New Reward for Cyber Fugitive
Assistant Secretary, Bureau of International Narcotics and Law Enforcement Affairs
ASSISTANT ATTORNEY GENERAL CALDWELL: Thank you, and thank you all for joining us and good afternoon. Today we’re going to announce an award for – a reward, excuse me – for information leading to the arrest and/or conviction of Evgeniy Bogachev, an alleged leader of a tightly-knit gang of cyber criminals based in Russia and the Ukraine who are responsible for the development and operation of both the GameOver Zeus and Cryptolocker malware. GameOver Zeus was one of the most sophisticated and damaging botnets that’s ever been created. It infected more than 500,000 computers, up to even maybe more than a million computers worldwide. It caused more than $100 million in financial losses just in the United States alone.
On top of that, the Cryptolocker ransomware infected more than 250,000 computers worldwide. It targeted companies – big companies, small companies – and individuals. In May and June of 2014, we were able to gain control of the GameOver Zeus botnet from the criminals, and also we were able to take the Cryptolocker ransomware offline. This was thanks to an unprecedented action by the FBI, law enforcement in more than 10 countries, and the private sector. Today, due to the work of the FBI and our partners, GameOver Zeus has been neutralized, is out of the criminals’ hands, and Cryptolocker remains inactive. But one significant part of the puzzle remains incomplete, and that is that Mr. Bogachev remains at large. Although we were able to significantly disrupt GameOver Zeus and the Cryptolocker criminal enterprise, we have not yet brought Mr. Bogachev to justice. We must not allow international borders to shield criminals from the law. As the cyber threat grows and more nations join in the international fight against cybercrime, the number of countries that were once perceived as sanctuaries for criminals will shrink. It is shrinking, and it will continue to shrink.
In the case of Bogachev, the same international coalition that brought down his botnet and his ransomware is now chasing him. We appreciate the State Department shining a light on this issue and on this important case today with this reward. This reward is going to reinvigorate the efforts to find Bogachev, and it’s also very importantly going to encourage others to help us find him. And I’m confident that with these efforts, Bogachev will one day be brought to justice in the United States. Thank you.
ASSISTANT SECRETARY BROWNFIELD: Thank you very much, Leslie. Madam Assistant Attorney General, assistant director, and distinguished United States attorney for the western district of Pennsylvania, distinguished members of the media, good afternoon, and thank you all very much for allowing me to participate in this event this afternoon.
Ladies and gentlemen, I am not going to talk about an investigation, a case, or a prosecution, because people far more talented and far more experienced than me are here to talk about that. I am instead going to talk about the President’s strategy to combat transnational organized crime, endorsed and approved by President Obama in 2011 and endorsed by the United States Congress with its authorization and legislation to support a Transnational Organized Crime, or TOC, Rewards Program.
This program, ladies and gentlemen, which is barely two years old, began in 2013 with an offer of a major reward for information leading to the arrest and prosecution of members of the world’s largest wildlife trafficking organization. Since then, rewards have been offered for individuals involved in international smuggling, illicit finance, and internet fraud. It has been successful. In only two years, we have provided payments of more than $20 million in following up on reward offers under the TOC Reward Program. And to put that in some perspective for you, our international narcotics reward program, which is nearing 30 years of age, has paid out somewhat in excess of $88 million over this time frame. Twenty million over two years versus 88 million over nearly 30. I suggest to you that this reward program is having an impact.
We are today announcing, as the assistant attorney general has just said, a new reward offer of $3 million related to Mr. Evgeniy Mikhaylovich Bogachev, perhaps one of the most serious cyber criminals found on Planet Earth today, responsible, we believe, for losses of more than $100 million by innocent individuals and legitimate businesses in the United States of America alone. We hope that this reward offer will in fact lead to resolution of this case and justice in this matter. We are prepared to work with all governments of the world in bringing this case to successful conclusion.
But ladies and gentlemen, this reward offer is perhaps somewhat larger than just this specific case. This is a major reward offer related to cybercrime, and for those of you who have perhaps been asleep for the last 20 or 30 years, or do not own a computer nor ever have used the internet, you may be unaware of it. But for everyone else, this is perhaps the most dangerous criminal enterprise and activity that we are confronting in the 21st century. If this reward has as a consequence the possibility of making potential cyber criminals aware of the risks and willing to leave us alone and take their talents somewhere else, then I suggest to you we have all gained and benefited from this reward.
I thank you very much. Dr. D, over to you.
MR. DEMAREST: Thank you, Ambassador Brownfield. Thank you very much for that. Assistant Attorney General Leslie Caldwell, and of course, my good friend, U.S. Attorney Dave Hickton. Good afternoon. My name is Joe Demarest. I’m the assistant director of the cyber division for the FBI. I’m joined with State Department and Department of Justice and my colleagues from the western district of Pennsylvania U.S. attorney’s office to update our case against Evgeniy Bogachev in announcing this reward. And I have to thank the Department of State and the Transnational Organized Crime Program for offering and working with the FBI and Department of Justice to offer this $3 million reward that leads – or hopefully for information that leads to his arrest and/or conviction of Mr. Bogachev.
Mr. Bogachev is wanted for his role in creating and administering GameOver Zeus botnet and the Cryptolocker malware that infected thousands of computers, as Ms. Caldwell mentioned, worldwide, to the cost of millions of dollars. The scheme wasn’t one targeted heist, obviously. It affected many people and organizations, all simply opening – by opening an email. This was a sophisticated scheme in every way, from the malware design to the setup of the organization to use money mules, or people to move money from bank account to bank account to evade us in law enforcement.
To give you an example of how sophisticated this attack was or this botnet was and how it affected the everyday Americans, the FBI uncovered in our investigation the following: In November 2012, a regional bank in northern Florida had nearly $7 million fraudulently wired out of one of its accounts. The bank maintained an account at a larger correspondent bank – that’s a bank that provides services to other banks rather than to businesses or individuals. On November 6th, 2012, a fraudulent wire transfer was initiated from the correspondent bank account to an account in Switzerland. Although the correspondent bank’s records show that the wire was initiated by an employee of the Florida bank, the employee denied initiating and authorizing the wire transfer. Subsequently, an FBI investigation confirmed that a computer at the Florida bank was infected with the GameOver Zeus malware and that the infected computer was used to steal the credentials that were used to initiate the fraudulent wire.
Another example: In August of 2009, a dairy in Ohio fell victim to a phishing email and subsequently suffered the loss of approximately $300,000. The email was disguised to look as if it was being sent from a bank used by the company or dairy. Upon the opening of the email, the company became victim to the Zeus malware.
In December 2009, a small Catholic nonprofit society that has served the community of Chicago for over 114 years fell victim to the malware known as Zeus and subsequently suffered a loss of approximately $130,000. A member of the society received an email which was disguised to look as if being sent by a known sender. Upon opening the email, the computer was infected, again, with the Zeus malware.
Bogachev, in his role, worked as an administrator along with his co-conspirators to distribute the malware through phishing schemes and spam. Bogachev is also alleged to be the creator of the ransomware Cryptolocker. Both GameOver Zeus and Cryptolocker targeted and infected computers worldwide – as Ms. Caldwell had mentioned, 500,000 to potentially over 1 million.
With the U.S.-led mitigation efforts, there has been reduction in GameOver Zeus infections by almost 85 percent in the U.S., and globally about 81 percent. The idea was to attack or at least conduct enforcement operations as we mitigate the botnet, the infrastructure used by the botnet or the actors. The keys to Cryptolocker were uncovered by FireEye and Fox-IT and put on a portal through the Department of Homeland Security emergency readiness team US-CERT website for victims to decrypt their computers. More than 2,900 victims were able to unlock the encryption that Cryptolocker installed or used.
As I said, this was a worldwide infection, but it also had implications and teaming, with law enforcement globally working to combat and bring to justice the criminal organization and people behind it. And I would like to thank our partners, the Australian federal police; the national police of the Netherlands’ National High-Tech Crime Unit, their European cybercrime center; UK’s NCA, National Crime Agency; the Ukraine’s ministry of internal affairs, the Dutch national police High-Tech Crime Unit; BKA, or the German criminal police; the French judicial police; the Italian national police; the Swedish national police; Turkish national police – as you can see the national, international flavor of these investigations – the Switzerland Federal Office of Police; Luxembourg Police Grand-Ducale; Japan’s national police agency; New Zealand police; and the Royal Canadian Mounted Police.
We are turning the world again for assistance – or turning to the world again for assistance in locating Bogachev. While he is known to reside in Russia, he may in fact travel. With the $3 million reward, what we’re hoping it would cause incentive for someone somewhere who may see him and report to the authorities his whereabouts by contacting the local authorities or the nearest U.S. embassy or consulate and sending that information on to the FBI. Obviously, all the information that is reported would be kept strictly confidential.
The charges brought against the prolific cybercriminal and the reward funds now available are a result of dedicated and hard work of FBI agents who’ve spent countless hours both here and abroad. I would like to recognize the special agents who were actually in charge of this investigation, Jim Craig, Sarah Cain (ph), Elliott Peterson, and Steve Lampo, along with the leadership of the two respective offices involved, our Omaha office and our Pittsburgh office – the supervisors Justin Kolenbrander and Keith Mularski, and our assistant special agents in charge, Michael Christman, Michael Kitsmiller. Would also like to thank and acknowledge the leadership of the offices, the heads of the offices, both Scott Smith and Tom Metz. Brilliant work by those officers in working with our colleagues overseas.
The progress we made on this case and the response to reduce the infections would not be possible without those in the private sector. Calling out Dell SecureWorks, Fox-IT, and Krautzwerig (ph) were among the chief, and also our partners at DOJ. Without them, all of this would not have been possible.
So let this reward also be notice to other cyber criminals seeking refuge abroad, thinking they are out of the reach of U.S. law enforcement, the FBI, along with our partners. We’ll use every authority and power we have to identify, pursue, and bring those to justice who violate the law. Thank you very much.
MR. HICKTON: I’m very pleased to be here today and to share the podium with the assistant attorney general, the ambassador, and the assistant director for today’s important announcement. Today is a further demonstration of our resolve to bring cybercriminals to justice. The commitment of a whole-of-government approach using an all-tools arsenal is the only way to defeat transnational cyber criminals who proceed through the dark of the internet to commit insidious, malicious intrusions which threaten our security.
The case against Evgeniy Bogachev was charged in Pittsburgh, Pennsylvania, was taken down in Pittsburgh, Pennsylvania, and involved court orders signed by a federal judge in Pittsburgh, Pennsylvania to sever the lines of communication between the illegal GameOver Zeus network and the infected computers. But this was truly a team effort. It was based first upon the superb investigative work of the FBI, the important cooperation and collaboration of the district of Nebraska, and, of course, the criminal division of the Department of Justice. We also had unprecedented support, as Joe mentioned, from 10 other nations as well as our private sector partners.
The weekend-long technical takedown began on May 30th, 2014 with the coordinated seizure of computer servers in multiple countries that formed the backbone of GameOver Zeus and Cryptolocker. Working feverishly around the clock, our team freed infected computers from the botnet network and helped unwitting victims regain control of their own computers. We were compelled to act against Bogachev and GameOver Zeus network to protect and vindicate thousands of victims in western Pennsylvania and around the world.
To achieve justice in cyber space, we must be aggressive, innovative, and relentless to ensure that those living outside our borders do not have a pass to commit crimes within them. We are ready to bring Evgeniy Bogachev to justice in federal court in Pittsburgh. We will use every available legal and diplomatic means to bring all cyber criminals to justice wherever they reside. Thank you.
MODERATOR: With that, we’ll open up for questions. Let me just do some brief housekeeping. Please wait for the microphone, as we will be transcribing. Also, please identify yourself by name and outlet before you pose your question. New York, if you have a question, please approach the podium; we’ll call you in due order.
And I’m going to make one plea. We do have a limited amount of time and I’m sure many questions, so I ask please keep your questions to single-point questions if we can. I’m going to just run the front. We’ll start here and then go across the front.
QUESTION: My name is Alexey Bogdanovskiy. I work for the Russian news agency Ria Novosti. I would like to ask the assistant director, Mr. Demarest: My understanding was that you asked for the Russian authorities’ cooperation in this case back in June 2014 at least, right? Did you have any feedback from them?
MR. DEMAREST: Yeah. So I don’t know the exact timing of that, but we have engaged the FSB in particular for cooperation on this particular case.
MODERATOR: Andrei. And if you have a question, please direct it to the individual if you know who you would like to direct it to.
QUESTION: Yes, my name is Andrei Sitov. I am with TASS, the Russian wire service. And basically I also had this same question. So to reconfirm, you have not had any cooperation with the Russians on this case?
MR. DEMAREST: Okay. I’m not saying that. So we have engaged the FSB on this particular case and are currently sharing information with them regarding Bogachev.
QUESTION: Oh okay, so there is an exchange of information on that.
MR. DEMAREST: There is.
QUESTION: Okay, very good. And my second question was: How were you able to identify the individual? Were the Russians involved in that, or did you do this with your technical means?
MR. DEMAREST: Yeah, it’s through technical means and actually is attributing it to – directly to Bogachev, who had a number of different avenues. And GameOver Zeus, or Zeus, the malware itself, has been in existence since 2007. A lot of work and knowledge about Bogachev over the years. He was known by a nickname initially. From additional work, I’ll say not only by us but the 10 different countries, the partners we worked with, we were able to fully identify him.
QUESTION: And last, it’s probably more a question to the State Department or the Department of Justice. I wish you every success in fighting crime, international crime, but we also have to ask about the legality of the actions, especially as they pertain to our Russian citizens in third countries. So how are the legal rights of the suspects upheld in such cases?
ASSISTANT ATTORNEY GENERAL CALDWELL: So if Mr. Bogachev were to travel to another country with whom we have – the United States has an extradition treaty, and he – and if he were arrested, the extradition process would begin and he would have all the rights that he’s entitled to under the extradition process in whatever country he is arrested in.
QUESTION: So it depends on the country he --
ASSISTANT ATTORNEY GENERAL CALDWELL: It depends partly on the country and partly on the terms of the treaty between the United States and the country.
QUESTION: Holger Stark, Der Spiegel Magazine, Germany. Mr. Demarest, can you describe it little bit the network around Mr. Bogachev? Have you made any other arrests or did you identify other potential complicit? And to clarify, you said that there’s an exchange with the FSB. Does exchange mean that you received a lot of contribution from the Russian side?
MR. DEMAREST: I’ll say there’s an exchange with the FSB. I’ll start with that. So information is provided to the FSB for cooperation, so we’ll work through that with them on Mr. Bogachev.
I’ll defer to Mr. Hickton as far as other targets that were arrested in connection with the case.
MR. HICKTON: I can say that Mr. Bogachev was part of a conspiracy and that there are others, but I cannot say at this point who those are or identify them for you.
QUESTION: And did you make any arrests, or did someone make any arrests?
MR. HICKTON: We have identified them, but I’m not at liberty at this point to identify them for this forum.
MODERATOR: Do we have any other questions at this point? Let's go to --
QUESTION: Sheng Yang for China Daily to Ambassador Brownfield. You’ve mentioned that there should be transnational cooperation. So my question is: How do you see China’s role in this cooperation in cyber security issues?
AMBASSADOR BROWNFIELD: I’ll offer no views in terms of cooperation with China on this specific case. I will tell you that the United States and China have established a mechanism that is now well over 10 years old called the Joint Liaison Group for Law Enforcement between the United States and China. This mechanism allows all of the major law enforcement players in the Federal Government of the United States and the Government of China to meet regularly and systematically to address both general cooperation and specific case cooperation, and allows us in an open and frank manner to discuss both those things that seem to be working well and those things that we wish would work better. I believe I speak for both governments when I say we’d like to be able to do even more than we are doing, but we are pleased with what we have accomplished so far.
MODERATOR: A quick question over here to the right.
QUESTION: My name is Laurent Barthelemy from Agence France-Presse. I just wanted to check, Mr. Bogachev is the creator of the Zeus program? I just wanted to check that. And I’m also curious to know more about the timeline. When did you were first aware of that activity? How much time does it take to bring down such activity?
MR. HICKTON: Mr. Bogachev was the originator of the Zeus botnet which was in 2007. GameOver Zeus is the third iteration of his malware. It is distinctive because it has decentralized command and control and proceeds peer to peer, which has made it much more challenging. I don’t want to give the timeline of our investigation, but I think it is in the public domain that we began some of our work a couple years ago and that we learned through our work in GameOver Zeus that he was central to the ransomware known as Cryptolocker and that’s why that became part of the prosecution which we announced last June. Thank you.
MODERATOR: Any final question?
QUESTION: (Inaudible) question is why now --
MODERATOR: Andrei, will you wait for the microphone?
QUESTION: Sorry, I know this question that I forgot to ask. Why now? Why do you make the announcement on the reward now?
MR. DEMAREST: Well, I think in working with the Department of State, so we’re bringing more pressure to bear. And we think by – again, the offerings of State Department to work with the Department of Justice and the FBI to provide for a reward or for $3 million will certainly bear, I think, additional thought in maybe those around him to cooperate, someone who sees him or knows of him to cooperate. So it provides for a great incentive, we feel.
MODERATOR: If we have no more questions at this point – it looks like Andrei has a follow-up.
QUESTION: I'm sorry. And does this have a status of limitations? How long do such cases last?
ASSISTANT ATTORNEY GENERAL CALDWELL: Well, the statute of limitations, I believe, for the computer violations is five years, but there can be extenuating circumstances when the person is overseas and not subject to process here in the United States.
QUESTION: (Inaudible) follow-up.
ASSISTANT ATTORNEY GENERAL CALDWELL: Yes.
MODERATOR: Only have one more question, and I think we're going to have to let our briefers go.
QUESTION: Yeah, I wanted to know if it was the first time that there was such a reward for cybercriminal?
AMBASSADOR BROWNFIELD: Under the Transnational Organized Crime Rewards Program, the TOC Rewards Program, it is the first time that there has been a reward offered for this type of criminal activity. There have been previous reward offers related to internet fraud, which is similar but not the same as what we are dealing with here. So if we are slicing the salami very fine, this is the first time that this particular form of cybercrime has been subject to a TOC Reward and a substantial TOC Reward Program.
MODERATOR: And I think with that we have to close the briefing. I want to thank everybody, and now we are off the record.