Thirty-seven members of an international cybercrime ring based in Eastern Europe were charged today with a variety of state and federal crimes accusing them of using the Zeus Trojan to snare bank account numbers and passwords that were then used to pilfer more than $3 million from victims' accounts.
The takedown, which is the culmination of a year-long investigation by the FBI, the U.S. Attorney's office in southern New York, the New York Police Department and the U.S. Secret Service, resulted in the arrests of 10 people in the U.S. Thursday morning. Another 10 were previously arrested overseas and another 17 are still being sought both in the U.S. and abroad, the FBI said in a statement.
The masterminds of the cybercrime syndicate allegedly concealed the Zeus Trojan in what appeared to be benign email attachments that, once opened, allowed the malware to embed itself in the victims' computers.
Once the malware had infiltrated users' PCs, it was able to record keystrokes and banking websites visited, allowing the hackers to access their online accounts and make unauthorized transfers of "thousands of dollars" at a time to receiving accounts controlled by co-conspirators.
"This advanced cybercrime ring is a disturbing example of organized crime in the 21st Century -- high-tech and widespread," New York District Attorney Cyrus Vance said in a statement.
The criminal charges allege that the receiving accounts were established by a "money mule organization" that collected the ill-gotten proceeds and transported or transferred victims' cash overseas where it was then divvied up by the hackers and other participants in the scam.
The FBI said the organization actively recruited people who had entered the U.S. on student visas, providing them with fake passports and instructing them to open dummy bank accounts under false names in the U.S. It further alleges that once those accounts were created, the mules then transferred funds to other accounts or were ordered to withdraw the cash and smuggle it back to Eastern Europe.
The first indication that an international cyber scam was afoot came to light last year when NYPD detectives began investigating a suspicious $44,000 withdrawal from a Bronx, N.Y. bank. That led to a coordinated, multi-agency investigation both in the U.S. and overseas.
"The Zeus Trojan allegedly allowed the hackers, from thousands of miles away, to get their hands on other peoples' money," FBI Assistant Director Janice Fedarcyk said in the statement. "But their scheme didn't eliminate risk."
The U.S. Attorney's office filed charges against all 37 defendants, accusing them of bank fraud, money laundering, false use of a passport and conspiracy to commit wire fraud. If convicted, the accused face sentences ranging from 10 years to 30 years in prison and fines of between $250,000 and $1 million per count.
Fighting cybercrime syndicates
This isn't the first time U.S. law enforcement agencies have cracked down on a foreign-based cybercrime syndicate.
In November, a group of eight hackers based in Eastern Europe were indicted on 16 separate federal counts, including computer fraud and aggravated identity theft for their alleged role in an elaborate scheme that pilfered more than $9 million from an Atlanta-based credit card processing company.
As today's arrests show, the modern, high-tech bank heist does not require a gun, a mask, a note or a getaway car," Manhattan U.S. Attorney Preet Bharara said. "But today's coordinated operation demonstrates that these 21st Century bank robbers are not completely anonymous; they are not invulnerable."
"Working with our colleagues here and abroad, we will continue to attack this threat and bring cybercriminals to justice," he added.
Follow eSecurityPlanet on Twitter @eSecurityP.