The FBI wanted poster looks like a yearbook page from a Russian provincial college. Seventeen men and women from Eastern Europe, mostly between the ages of 19 and 22, with bad skin, nerdy haircuts and no resemblance to your stereotypical bank robbers. But in the past two years, this ring of hackers was allegedly able to steal tens of millions of dollars from small businesses in the U.S. The arrests of 39 of their operatives in the U.S. last week is being touted by the FBI as one of the biggest busts in the history of cybercrime. The problem, though, is that the real masterminds are likely still pecking at their keyboards across Russia and Eastern Europe, and experts say there is little to stop them from regrouping, sending out another virus and pumping millions of dollars more out of American bank accounts. Such is the frustrating reality of cybercrime in the ex-Soviet states, where hackers often work with impunity.
According to the FBI, the gang busted last week after an 18-month investigation used a version of the Zeus Trojan virus to infect weak computer systems, especially those belonging to small businesses, churches and at least one hospital. Once infected, the machines sent the owners' bank passwords back to the hackers in Eastern Europe. Then came the messy part. Russian and Moldovan nationals who had mostly entered the U.S. on student visas were recruited to set up hundreds of bank accounts in the U.S. under fake names among them were "Fortune Binot" and "Bazil Kozloff" and slowly withdraw the cash that had been illegally transferred into those dummy accounts. In total, they stole some $70 million before they were caught; the gang had attempted to steal $220 million in total, the FBI said in a statement on Oct. 1.
But this is a tiny fraction of the income these networks earn each year from similar kinds of global fraud, says Nikita Kislitsyn, the editor of Russia's Hacker Magazine, whose website hosts one of the favored forums for Russian-speaking hackers. "We're talking about tens of billions of dollars per year, so this is a drop in the ocean," Kislitsyn says. "There is a huge market and a well-established infrastructure for these crimes, and it's still very rare for anyone to get arrested."
Those who do get caught are usually the ones who get their hands dirty by setting up fake bank accounts or withdrawing stolen money from ATMs. These so-called money mules, dozens of whom were arrested during the bust last week, are usually recruited online through Russian social-networking sites; they are paid a small percentage of the sums they are able to withdraw. The hackers who infect the computers and make the illegal transfers in the first place usually remain hidden behind their online aliases, and seldom come into contact with their network of mules.
Their work, of course, can be done from anywhere in the world, but the most sophisticated bank fraudsters tend to be based in Russia and its neighbors, says Aleks Gostev, the chief security expert at Kaspersky Lab, Russia's leading cybersecurity firm. The original Zeus virus was written by Russian hackers, Gostev says, and on hacker forums such as mazafaka.ru and its offshoots, one can hire a hacker for less than a $1,000 to customize a Zeus Trojan to specifically target practically any system in the world. "To effectively fight these kinds of criminals, the ones who work in the shadows, you need intensive international cooperation," Gostev says. "The secret services of many countries need to be involved, including agents in the former Soviet states, where these crimes usually originate."
On this front, the FBI investigation made public last week was a breakthrough: the Ukrainian secret police, known as the SBU, worked closely with the FBI, and five suspects were detained in Ukraine last week. But the Russian government does not appear to have been too helpful, even though most of the suspects on the FBI indictment were listed as Russian nationals. On Oct. 1, after the FBI informed the Russian Foreign Ministry of the arrests, Moscow's vice consul in New York City warned that the consulate general might file an official complaint if it turns out that Russians were arrested without following diplomatic protocol. No mention has been made of the two sides working together on this case.
In the past, however, there have been cases of cooperation between the U.S. and Russia on issues of cybercrime, notably when the U.S. indicted a Russian hacker for stealing some $9 million from the U.S. division of the Royal Bank of Scotland in 2006. But last month a Russian court gave that cyberthief a suspended sentence, underscoring the widely held belief that Russia remains a kind of safe zone for hackers. This reputation comes largely thanks to Russia's faulty legislation against cybercriminals and a lack of understanding of their crimes, which normally target banks and institutions in the West, not in Russia, making them less of a concern for local law enforcement. (For instance, Hacker Magazine, despite Russia's strict laws controlling the media, published a story in August explaining how to crack the NATO website, with screenshots and step-by-step instructions.)
Alexey Salnikov, deputy head of Moscow State University's Institute on the Problems of Information Security, which advises the government on cybercrime, says the main problem is in the hackers' anonymity. "There is no scientific basis for establishing the authorship of these crimes," he says. "When the attack comes from one country, the victim is in another and the stolen money is in a third, how do you solve the crime when every country has completely different laws?" This seems to be the central question, and if last week's bust proves anything, it is that global law enforcement has only begun to answer it. So the next time Russian hackers are caught siphoning millions from American accounts, it seems likely that the FBI will again be chasing mules.