoices/invoice 897-84- ME and, in doing 50, caused a subsequent installation of GozNym malware on Victim 3?s computer. 103. The domain ?secureserverl7.com? was the same malicious GozNym domain discussed and passed by GENNADY KAPKANOV and ALEXANDER KONOVOLOV on March 7, 2016, and by GENNADY KAPKANOV and MARAT KAZANDJIAN on March 15, 2016. 104. The malicious GozNym domain ?secureserverl 7.com? was hosted by GENNADY KAPKANOV on Avalanche servers and was used to infect victim computers with GozNym malware, including at Victim 3. (4) Victim 4 105. Victim 4 was an association dedicated to providing recreation programs and other services to persons with disabilities located in Downers Grove, Illinois. 106. On or about March 16, 2016. GENNADY KAPKANOV and MARAT KAZANDJ IAN discussed and passed in messages the malicious GozNym domain ?secureserverl 8.com.? 107. The malicious GozNym domain ?secureserverl 8.com" was hosted by GENNADY KAPKANOV on Avalanche servers and was used to infect victims? computers with GozNym malware, including Victim 4?s computers. 108. On or about March 16, 2016, the conspirators sent Victim 4?s employee a phishing email designed to look like a legitimate business email. The email contained a link to 24 the malicious GozNym domain ?secureserverl 8.com.? Clicking on the link caused a GozNym malware executable ?le to be downloaded and the recipient?s computer to be infected with GozNym malware. 109. On or about March 16, 2016, the conspirators fraudulently enticed Victim 4?s employee to click on a link in a phishing email and, in doing so, caused the installation of GozNym malware on Victim 4?s computer. 110. On or about March 25, 2016, ALEXANDER KONOVOLOV sent Krasimir Nikolov a message containing the account details for several bene?ciary bank accounts in Tbilisi, Georgia. 11 1. On or about March 25, 2016, Krasimir Nikolov gained unauthorized access to Victim 4?s BankFinancial account using Victim 4?s online banking credentials captured by GozNym malware, and attempted to cause two unauthorized electronic funds transfer totaling $108,300.00 from Victim 4?s account to bene?ciary bank accounts provided and controlled by conspirators. The bene?ciary accounts designated to receive Victim 4?s stolen funds included the speci?c bank account in Tbilisi, Georgia, sent by ALEXANDER KONOVOLOV to Krasimir Nikolov earlier that same date. (5) Victim 5 112. Victim 5 was a distributor of neurosurgical and medical equipment headquartered in Freiburg, Germany, with a U.S. subsidiary in Cape Coral, Florida. 113. On or about March 7, 2016, defendant FARKHAD RAUF OGLY MANOKHIN, a/k/a ?frusa,? provided conspirators with access to a bank account at Santander Bank, NA, in the name of B.H., Inc. for the purpose of receiving stolen funds from Victim 5?s Bank of America account. 25 1 14. On or about March 7, 2016, conspirators gained unauthorized access to Victim 5?s Bank of America account using Victim 5?s online banking credentials captured by GozNym malware, and caused and attempted to cause an electronic funds transfer of $98,900.00 from Victim 5?s account to the Santander Bank account in the name of B.H., Inc. provided and controlled by FARKHAD RAUF OGLY MANOKHIN. This transaction resulted in a loss of $98,900.00. 115. On or about March 8, 2016, FARKHAD RAUF OGLY MANOKHIN sent ALEXANDER KONOVOLOV a screen shot of a confirmation of the electronic funds transfer of $98,900.00 from Victim 5?s bank account to the Santander Bank bene?ciary account provided and controlled by MANOKHIN. 116. On or about March 8, 2016, FARKHAD RAUF OGLY MANOKHIN advised ALEXANDER KONOVOLOV of his concern that his ?drop had run off" and had stolen the $98,900.00 from the conspirators. After MANOKHIN advised that he would re-send the wire transfer, KONOVOLOV stated, "Send it to. . .nfcorpi? (a/k/a VIKTOR VLADIMIROVICH EREMENKO). 17. On or about March 16, 2016, FARKHAD RAUF OGLY MANOKHIN contacted VIKTOR VLADIMIROVICH EREMENKO, a/k/a "nfcorpi." The communication from MANOKHIN began, ?Hi. I?m from NoNe.? EREMENKO replied, ?Understood.? MANOKHIN and EREMENKO collaborated on the receipt and transfer of stolen funds using their respective bank accounts (drop accounts). (6) Victim 6 118. Victim 6 was a fumiture business located in Chula Vista, California. 1 19. On or about March 25, 2016, Nikolov sent a co?conspirator a message containing the email address of an employee at Victim 6, along with an account passcode .26 120. On or about March 25, 2016, Nikolov sent a KONOVOLOV a message containing the following information: 03/25/2016 [Victim 6?s name],? along with the speci?c name and account number of the bene?ciary account at VTB Bank in Tbilisi, Georgia. 121. On or about March 25, 2016, Nikolov gained unauthorized access to Victim 6?s CommerceWest bank account using online banking credentials captured by GozNym malware, and attempted to cause ten electronic funds transfers totaling $737,550.00, from Victim 6?s bank account to bene?ciary accounts at VTB Bank in Tbilisi, Georgia, provided and controlled by the conspirators. (7) Victim 7 122. Victim 7 was a provider of electrical safety devices located in Cumberland, Rhode Island. 123. On or about March 25, 2016, ALEXANDER KONOVOLOV directed Krasimir Nikolov to send him the name and account details for a bank account at a bank located in Tbilisi, Georgia, that was provided and controlled by conspirators. 124. On or about March 30, 2016, conspirators gained unauthorized access to Victim 7?s Bank of America account using online banking login credentials captured by GozNym malware, and attempted to cause, and did cause, an electronic funds transfer in the amount of $199,777.00 from Victim 7?s Bank ofArnerica account to a beneficiary account in the same name and at the same bank in Tbilisi, Georgia, that Nikolov provided to KONOVOLOV on or about March 25, 2016. The fraudulent transaction resulted in a loss 125. On or about March 31, 2016, conspirators again gained unauthorized access to Victim 7?s Bank of America account using online banking login credentials captured by GozNym malware. and attempted to cause an electronic funds transfer in the amount of 27 $195,000.00 from Victim 7?s Bank of America account to a bene?ciary account at a bank in Tbilisi, Georgia, provided and controlled by a conspirator. (8) Victim 8 126. Victim 8 was a contracting business located in Warren, Michigan. 127. On or about April 5, 2016, conspirators sent Victim 8?s employee a phishing email and attachment designed to look legitimate, which enticed the employee to click on the attachment and, in doing so, caused the installation of GozNym malware on Victim 8?s computer. 128. On or about April 1 1, 2016, FARKHAD RAUF OGLY MANOKHIN provided conspirators with access to a bank account ending in 3663 in the name of JST at Bank of America, for the purpose of receiving stolen funds Via an electronic funds transfer from Victim 8?s Comerica Bank account. 129. On or about April 1 l, 2016, RUSLAN VLADIMIROVICH KATIRKIN gained unauthorized access to Victim 8?s Comerica bank account using Victim 8?s online banking credentials captured by GozNym malware, and attempted to cause two unauthorized electronic funds transfers totaling $128,000.00 to bank accounts provided and controlled by conspirators. One electronic funds transfer totaling $79,000.00 was destined for the Bank of America account ending in 3663 in the name of ST provided and controlled by FARKHAD MANOKHIN. The transaction resulted in a loss of $28,000.00. (9) Victim 9 130. Victim 9 was a provider of cold pack shipping products located in Moon, in the Western District 131. On or about April 5. 2016, defendant FARKHAD RAUF OGLY MANOKHIN provided conSpirators with access to a Citibank, NA. bank account ending in 6728 in the name 28 of 1.2., for the purpose of receiving stolen funds via an electronic funds transfer from Victim 9?s account at First National Bank of 132. On or about April 8, 2016, conspirators gained unauthorized access to Victim 9?s account at First National Bank of using Victim 9?s online banking credentials captured by GozNym malware, and attempted to cause an electronic funds transfer of $19,000.00 from Victim 9?s account to the Citibank, NA. account ending in 6728 in the name of 12., provided and controlled by FARKHAD RAUF OGLY MANOKHTN. (10) Victim 10 133. Victim 10 was a bolt manufacturing company located in Carnegie, in the Western District of 134. On or about April 7, 2016, conspirators sent Victim 10?s employee a phishing email and attachment designed to look legitimate, which enticed the employee to click on the attachment and, in doing so, caused the installation of GozNym malware on Victim 10?s computer. 135. On or about April 1 l, 2016, defendant RUSLAN VLADIMIROVICH gained unauthorized access to Victim 10?s PNC Bank account from the GozNym token panel hosted at IP address 204.155.31.133 using Victim 10?s online banking credentials captured by GozNym malware, and attempted to cause two electronic funds transfers totaling $455,500.00 from Victim 10?s PNC account to beneficiary accounts provided and controlled by conspirators. (11) Victim 11 136. Victim 11 was a casino located in Gulfport, Mississippi. 137. On or about April 18, 2016, conspirators sent Victim 11?s employee a phishing email and attachment designed to look legitimate, which enticed the employee to click on the 29 attachment and, in doing so, caused the installation of GozNym malware on Victim 1 1 ?8 computer. 138. On or about April 21, 2016, conspirators gained unauthorized access to Victim 1 1?5 People?s Bank account using online banking login credentials captured by GozNym malware, and attempted to cause four electronic funds transfers totaling $197,300.00 from Victim 11?s account to bene?ciary bank accounts provided and controlled by the conspirators. One electronic funds transfer for $92,500.00 was destined for a bene?ciary bank account ending in 2263 in the name Harris Insurance. A second transfer for $92,500.00 was destined for a bene?ciary bank account ending in 3338 in the name roulet and Associates. 139. On or about May 3, 2016, Krasimir Nikolov sent a message to ALEXANDER KONOVOLOV containing the details for the same bene?ciary account ending in 2263 in the name Harris Insurance as well as the details for the same beneficiary account ending in 3338 in the name Croulet and Associates for which Victim 11?s stolen funds were destined. (12) Victim 12 140. Victim 12 was a stud farm located in Midway, Kentucky that specialized in breeding, selling, and racing thoroughbred horses. 141. On April 21 2016, defendant ALEXANDER VAN HOOF, a/k/a ?al666.? provided a conspirator with detailed information regarding two bene?ciary accounts designated to receive stolen funds from GozNym victims. 142. On or about April 21, 2016, conspirators gained unauthorized access to Victim 12?s Limestone Bank account using online banking login credentials captured by GozNym malware, and attempted to cause three electronic funds transfers totaling $60,000.00, from Victim 12's account to bene?ciary accounts provided and controlled by conspirators. In 30 particular, the two bene?ciary accounts provided and controlled by VAN HOOF were designated to receive a total of$17,000. (13) Victim 13 143. Victim 13 was a law of?ce located in Wellesley, Massachusetts. 144. On or about August 30, 2016, Krasimir Nikolov gained unauthorized access to Victim 13?s Brookline Bank account using online banking login credentials captured by GozNym malware, and attempted to cause, and did cause, an electronic funds transfer in the amount of $41,000.00 from Victim 13?s account to a bene?ciary account at TD Bank provided and controlled by a conspirator. 145. On or about August 30, 2016, Krasimir Nikolov provided the details of the electronic funds transfer, including the $41,000.00 amount and the name of the Victim 13?s employee on the transfer, to the conspirator who provided and controlled the bene?ciary account at TD Bank. 146. On or about September 2, 2016, Krasimir Nikolov communicated with MARAT KAZANDJ IAN and ALEXANDER KONOLOLOV regarding the fraudulent $41,000.00 electronic funds transfer from Victim 13?s bank account, as well as the agreed upon percentage split of the stolen ?ll?ldS amongst the conspirators. The fraudulent transaction resulted in a loss of $41,000.00. All in violation of Title 18, United States Code, Section 371. 31 COUNT TWO (ConSpiracy to Commit Wire and Bank Fraud) The grand jury further charges: 147. The allegations contained in Paragraphs 1 through 145 of this Indictment are repeated, re-alleged, and incorporated by reference as if fully set forth herein. Statutorv Allegations 148. From in and around October 2015, and continuing thereafter to in and around December 2016, in the Western District of and elsewhere, the defendants, ALEXANDER KONOVOLOV, a/k/a "NoNe," a/k/a "none_1 MARAT KAZANDJ IAN, a/k/a ?phantOm,? VLADIMIR GORJN, a/k/a ?Voland,? a/k/a a/k/a "riddler," GENNADY KAPKANOV, a/k/a ?Hennadiy Kapkanov,? a/k/a a/k/a ?fthost,? a/kfa ?firestarter,? a/k/a ?User 41,? KONSTANTIN VOLCI-IKOV, a/k/a ?elvi,? EDUARD MALANICI, a/k/a ?JekaProf,? a/k/a RUSLAN VLADIMIROVICH KATIRKIN, a/k/a ?stratos,? a/k/a "xenj? VIKTOR VLADIMIROVICH EREMENKO, a/k/a "nfcorpi," FARKHAD RAUF OGLY MANOKHIN, a/k/a ?frusa,? ALEXANDER VAN HOOF, a/k/a ?211666,? along with conspirator Krasimir Nikolov, a/k/a "pablopicasso," a/k/a "salvadordali," a/k/a ?karlo? knowingly and willfully did conspire, combine, and agree together and with other persons known and unknown to the grand jury to commit wire fraud and bank fraud, to wit: a. to knowingly and willfully devise and execute, and attempt to execute, a scheme and artifice to defraud, and for obtaining money and property by means of materially false and fraudulent pretenses, representations, and promises; and in executing and attempting to execute this scheme and artifice, to knowingly cause to be transmitted in interstate and foreign commerce, by means of wire communication, certain signs, signals and sounds as further described herein, in violation of Title 18, United States Code, Section 1343; b. to knowingly and willfully devise and execute, and attempt to execute, a scheme and artifice to defraud financial institutions, as de?ned in Title 18, United States Code, Section 20, and to obtain moneys and funds under the custody and control of?nancial institutions by means ofmaterially false and 32 fraudulent pretenses, representations, and promises, in violation of Title 18, United States Code, Section 1344. Obiectives 0f the Conspiracv 149. The objectives of the conspiracy included: infecting victims? computers with GozNym malware designed to capture victims? online banking login credentials; using the captured login credentials to gain unauthorized access to victims? online bank accounts at US. ?nancial institutions; and stealing funds from victims? US. bank accounts and laundering those funds using US. and foreign bene?ciary bank accounts provided and controlled by conspirators. Manner and Means of the Consniracv 150. The manner and means used to accomplish the objectives of the conspiracy are set forth in paragraphs 28 through 55 of this Indictment. 151. In order to infect victims? computer with GozNym malware, the defendants and conspirators known and unknown to the grand jury crafted and transmitted through the Internet in interstate and foreign commerce phishing emails containing malicious hyperlinks or attachments which, when clicked, downloaded GozNym malware onto victims? computers without the victims? knowledge or consent. The phishing emails were falsely designed to appear as legitimate business emails from companies and financial institutions in order to deceive victim recipients into opening the emails. The malicious hyperlinks and attachments were falsely represented to be legitimate links and attachments, such as business invoices, in order to fraudulently entice the victim recipients to click on them. GozNym malware captured the victims? online banking login credentials. 152. In order to fraudulently gain unauthorized access the victims? online bank accounts, the defendants, and conspirators known and unknown to the grand jury, used the 33 victims? captured online banking login credentials without authorization to falsely represent to banks that the defendants and their conspirators were victims or employees of Victims who had authorization to access the bank accounts and to make electronic funds transfers from said accounts. All in violation of Title 18, United States Code, Section 1349. 34 COUNT THREE The grand jury further charges that: 153. The allegations contained in Paragraphs 1 through 145 of this Indictment are repeated, re?alleged, and incorporated by reference as if fully set forth herein. 154. From in and around October 2015, and continuing thereafter to in and around December 2016, in the Western District of and elsewhere, the defendants, ALEXANDER KONOVOLOV, a/k/a ?NoNe,? a/k/a ?none_1,? MARAT KAZANDJ IAN, a/k/a ?phantOm,? VLADIMIR GORIN, afk/a ?Voland,? a/k/a ?mrv,? a/k/a ?riddler,? GENNADY KAPKANOV, a/k/a ?Hennadiy Kapkanov,? a/k/a ?flux,? a/k/a ?ffhost,? a/k/a ??restarter,? a/k/a ?User 41 KONSTANTIN VOLCHKOV, a/k/a ?elvi,? EDUARD MALANICI, a/k/a ?JekaProf,? a/k/a RU SLAN VLADIMIROVICH KATIRKIN, a/lda ?stratos,? a/k/a ?xcn,? VIKTOR VLADIMIROVICH EREMENKO, a/k/a ?nfcorpi,? FARKI-IAD RAUF OGLY MANOKHIN, a/k/a ?frusa,? and ALEXANDER VAN HOOF, a/k/a ?31666," along with conSpirator Krasimir Nikolov, a/k/a i?pablopicasso," a/k/a ?salvadordali,? a/k/a ?karlo,? and others known and unknown to the grand jury, intentionally and knowingly did combine, conspire, and agree together and with each other to commit money laundering against the United States in violation of Title 18, United States Code, Sections 1956, that is: a. to knowingly conduct and attempt to conduct ?nancial transactions involving property representing the proceeds of speci?ed unlawful activity, namely, computer fraud, in violation of Title 18, United States Code, Section 1030, knowing that the transactions were designed, in whole or in part, to conceal and disguise the nature, location, source, ownership and control of the proceeds of the speci?ed unlawful activity, contrary to the provisions of Title 18, United States Code, Section b. to knowingly tranSport, transmit. transfer, and attempt to transport, transmit, and transfer funds from a place in the United States to a place outside the United States, knowing that the funds involved in the transportation, transmission, and transfer represent the proceeds of unlawful activity, namely computer fraud, in violation of Title 18, United States Code, Section 1030, 3 35 and knowing that such transportation, transmission, and transfer is designed, in whole or in part, to conceal and disguise the nature, location. source, ownership and control of the proceeds of the unlawful activity, contrary to the provisions of Title 18, United States Code, Section Objectives of the Conspiracy 155. The objectives of the conspiracy included: infecting victims? computers with GozNym malware designed to capture victims? online banking login credentials; using the captured login credentials to gain unauthorized access to victims? online bank accounts at US. ?nancial institutions; and stealing funds from victims? US. bank accounts and laundering those funds using US. and foreign bene?ciary bank accounts provided and controlled by conspirators. Manner and Means of the Conspiracy 156. The manner and means used to accomplish the objectives of the conSpiracy are set forth in paragraphs 28 through 55 of this Indictment. 157. The defendants, and conspirators known and unknown to the grand jury, did conduct and attempt to conduct unauthorized electronic funds transfers from victims? online bank accounts at US. ?nancial institutions into US. and foreign bene?ciary bank accounts provided and controlled by conSpirators. All in violation of Title 18, United States Code, Section 1956(h). A True Bill, gZ/C?ll/t/Q/G SCOTT W. BRADY United States Attorney PA ID No. 88352 36 Alexander Konovolov Exhibit A Marat Kazandjian Exhibit Vladimir Gorin Exhibit Gennady Kapkanov Exhibit Eduard Malanici Exhibit Ruslan Vladimirovich Katirkin Exhibit Viktor Vladimirovich Eremenko Exhibit Farkhad Rauf. Ogly Manokhin Exhibit Alexander Van Hoof Exhibit 1 Joker's ?l I.) In! 'MP?t??mm DUMPS SHUP .SU DUMPS SHOP MIRRORS: MUMPS SHOP SITE: )lb?U DUMPS SHOP MIRRORS: II A6y30yc10?qnable newer-ma: fast flux, cepsepa/VPS, npoxcuposauue, noneHbI/SSL User CP New Posts Search Notices 3a6epeM Bac 8am mm EBpone Hosting, Dedicated Servers, Spam 41W_A5Y3?bll (EPBEP FIRST UNDERGRDUD FIRST UNDERGRDUD ., - I HIGH UUQLITY SHOP HIGH OUFILJTY SHOP . . . Sands: I Thread Tools Search this thread 7 Rate Thread Display Modes ?7 ccpacpa . saga?mu: . yer-Esq? unusiuue .lawnm! Bapaacrs'ynre' Fpennarden Ban (ne?womue A?ysoy?o?wnabl? xocnmr no Fast Flux Hocnmr Ha {joTaxJ non wobble npoeKTbI. 0T6L1pm01cn ucxmoumenbm Ha RaHanax. cra6t1ano ancomui amafm. - Penupek?rbl (npoxcupoaanne) nomepmxo? Mgeanbno nonxonur mm ananenbuea Someros. ?narogapn Taxo? TEXHon-amu Bce Syn-n OCTasaTan mac. LHQ rec-350nm Bar-v nrnonbaosaTb cepeep n+060r-I naTa - A?yaovno?uuable nunenenuble cepaepa a VPS. nepxarb a?vm or cnar-Hav3a. - Perucrpauun noneuoa SSL cepmcbukaroa. L1 (mm-(08. Ho ace? unn "m 9 9 A !3 E12 31:!uy20161731 lirostarter. ?enaen cep?ru. Muf- in? nmmne a xaesep om): mm has: in Fm San: (100%) Vent-I: Mn Inhr BILL Fastflux mum" npomuponame. A?yaocw?ue cepoepa. Wu ?uent?. Kan-Imam new. [3 Top *1 Bill Wg Ar. hitektul Wg Igm Uh 1 i . Exhibit 4. Nana JW .23: nk com aspx?m: 059 5&bumd=9563bafdab 39:10:22 name: I) 221896058 Bonnet 509 70 58 6 174 Socks 440-5 104 19125217? 4345 104193 252177 40761 mow-m [Molding ll collapsebg mm? 09107I2016 05:55:57 PM, 09070018 05:58:09 D?a - 091070016 05:14:11 PM, Ne?'ellen mmom 101-133111on Obhc? last I'm 0910712010 06:14:29 PM, Low: Daa homellnic Kw passwond: rm - ?mam ~52- . ankann=c14060d05902 Clem 08010016 03353.05 PM 0910712016 06'14?29 PM Acllviy 0910712016 08:15:32 PM 01 Comment: Exhibit 9 250 (Offline) - iamiom?mmnm 250 Logged out [none.l@xmpp.jp Client Offline ffhost 250_admin (Offline) 250_admin phant0m@exploit.im Client Offline ffhost Exhibit 2933 201601-13 103911 2950 316-0118103953 2551 201001-10 105022 2925 20150121112052 2977 2015-01-23 1121558 no: 2016015110907 31! 2015021607023 3220 20160221161254 1mm ymwmem MWM 1am.m may-mm MWUM mmodamilm ?#8388238: Exhibit ?hmumhww $11quwa MUWID manor-mam.? mm?: muoogkm mlmlem Wm nsmecfubsy pa mgoogkm WM 3 am.? I In menu - Bank of Amenca a, Good morning. Please see the attached invoice and renal payment awarding to the tears ?ied at the bottom ofthe invoice. If you haw any questions please let us know Thank you! m? 1.0. Accounmg Spedaistl Bank oMrne?m? PLLC rnvoioe 0028556.doc Banking producs mpmudod byBankofknm.NArdaFind banks. Vat-bersFDiC aM'dMIyownad subsiduhesofBank of AnuncaCorponion. nsurameptoducs: Are Not FDIC An.- 301 Bank Gmnmeed May Lose aha Are Not Are 3'0: Insured by Any Federal Are Not 1 Condition to Any Deposits GorermmAgenc)? Banking Serr'rc or Actirin MurilE?pl. amiable ?mil Lynda. Pierce. Fennel. Smur- Wm o'lhml E690 or 5 !me mine mama. IhmILyIrh Human! nukes amiableprm ma mama WI LM. Puma. FermatSmm tampon-d. was I l'arholwm swan-3mm of?menu Corporation Insurance products are blind trough Lib howlna.3mko?knm.NA. Minor Muf?n-sic: InmrameSenioes. Incl! :1wa band Inmnu mndesand msdaru Mm af?mma Commit-on. Bank ofAmenca. MMWFUC Equil Hakim; Lancer 02015 Bmkof?ma'ica 0.3me right rewnd. F2r?rd lhis gmlil ThiIIfl'lli nu latte Exhibit 0 (2/16/2016 7:45:02 250: {GPGdec)rassilkn eerez tuscflux doc macrosdn tele pisem budet to?eano na jertv slats: [2/16/2016 7:45:23 250: {2/16/2016 7:45:31 250: <6PGdec>knk to :ak [2/16/2016 7:45:35 250: na nebulahoe [2/16/2016 7:15:37 250: (GPGdec)1k [2/16/2016 7:46:27 ??h05t: oxe? Hy Jun: 5! ransom me 110M211 cnena'rb, HO rapau'nc? nub He 1.x. nc? enema [2/16/2016 7:46:42 250: [2/16/2016 7:16:56 250: [2/16/2016 7:46:59 250: posmo:r1 avoboden Exhibit Milochik, Michael (MPD) From: Sent: To: Subject Tuesdai. February 16, 2016 10:59 AM Your Quicken Bill Pay lnvorce from 02/12/2016. Greetings from Quicken Bilipay-centeri Thank you for your business. and we look forward to the opportunity of sewing you again in the future. Click the link below to View your invoice. if you have any questions cail us at 1'877488-8843 Sincerely, Billpay-center This message has been scanned [or viruses and dangerous content by MailScanner. and is believed to be clean. Wail VWubsa?iba This email was sent Mimi: Rapld removal with ?eUansmhe? omvioer. . I I I. 1.- :Lll Ventext 290 West Mt Pleasant Ave Suite 3200 Livingston NJ 07039 Exhibit Sam: 927016 35 34 9M 0000C 10: Subject: I'll! nca ayment BankofAme?ca Good morning. Please see the altar hed wane and remit paymmt according to me zerms sled al the Doctor" 01 {he yau wave any questuts please let us mam Thank m?w Accountng Specmsn Bank otAmenca Pl are modded by Sam oiAmenca A and ammo Dams Members FDIC and whom- owned suosm; Amman "1393"!? M0 nsuunce Are Hut mt. Au No! Bank 'Juannteed May I use value :nsmed Am Not 0990915 Are Not Insured by Any fodeul Ale Hal .3 (.ootlmon to An) Gmemmem Agency Sara 0: Activity 1 norm! Educ tram Waugh Imutynm Puma Fem-m a 5mm Inca-ousted consuls c'uerm Edge A mudanue) ct sale-ream ammo msung Menu Weam management makes available amount and sermons a?eled n, Merrill PIEICC cane: a 8m: is a "0:5qu and a umolhv owned ?030? of bank of An?mca Commas?! imam pun; 1? we clued Noam Hamil me? L?e ?gene. In: Ban-r of America NA anu'o: Banc of Arrenca Imu Inc ail af?ict: an licensed ?nsurzr-m agqnau and suasvamnes ol Pant a! A?renca Ban: mlmencz, NA Memau FDIC 1' Hum 1 hr. 0 2-315 Bank at Amonca Comoranon N1 nants 'eseM'd Exhibit