Back in 2016, three members of the Bayrob hacking group were extradited to the United States. Law enforcement officials said that the Romanian citizens Bogdan Nicolescu (aka Masterfraud, aka mf), Danet Tiberiu (aka Amightysa, aka amy) and Radu Miclaus (aka Minolta, aka min) had been involved in fraud and scams since 2007, and that their "business" later evolved into a large botnet, which was also used for cryptocurrency mining.
According to the authorities, over the years of its activity the group stole more than four million dollars from its victims; however, Symantec analysts who helped law enforcement agencies shut the group down reported that the actual damage caused by Bayrob could amount to more than $35,000,000.
Let me remind you that in 2007 the attackers were primarily engaged in eBay fraud and advertising scams. They put non-existent goods up for sale (as a rule, expensive cars) and waited for a potential buyer to show interest in the listing. As soon as a victim expressed interest in the non-existent item, the fraudsters contacted them to discuss the details of the transaction. The prospective buyer was sent a file that supposedly contained a gallery of photos of the car, but alongside the photos it also carried the Bayrob Trojan, which the group had written itself.
At first, Bayrob acted as a simplified banking trojan, except that instead of a fake banking portal it led users to a fake eBay page carrying the listing for the non-existent car. The fake pages and emails were crafted with great care, and the group's English was up to par and contained practically no errors. The fraudsters invented fake customer reviews for the fake eBay pages, forged information about previous owners, accident history and restrictions on transfer of ownership, and even created fake websites for transport companies that were supposedly going to deliver the car to the buyer.
In fact, all of this served to lull the victim's vigilance and to delay the moment when the buyer realized they had been deceived and notified the bank and law enforcement about what had happened. During that window the hackers used the services of so-called "money mules", who sent the money from the US to Romania (the group did not hesitate to mislead or rob its own couriers either, often leaving them without the "commission" they were owed).
In 2014, Bayrob evolved into a full-fledged backdoor trojan that "learned" to steal bank card data and other confidential information from infected machines. It began to spread as attachments to spam emails, allegedly sent on behalf of organizations such as Western Union, Norton AntiVirus and the IRS. It is also known that the hackers registered more than 100,000 mailboxes and used them to send tens of millions of malicious emails to previously harvested email addresses. In addition, they intercepted requests to Facebook, PayPal, eBay and other sites and redirected their victims to look-alike domains, where their credentials were stolen.
So, whereas in 2007 about 1000 machines were infected with Bayrob, by 2014 that number had grown to 50,000, and by 2016 it exceeded 300,000 in total. A botnet of this size allowed a variety of operations to be carried out; among other things, the group engaged in cryptocurrency mining.
Charges were brought against all three suspects back in 2016, but the case reached court much later: it became known only in April 2019 that Bogdan Nicolescu and Danet Tiberiu had pleaded guilty to 21 counts, and sentencing was scheduled for this fall.
Late last week, the US Department of Justice website reported that Nicolescu and Tiberiu had been sentenced to 20 and 18 years in prison, respectively.
Law enforcement officials now report that the attackers not only stole other people's money and mined cryptocurrency on infected machines, but also stole various kinds of information from their victims (credentials, financial information and so on), which they then resold on the darknet.