Bulgarian Charged with GozNym Malware Attacks in the U.S.

PITTSBURGH – A Bulgarian man has been indicted by a federal grand jury in Pittsburgh in connection with a sophisticated malware package known as GozNym, designed to steal banking credentials and other confidential personal information from infected computers, Acting United States Attorney Soo C. Song announced today.

The six-count indictment, returned on Oct. 4, 2016, and unsealed today, named Krasimir Nikolov, age 44, of Varna, Bulgaria, as the sole defendant. Count One charges Nikolov with criminal conspiracy; Count Two charges unauthorized access of a computer to obtain financial information; and Counts Three through Six charge bank fraud. The indictment alleges that Nikolov acquired victims’ stolen banking credentials through GozNym malware infections of victims’ computers to gain unauthorized access to victims’ online bank accounts from which electronic funds transfers were issued or attempted to be issued.

According to Acting U.S. Attorney Song, GozNym malware has been used to target private businesses and their respective financial institutions in the United States since late 2015. Victims receive phishing emails containing a hyperlink or an attachment designed to look like a legitimate business invoice. By clicking on the hyperlink or attachment, the victim’s computer becomes infected with GozNym malware. The malware steals the victim’s online banking login credentials which the criminals then use to access the victim’s bank account and issue unauthorized wire transfers.

Last week Acting U.S. Attorney Song and other members of the Justice Department announced a multi-national operation to dismantle a complex and sophisticated criminal network known as Avalanche which hosted more than two dozen of the world’s most pernicious types of malware, to include GozNym, and several money laundering campaigns. The prosecution of Krasimir Nikolov stems from the criminal investigation into the Avalanche network and the malware campaigns it hosted.

Among the numerous GozNym attacks that occurred throughout the United States, the indictment names the following:

• Nord-Lock, Inc., a bolt-manufacturing company headquartered in Carnegie, Pa., was the victim of an attempted unauthorized wire transfer of $387,500 from its online account at PNC Bank to an account in Sofia, Bulgaria.
• Protech Asphalt Maintenance, Inc., an asphalt and paving business located in New Castle, Pa., was the victim of several attempted unauthorized wire transfers totaling more than $243,000 from its online account at First National Bank.
• Foresight Sports, Inc., a company that provided technology-based golf products and was located in San Diego, California, was the victim of attempted unauthorized wire transfers totaling more than $118,000 from its online account at American Express Foreign Exchange Service Payments.
• California Furniture Collection, Inc., (DBA Artifacts International) a furniture business located in Chula Vista, California, was the victim of several attempted unauthorized wire transfers totaling more than $737,000 from its online account at CommerceWest Bank.
   

Acting U.S. Attorney Song praised the diligence and quick action of the victims and their respective banks in discovering the fraudulent wire transfers and recalling the funds before they were lost.

Nikolov was arrested at his residence in Varna, Bulgaria, on September 8, 2016. He was extradited to the United States over the past weekend, and made his initial appearance in federal court in Western Pennsylvania today at 3:30 p.m.

The law provides for a maximum total sentence of up to 100 years in prison and a fine of $3,500,000. Under the Federal Sentencing Guidelines, the actual sentence imposed would be based upon the seriousness of the offense and the prior criminal history of the defendant.

Assistant United States Attorney Charles Eberle of the Western District of Pennsylvania and Senior Trial Attorney Richard D. Green of the Justice Department’s Computer Crimes and Intellectual Property Section are prosecuting this case on behalf of the government.

The Federal Bureau of Investigation conducted the investigation leading to the indictment in this case. The FBI was assisted by Bulgaria’s General Directorate for Combating Organized Crime. In addition to the Justice Department’s Computer Crimes and Intellectual Property Section’s involvement in the investigation, the Department’s Office of International Affairs provided significant assistance with the extradition process.

An indictment is an accusation. A defendant is presumed innocent unless and until proven guilty.