Nautilus

The $100 Million Bot Heist

When it comes to using computers to steal money, few can come close to matching the success of Russian hacker Evgeniy Bogachev. The $3 million bounty the FBI has offered for Bogachev’s capture is larger than any that has ever been offered for a cybercriminal—but that sum represents only a tiny fraction of the money he has stolen through his botnet GameOver ZeuS.[1] At its height in 2012 and 2013, GameOver ZeuS, or GOZ, comprised between 500,000 and 1 million compromised computers all over the world that Bogachev could control remotely. For years, Bogachev used these machines to spread malware that allowed him to steal banking credentials and perpetrate online extortion.[2] No one knows exactly how much money Bogachev stole from his thousands of victims using GOZ, but the FBI conservatively estimates that it was well over $100 million.[2] Meanwhile, Bogachev has spent lavishly on a fleet of luxury cars, two French villas, and a large yacht.[1]

Bogachev lives in the resort town of Anapa on the Black Sea, where Russian officials have declined for years to arrest him or extradite him to the United States. In fact, the Russian government has benefited from his criminal activity. While Bogachev has leveraged his vast network of compromised computers and credentials for financial gain, officials of the Russian government have also on occasion made use of his network and computer intrusions for espionage purposes of their own.[1] But, while the FBI cannot arrest Bogachev so long as he remains safely in Russia, in the summer of 2014 it partnered with several companies and researchers to try to shut down GOZ and cut Bogachev off from the hundreds of thousands of compromised computers under his control. The GOZ takedown was an unprecedented law enforcement effort to fight cybercrime in terms of its scope, technical sophistication, and complexity. It included participants from Germany, the United Kingdom, the Netherlands, and New Zealand, as well as the U.S., and hinted at the potential for international cooperation and public-private partnerships to strengthen cybersecurity and attack criminal infrastructure.

It was called Operation Tovar.

Really very much wanted: In a Wanted poster, the FBI shows these four photographs of Evgeniy Bogachev, and lists some of the aliases he uses, including “lucky12345,” “slavik,” and “Pollingsoon.” (Photo: FBI)

Criminals who infect users’ computers and harness …

These proxy nodes made it considerably more difficult—though not impossible—to trace the bot back to a single controlling server, since the GOZ operators were not communicating directly with most of the infected machines they controlled.
