Romanian Duo Receives Jail Time For Infecting 400,000 With Malware


Since 2007, the two allegedly operated a cybercrime ring called “Bayrob Group.”

A Romanian duo has been sentenced to jail time for infecting 400,000 computers with malware that stole credentials and financial information, and for scamming victims out of millions of dollars.

The two Romanian hackers, Bogdan Nicolescu, 37, and Radu Miclaus, 37, were sentenced to 20 years and 18 years in prison, respectively, on Friday. The sentencing comes after the pair were each convicted in April by a federal jury in Ohio on 21 charges, including conspiracy to commit wire fraud, conspiracy to traffic in counterfeit service marks, aggravated identity theft, conspiracy to commit money laundering and 12 counts each of wire fraud.

“These sentences handed down today reflect the dynamic landscape in which international criminals utilize sophisticated cyber methods to take advantage of and defraud unsuspecting victims anywhere in the world,” said FBI Special Agent in Charge Eric Smith in a statement on Friday. “Despite the complexity and global character of these investigations, this investigation and prosecution demonstrate the commitment by the FBI and our partners to aggressively pursue these individuals and bring justice to the victims.”

Since 2007, the two allegedly operated a cybercrime ring called “Bayrob Group” out of Bucharest, Romania. The group developed malware and distributed it through malicious emails to victims, purporting to be from organizations such as Western Union, Norton AntiVirus and the IRS. When recipients opened the attached file, malware was installed onto their systems. From there, it harvested personal data, credit-card information, user names and passwords, disabled victims’ malware protection tools, and blocked their access to websites associated with law enforcement.

The pair were able to copy victims’ email contacts using the malware, and consequently sent those contacts malicious emails as well. In addition, the malware activated files forcing victims’ systems to register AOL accounts, and then sent more victims malicious emails from these legitimate email addresses. The two registered more than 100,000 email accounts using this method, and were able to send tens of millions of malicious emails, according to the Department of Justice (DoJ).

Nicolescu and Miclaus also injected fake webpages into legitimate websites, such as eBay, to intercept victims’ visits to these legit websites and trick them into entering credentials into the spoofed webpage. Finally, the two placed more than 1,000 fraudulent listings for automobiles, motorcycles and more on eBay. The two put malware-ridden photos on the listings, which then redirected victims who clicked on them to spoofed webpages that looked like the legitimate eBay page. These webpages tricked victims into paying for the “items” through a nonexistent “eBay Escrow Agent” – which turned out simply to be a person hired by the pair to collect the money and give it to them. This scam resulted in a loss of millions of dollars, according to DoJ.

According to the DoJ, these attacks earned the two more than $4 million. The two were arrested in Romania in Sept. 2016 and later brought to the U.S.

In related news, a hacker from Essex, who was previously sentenced in April 2019 to more than six years in jail for his part in a Russian-speaking cybercrime group, on Monday was ordered to pay over £270,000 ($355,000 USD).

The hacker, Zain Qaiser, 25, played an “integral part of a highly sophisticated cyber crime group” that generated millions of pounds through ransomware payments, according to the National Crime Agency (NCA). Qaiser has been told he must hand over the money within three months, based on an assessment of his available assets, or else he will be sentenced to a further two years in prison.


Specifically, for six years Qaiser allegedly used fraudulent identities to pretend to be legitimate online advertising agencies, and bought advertising traffic from pornographic websites.

These ads, however, were laced with ransomware, including one strain called Reveton. When victims clicked on the ads they were infected with the malicious payload, which locked their browser. The infected device would then display a message purporting to be from a law-enforcement or government agency, which claimed the victim should pay a fine of between $300 and $1,000 to unlock their device. The campaign infected millions of computers worldwide.

Using this scheme, Qaiser made millions from victims in more than 20 countries. The NCA said he spent the money on high-end hotels, prostitutes, gambling, drugs and luxury items, including a £5,000 Rolex watch, until he was arrested in July 2014 and charged in February 2017.

“Confiscation orders are a key tool in allowing us to pursue illegally-obtained assets and preventing convicted criminals from funding luxury lifestyles on their release,” Nigel Leary, Head of Operations in the NCA’s National Cyber Crime Unit, said in a Monday statement. “This was an extremely long-running and complex investigation which proves that we will use all the tools at our disposal to ensure cyber criminals are brought to justice and cannot continue to benefit from their illicit earnings.”

Authorities over the past month have continued disclosing crackdowns on cybercriminals, including just last week announcing sanctions and charges against the leader of the cybercrime group Evil Corp, as well as the takedown of developers behind a commodity remote-access tool (RAT) that allows full control of a victim’s computer.

Also last week, feds announced they’re targeting money mules, middlemen who assist BEC schemes by receiving money from victims and forwarding the proceeds to foreign-based perpetrators. Authorities say they have halted over 600 domestic money mules, exceeding the 400 stopped last year.
