Anti-Phishing, DMARC , Email Threat Protection , Fraud Management & Cybercrime

Romanian Cybercrime Suspects Extradited to Face US Charges

Three-Man 'Bayrob' Trojan Gang Tied to $35 Million in Losses, Symantec Says
Romanian Cybercrime Suspects Extradited to Face US Charges
The gang's early efforts allegedly involved car auction scams and malware-laced slideshows of vehicles purportedly for sale.

Three Romanian men accused of running a cybercrime ring that used custom-built "Bayrob" malware and money mules to steal at least $4 million from victims have been extradited to face charges in the United States.

See Also: Kaspersky Lab's New Focus on Fraud Prevention

The three suspects - Bogdan Nicolescu (aka "Masterfraud,"), 34; Danet Tiberiu (aka "Amightysa,"), 31; and Radu Miclaus (aka "Minolta"), 34 - were arrested earlier this year by Romanian police. They were extradited to the United States last week, following an eight-year investigation led by the FBI, which included assistance from the Romanian National Police.

Danet's attorney, Cleveland-based Ron Frey, tells Information Security Media Group: "Mr. Danet has no prior involvement with the criminal justice system whatsoever. At arraignment, we appeared in court and he entered a not-guilty plea to all counts."

Attorneys for the other two defendants couldn't be immediately reached for comment.

A 21-count indictment, dated Aug. 8 and unsealed Dec. 17 in federal court, charges each of the men with wire fraud, identity theft, money laundering and trafficking in counterfeit goods or services.

"These defendants stole millions of dollars from people in the United States through a sophisticated fraud conspiracy they operated in Eastern Europe," says U.S. Attorney Carole S. Rendon.

The gang allegedly employed phishing attacks as well as malware to snare victims. "The Bayrob Group disseminated the Bayrob Trojan through malicious emails purporting to be from legitimate entities such as Western Union, Norton AntiVirus and the U.S. Internal Revenue Service," according to the indictment. "The emails prompted the recipient to click on an attached file for information about a cash receipt or deficiency. When victims clicked on the attached file, the Bayrob Trojan was surreptitiously installed on their computer."

According to the indictment, various versions of the Bayrob malware successfully infected at least 60,000 PCs since 2007, allowing attackers to harvest email addresses stored in the computers' email programs, steal personal data, disable anti-malware software, as well as automatically register AOL accounts that were then used to send malicious emails to further disseminate the malware.

Later versions of the malware also included the ability to use the infected PCs' processing power to mine for cryptocurrency, authorities say. Such mining involves solving complex mathematical challenges - to validate cryptocurrency transactions - in return for a potential reward.

Bayrob Gang: "Career Cybercriminals"

The men - "career cybercriminals" - were based in Bucharest, Romania, according to security firm Symantec, which says it assisted with the law enforcement investigation.

"Bayrob first came to our attention in 2007, when it was discovered operating a scam that conned victims into believing they were buying a vehicle on eBay," Symantec's Security Response team says in a blog post. "It later expanded and diversified with a number of different fraud and malware operations, ranging from credit card theft to cryptocurrency mining using infected computers."

Symantec first detailed the gang's activities in a series of 2007 blog posts.

Symantec's efforts earned it a shout-out from attackers in updated Bayrob code.

While the indictment ties the gang to at least $4 million in losses, Symantec estimates that the total losses over the past eight years may reach $35 million. It's also accused the gang of sending 11 million malicious emails and running a botnet that by the middle of this year was composed of 300,000 infected PCs.


Symantec says that the gang practiced exceptional operational security, relying on encrypted communications - including PGP and instant messaging encrypted with the Off-The-Record messaging protocol - as well as using a double layer of proxies for controlling the command-and-control servers that interfaced with infected PCs, or bots. Authorities say the gang only used VPNs to connect to proxies.

But at some point in its 10-year run, a gang member made an OPSEC mistake. "To cover its tracks, the gang hid behind a double layer of proxies, connecting first to proxies in Romania and then to more proxies in the U.S.," Symantec says. "One of our most significant breakthroughs came when we discovered a weak point in their use of these proxies. Due to this weakness, the gang's malicious activities were exposed, allowing us to passively observe its activities."

After that, the security firm says that it was able to painstakingly map the attackers' malicious infrastructure and tactics, ultimately leading to their identities and related operations being unmasked.

Humble Cybercrime Beginnings

Symantec says the gang and its malware evolved substantially over time. Early attacks involved tricking would-be vehicle buyers into installing the gang's malware, which redirected them to real-looking but fake eBay auction pages, Symantec says. Auction "winners" were instructed to send money to the seller via a bank transfer, "which was routed to an account that belonged to a money mule, who would in turn transfer the proceeds of the fraud to the gang," it says.

These "money transfer agents" were recruited from both sides of the Atlantic, Symantec adds, via classified advertising, and subjected to interviews via instant messaging and VoIP calls. "Rather than the usual cybercriminal tactic of using 'work from home' ads, the Bayrob gang often copied legitimate job ads in order to appear more convincing," it says. "Those who responded were told that the job had been filled but were then offered an alternative, work-from-home job. ... Some victims were even told they'd gotten a job with a fake Yahoo subsidiary called Yahoo Transfers."

Some money mules were told they'd been hired by a fake Yahoo subsidiary, Symantec says.

Symantec says money mules in the United States were offered the option of keeping 6 percent of the funds they transferred or else sending the entire amount in return for the promise of receiving 10 percent later, although the latter option was a scam and never paid out.

International Cooperation

Officials have lauded this case as being a textbook example of disrupting a cross-border cybercrime operation. "Our response demonstrates that, with effective international cooperation, we can track these criminals down and make sure they face justice, no matter where or how they try to hide," says Leslie R. Caldwell, assistant attorney general for the Justice Department's criminal division.

Despite such assurances, however, one obvious exception is Russia, which security experts say has long been a hotbed of cybercrime. To date, Russia has not extradited any cybercrime suspects (see Russian Cybercrime Rule No. 1: Don't Hack Russians).

To target these cybercriminals, the Justice Department sometimes engages in what it dubs informal extradition, or what some might call kidnapping. It involves federal agents intercepting a suspect abroad, flying them to U.S. territory, charging them and then bringing them before a judge. As with this case against the alleged Romanian cybercriminals, however, such investigations may take years to come to fruition.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.