Federal Authorities Charge Andrey Ghinkul in Dridex Malware Conspiracy

"If you play with firewalls, you will get burnt" is the message being sent to cross-border cybercriminals. The Dell SecureWorks Counter Threat Unit (CTU) research team collaborated with the UK National Crime Agency (NCA), the US Federal Bureau of Investigation (FBI) and the Shadowserver Foundation to take over the Dridex banking Trojan. It was a display of a truly global collaborative effort to bring cybercriminals to justice. The United States and the United Kingdom have arrested a Moldovan man said to be responsible for an elaborate million-dollar malware scheme.

Assistant Attorney General Leslie R. Caldwell of the Justice Department’s Criminal Division, US Attorney David J. Hickton of the Western District of Pennsylvania and Special Agent in Charge Scott S. Smith of the FBI’s Pittsburgh Division announced the nine-count federal indictment. The indictment unsealed Tuesday, October 13, 2015, charged 30-year-old Andrey Ghinkul of Moldova with criminal conspiracy, unauthorized computer access with intent to defraud, damaging a computer, wire fraud and bank fraud.

According to the indictment, Ghinkul was the administrator of the botnet known as Bugat, Cridex or Dridex. Ghinkul and his co-conspirators used the malware to steal banking credentials, initiate fraudulent ACH (Automated Clearing House) transfers of millions of dollars, and conspire with money mules to launder the stolen funds.

"The steps announced today are another example of our global and innovative approach to combatting cybercrime," said Assistant Attorney General Caldwell. "Our relationships with counterparts all around the world are helping us go after both malicious hackers and their malware. The Bugat/Dridex botnet, run by criminals in Moldova and elsewhere, harmed American citizens and entities. With our partners here and overseas, we will shut down these cross-border criminal schemes."

"Through a technical disruption and criminal indictment, we have struck a blow to one of the most pernicious malware threats in the world," said US Attorney Hickton.

"Cyber criminals often reach across international borders, but this operation demonstrates our determination to shut them down, no matter where they are," said Executive Assistant Director Robert Anderson Jr. of the FBI's Criminal, Cyber, Response and Services Branch. "The criminal charges announced today would not have been possible without the cooperation of our partners in international law enforcement and (the) private sector. We continue to strengthen those relationships and find innovative ways to counter cyber criminals."

"Dridex (Bugat v5) Botnet Takeover Operation" was published on October 13, 2015, by the Dell SecureWorks Counter Threat Unit Threat Intelligence team. The analysis covers the malware's distribution, malware architecture, affiliate model, botnet architecture and peer-to-peer communication. The Dridex botnet's web injects are displayed below:

The FBI estimates that Bugat was responsible for at least $10 million in direct losses in the United States. The case is being prosecuted by Assistant US Attorneys Mary McKeen Houghton and Margaret E. Picking of the Western District of Pennsylvania, and the investigation is being conducted by the FBI. The charges and allegations contained in the indictment are accusations only; the defendant, Andrey Ghinkul, is presumed innocent until and unless proven guilty.