GozNym Closure Comes in the Shape of a Europol and DOJ Arrest Operation

Two and a half years after the initial arrest of a major member of the GozNym cybercrime gang, Europol and the U.S. Department of Justice (DOJ) joined forces to reach additional gang members who used the Trojan to pilfer large amounts of money from companies in the U.S. The operation was crowned “unprecedented,” having successfully dismantled what was left of the gang that attempted to steal well over $100 million.


A Two-Headed Beast Emerges


In April 2016, IBM X-Force researchers came across a new banking Trojan that looked a little too familiar. After taking a closer look at its sophisticated, modular code, our team announced that a Trojan hybrid had been spawned from the Nymaim and Gozi ISFB malware.


X-Force named it GozNym after its two parent components, having determined that the likely operators of Nymaim, a malware loader used mostly in ransomware attacks, had recompiled its source code together with part of the Gozi ISFB source code. The resulting combination was launched in attacks targeting the customers of more than 24 U.S. and Canadian banks, and GozNym-facilitated fraud amounted to over $4 million in losses within the first few days of its activity.


What was the purpose of this odd combination? It is likely that those behind the GozNym project aimed to marry the best of both Nymaim and Gozi ISFB to creat ..