While it is essential to take down the technical aspects of malware (see Trickbot on the Ropes, part one), the real deterrent for criminals is to hit them hard financially. This was the purpose of Europol's Operation 2BaGoldMule against QQAAZZ. In cooperation with partners from 16 countries, including Latvia, Bulgaria, the United Kingdom, Spain and Italy, Europol helped coordinate the execution of search warrants at 40 different locations in support of criminal proceedings in the United States, Portugal, the United Kingdom and Spain.

Europol has published a two-part infographic as part of its account of 20 arrests in the multi-million-dollar QQAAZZ money laundering case:

Trickbot on the Ropes Part 2: The QQAAZZ Money Laundering Ring

Infographic: https://www.europol.europa.eu/publications-documents/operation-2bagoldmule

The criminals behind the QQAAZZ money laundering ring have received money from botnet operators and have also, through various front companies and crypto-currency companies, failed to produce net money while keeping 40-50% of the funds for themselves.

The U.S. Department of Justice reports that bank accounts controlled by QQAAZZ have received money stolen by bank trojans, including Dridex, Trickbot and GozNym malware.  The DOJ action consisted of two rounds, with the first indictment already printed with the names of the persons in October 2019:

Alexei Trofimovich

Alexei Trofimovich, Alexei Trofimovich, Aleko Stoyanov Angel

Ruslan Nikitenko

a/k/a Krzysztof Wojciech Levko, Milen Nikolczew Nikolov, Rafal Winter

Arthur Zachariah

a/k/a Petr Ginelli, Arkadiusz Schuberski

Denis Rusetskis

a/k/a Denis Rusetsky, Sevdelin Sevdalinov Atanasov

These persons used a number of shell companies to open a large number of bank accounts in Portugal.  In 2018 I was in a meeting in London with a handful of major British banks and for the first time I heard them exchanging information about how common it is that when someone enters their Trickbot bank account, a transfer is sent to Portugal!

According to the indictment, Ruslan Nikitenko used his straw company Selfilled LDA to open accounts with eleven banks in Portugal. He used Colossal Devotion LDA to open accounts with nine other banks. Arthur Zakharievich founded a fictitious company, Cardinal Gradual Real Estate Unipessoal LDA, and opened accounts with ten banks in Portugal. Denis Rusetskis founded Flamingocloud LDA and opened accounts with thirteen banks in Portugal!

According to the October 2019 indictment, more than $1.1 million has been spent on the project. In total, delays of USD 100 million were incurred in subsequent transactions, although more than half of these funds were blocked or recovered.

| Date | Victim bank | Attempted transfer | Beneficiary |
|---|---|---|---|
| 07MAR2017 | Schwab | $75000 | Actrofi services |
| 20SEP2017 | BOA | $84900 | Actrofi services |
| 26OCT2017 | JPMorgan Chase | $98780 | Privilege |
| 29NOV2017 | American Express | $121360 | Selbewoolt |
| 30NOV2017 | OVERNIGHT STAY AND BREAKFAST | $72000 | Privilege |
| 08MAR2018 | USAA | $29500 | Flamingoblaco |
| 08MAR2018 | USAA | $29500 | tremendous effort |
| 21MAR2018 | BOA | $49000 | tremendous effort |
| 10APR2018 | JPMorgan Chase | $59426 | Cardinal Step by Step |
| 10APR2018 | JPMorgan Chase | $59426 | Cardinal Step by Step |
| 10APR2018 | JPMorgan Chase | $59426 | Cardinal Step by Step |
| 30AUG2018 | PNC | $99693 | Selbewoolt |
| 14NOV2018 | BOA | $56202 | Actrofi services |
| 14NOV2018 | BOA | $112921 | Dennis Gorenko |
| 14NOV2018 | BOA | $45830 | Dennis Gorenko |
| 06DEC2018 | JPMorgan Chase | $114652 | Flamingoblaco |

Between this case and the current indictment, there was slightly more publicity in May 2020 when Plinofayal, a Russian crook whose real name is Maxim Boyko, was arrested by the FBI when he landed at Miami airport, according to reports from the BBC and other agencies.

In a recent complaint, the indictment of the American Western District was printed only because it was filed on 29SEP2020.  This indictment points to another group of money launderers:

  • Nika Nazarovi – from Georgia – alias Nika Utiashvili, Mikhail Atanasov, Stefan Trifonov Zhelyazkov
  • Martins Ignatievs – from Latvia – alias Yodan Angelov Stoyanov, Alexander Tikhomirov Yanev, Svetlin Ilyanov Asenov
  • Alexander Kobiashvili – from Georgia – alias Antonios Nastas, Ognian Krasimirov Trifonov
  • Dmitri Kuzminov – from Latvia – alias Parus Gospodinov
  • Valentsins Sevets – from Latvia – alias Marek Jasvilko, Rafal Shchitko
  • Dmitry Slapins – from Latvia
  • Armens Vecels – from Latvia
  • Artiom Caspli – from Bulgaria
  • Ion Cebanu – from Romania
  • Tumas Treskinkis – from Latvia
  • Russian Sarapovs – from Latvia
  • Sylvester Tamenieks – from Latvia
  • Abdelhak Hamdaui – from Latvia
  • Peter Iliev – from Belgium

The indictment says that cybercriminals in general have tried to transfer tens of millions of dollars to accounts controlled by QQAAZZ, and that QQAAZZ has managed to launder millions of dollars stolen from victims around the world.

The prosecution divides criminals into three levels:

  • Management
  • Middle management
  • The smugglers

The September 2020 indictment mentions some of the companies whose bank accounts were used to transfer money to European shell companies set up by the above mentioned companies:

  1. A technology company in Windsor, Connecticut
  2. An Orthodox Jewish synagogue in Brooklyn, New York
  3. A medical device company in York, Pennsylvania
  4. A man from Montclair, N.J.
  5. An architectural firm in Miami, Florida
  6. A man in Acworth, Georgia
  7. A manufacturer of car parts in Livonia, Massachusetts
  8. A cleaning lady in Skokie, Illinois
  9. A man in Carrollton, Texas
  10. A man in Villa Park, California

Dozens of other victims have been identified in the United States, but the total number of victims whose money has been stolen or attempted to be stolen by these schemes is unknown.

The persons mentioned in both charges have received money in bank accounts of shell companies, including at least 147 accounts with banks in Portugal, Germany, Spain and the United Kingdom.

The indictment contains a partial list of money transfers that took place between the American victims and the accounts controlled by these criminals.


To this end, the members of the QQAAZZ checkout system have advertised their services in exclusive, secret, Russian-language online forums of cyber criminals. Some of these forum ads cost up to $10,000 a year!

Some of the nicknames used by QQAAZZ members in these forums have been added:

sqaazz global sqaazz markdevido

Rich Donaldtrump55 Manuel Krakadil

Calilinux by Richie Total22

This exchange forum has established a relationship between malicious gangs and money launderers. For example, members of QQAAZZ using the name Rich told members of the GozNym malware crime group that they were accomplices in the UK and Europe and that they had numerous accounts that could be used for money laundering, including an account in the name of Yaromu Gida at a bank in Turkey. An amount of $176,500 U.S., stolen from a medical device manufacturer in the Western District of Pennsylvania, was received in this account.

DonaldTrump55 provided information about the bank account of a deposit of Ruslan Nikitenko at a bank in Portugal, opened with a fake Polish identity card in the name of Krzysztof Wojciech Lewko.  The account then received $121,360 from an American victim.

*** This is the syndicated blog Security Bloggers Network of CyberCrime & Doing Time, written by Gary Warner, UAB. The original message can be found at http://garwarner.blogspot.com/2020/10/trickbot-on-ropes-qqaazz-money.html
