WASHINGTON -- An eight-country cybercrimes investigation that led to an indictment in Pittsburgh of a computer mastermind may now depend for its continued success on the cooperation of a ninth country: Russia.
Evgeniy Mikhailovich Bogachev of the Black Sea town of Anapa, Russia, was named in a 14-count indictment, unsealed Monday, accusing him of conspiracy, wire fraud, computer fraud, bank fraud and money laundering.
He and five alleged co-conspirators, identified by nicknames, are also defendants in a civil suit filed by federal prosecutors that provided the government with the judicial approval needed to shut down the Cryptolocker virus and the Gameover Zeus computer network, which have infected millions of computers worldwide.
"Bogachev, a true 21st-century criminal, commits cybercrimes across the globe with a stroke of a key," Deputy Attorney General James Cole said at a news conference in Washington. He called the vast, global array of computers captured by Gameover Zeus "the most sophisticated and complicated botnet we have encountered."
Justice officials said they have been watching Mr. Bogachev for years. His orchestration of the Gameover Zeus and Cryptolocker schemes elevated the 30-year-old to a spot on the FBI's list of most-wanted cybercriminals.
Agents had been separately investigating the Gameover and Cryptolocker cases when they discovered both were connected to Mr. Bogachev, known online as Lucky12345, Slavik and Pollingsoon.
The lucrative and damaging schemes were aimed at two different sets of victims: businesses, which were robbed by the millions; and individuals, whose pockets were virtually picked a few hundred dollars at a time.
The Cryptolocker virus spread through email messages carrying links that, when clicked, activated software that locked the victim's computer files and displayed a splash message demanding payment within 72 hours. Payment was to be made in bitcoins, the difficult-to-trace online currency.
Assistant Attorney General Leslie R. Caldwell characterized Gameover Zeus as a quiet scheme to defraud companies that wouldn't be aware of the infiltration until their bank accounts were empty, while she said Cryptolocker was "brutally direct."
"The criminals effectively held for ransom every private email, business plan, child's science project or family photograph -- every single important and personal file stored on the victim's computer," she said.
U.S. Attorney David Hickton said he would use all available legal processes to bring Mr. Bogachev to Pittsburgh to stand trial.
Mr. Cole said discussions with Russia have begun, but he declined to detail them.
"Our goal right now is to find him and get him into custody," he said.
Experts predicted that the talks would be tough.
"There have been attempts from both the United States and Britain to extradite Russians who commit crimes, and each time Russia has refused to extradite anyone," said Sean Guillory, a post-doctoral fellow at the Russian and East European Center at the University of Pittsburgh. "The Russians ... flatly refuse that their nationals should be tried in other nations' courts.
"The only way I could see the Russians cooperating is first behind the scenes, without any public knowledge," and that seems decreasingly likely given tensions over Ukraine, he said.
Malicious software called Zeus that stole victims' credentials, allowing criminals to drain bank accounts, emerged in 2007, according to a court filing in which FBI special agent Elliott Peterson, based in Pittsburgh, detailed the probe. When a victim opened an email and clicked on the link, the virus would infect their computer, stealing personal information and secretly turning the machine into another "bot" in a network of remotely directed machines.
The updated version, Gameover Zeus, infected perhaps a million computers. It targeted entities including U.S. hospitals "due to their large payroll payments," redirecting deposits to the criminals' sometimes unwitting "money mules," according to Mr. Peterson.
Gameover Zeus frequently drew amounts in the $1 million range from victim accounts, according to the court filings, and on one occasion drained $6.9 million from a Florida bank.
According to the indictment, PNC Bank and Haysite Reinforced Plastics of Erie, Pa., were victimized by the software. The government claims that Mr. Bogachev, in October 2011, shunted about $375,000 from a PNC Bank account belonging to Haysite to a bank in Atlanta, and from there to Great Britain.
Other victims, according to the complaint, include an Indian tribe in Washington state that lost $227,000 and assisted living facilities in Eastern Pennsylvania that lost $190,800.
A spokeswoman for PNC declined to comment, citing a bank policy prohibiting public discussion of unresolved legal matters.
Cryptolocker emerged last year, infecting around 230,000 computers, more than half of them in the U.S.
Victims of Cryptolocker would suddenly see a screen advising that their "personal files are encrypted," and learn that an "effectively unbreakable" password had been inserted between them and their banking, family and personal data. They could then pay ransoms -- the Swansea, Mass., police department, for instance, paid $750 -- or spend tens of thousands of dollars rebuilding their data, as some companies did.
Cryptolocker extracted at least $27 million in ransom payments, Mr. Cole said.
The FBI cultivated a confidential source with knowledge of Mr. Bogachev's methods, according to the court filings, and identified several websites with names like "Visitcoastweekend.com," which he used to communicate with his co-conspirators. The FBI then got warrants to use tracking devices to follow the computer traffic, working with law enforcement in the United Kingdom to unearth "a detailed ledger of hundreds of financial transactions," including some involving Haysite, according to the filings.
Agents and prosecutors in Pittsburgh, Washington and Omaha, Neb., then collaborated on a counterattack.
Prosecutors got court orders allowing them to establish a computer server to which they could redirect the communications of computers infected with Gameover Zeus.
The government then worked with law enforcement in Ukraine, Canada, France, Germany, Luxembourg, the Netherlands and the United Kingdom to begin seizing computer servers associated with Gameover Zeus and Cryptolocker, Ms. Caldwell said. Ukraine, for instance, seized Gameover Zeus command centers within its borders on May 7.
A "carefully timed sequence" of computer countermeasures by officials in the U.S. and The Hague, Netherlands, then allowed the governments to redirect all of the computer traffic allegedly associated with Mr. Bogachev, according to Ms. Caldwell.
Computer and security companies, plus Carnegie Mellon University and Georgia Tech, worked with law enforcement to understand the network.
By Saturday, Ms. Caldwell said, Cryptolocker was no longer functioning and Gameover Zeus was severely damaged.
Law enforcement is now working with computer and cyber security firms to help victims recover from the malicious software, and has created a website providing assistance in removing the malware at www.us-cert.gov/gameoverzeus.
Robert Anderson, executive assistant director of the FBI's Criminal, Cyber, Response and Services Branch, called Mr. Bogachev "one of the most prolific cyber-actors in the world."
The indictment, though, may do little more than put the Russians on notice, and restrict Mr. Bogachev's vacation options.
If Russia concluded that he committed crimes, it might prosecute him under its own laws, said Mr. Guillory. Barring that, the defendant "probably wouldn't be able to travel outside of Russia, because I'm sure if he traveled to the European Union they would hand him over."
Still, U.S. justice officials said they will pursue charges against Mr. Bogachev and will work to identify co-conspirators.
"Because computer hacking and computer theft are insidious, borderless crimes, we need to be bold, imaginative and relentless," Mr. Hickton said.
Rich Lord: 412-263-1542 or on Twitter @richelord. Washington Bureau Chief Tracie Mauriello: 703-996-9292 or on Twitter @pgPoliTweets. First Published June 2, 2014 11:47 AM