Ten people have been charged in connection with malicious software attacks that infected tens of thousands of computers and caused more than $100 million in financial losses, US and European authorities announced on Thursday.
The malware, which enabled cybercriminals from Eastern Europe to take remote control of infected computers and siphon funds from victims' bank accounts, targeted companies and institutions across all sectors of American life. Victims included a Washington law firm, a church in Texas, a furniture business in California and a casino in Mississippi.
The defendants come from six nations and several are awaiting prosecution in Europe. An 11th defendant in a related case was extradited to the US from Bulgaria in 2016 and pleaded guilty last month in federal court in Pittsburgh, Pennsylvania, where Thursday's case was brought.
The charges include conspiracy to commit computer fraud, conspiracy to commit wire and bank fraud and conspiracy to commit money laundering.
Though the Justice Department has pursued multiple malware prosecutions in recent years against foreign hackers, this case stands out as a model of international collaboration, said Scott Brady, the United States attorney in Pittsburgh.
How to prosecute cybercrime?
Instead of seeking the immediate extradition of all 10 defendants — an often cumbersome process that can take years of negotiations, even in countries that have treaties with the US — prosecutors will first bring charges against several of them in the East European countries of Ukraine, Moldova and Georgia.
"It represents a paradigm change in how we prosecute cybercrime," Brady said in an interview with The Associated Press ahead of a news conference in The Hague with representatives of the six countries.
The investigation was an outgrowth of the Justice Department's dismantling in 2016 of a network of computer servers, known as Avalanche, which hosted more than two dozen different types of malware.
"For the past three years, we have been unpeeling an onion as it were that is very challenging to investigate and identify," Brady said.
The malware cited in the current court case infected 41,000 computers, relying on spam emails that were disguised as legitimate messages or invoices, officials said. Once opened, the emails enabled hackers operating from Europe to record the keystrokes from the victims' computers, steal banking log-in credentials and wire money away from accounts.
Brady said that while prosecutors always look to recover stolen funds, that effort is especially challenging in international cybercrime cases.
"Proceeds were converted to bitcoin and without the private key, it is really hard to identify and access, let alone seize, those accounts," Brady said.