Three individuals who were part of the criminal organization responsible for the Goznym malware attacks in Europe and North America between 2015 and 2016 have been sentenced for their role in the operation, according to a recent announcement by the U.S. Department of Justice.
The Goznym banking Trojan was a hybrid of the Nymaim malware dropper and the Gozi banking malware and was primarily distributed via massive email spamming campaigns. Once installed on a device, it ran persistently and collected and exfiltrated banking credentials whenever the device user accessed their online bank account. Most of the victims were businesses and financial institutions in the United States and Europe.
The malware was relatively short-lived: it was sinkholed in September 2016 when Avalanche, the bulletproof hosting service through which it was operated, was shut down. The operator of that service, Gennady Kapkanov, 36, of Poltava, Ukraine, was arrested in November 2016. During the time the malware was active, the attackers stole almost $100 million from victims’ bank accounts.
The cybercrime network behind the Goznym banking Trojan was dismantled by law enforcement in the United States and Europe in May 2019. Ten individuals were identified as members of the network, all of whom have been indicted on charges of conspiracy to commit computer fraud, conspiracy to commit wire fraud and bank fraud, and conspiracy to commit money laundering. Five members of the gang are Russian nationals and remain at large.
Krasimir Nikolov, 47, of Varna, Bulgaria, was apprehended in Bulgaria in September 2016 and was extradited to the United States two months later. He had already served over 39 months in prison and was sentenced on December 16, 2019 in federal court in Pittsburgh for criminal conspiracy, computer fraud, and bank fraud.
Nikolov was an account takeover specialist whose role in the operation was to use the credentials stolen by the Goznym banking Trojan to access online bank accounts and perform fraudulent wire transfers to bank accounts controlled by other gang members. He was sentenced to time served and will now be sent back to his native Bulgaria.
Alexander Konovolov, aka NoNe, of Tbilisi, Georgia, was the leader of the network and was responsible for recruiting other cybercriminals on darknet forums. He also controlled more than 41,000 devices worldwide that had been infected with the banking Trojan. He was sentenced to serve seven years, and his assistant and technical administrator, Marat Kazandjian, aka phant0m, of Kazakhstan and Tbilisi, Georgia, was sentenced to serve five years. The pair were apprehended and prosecuted in Georgia. An FBI agent and an FBI computer scientist from the Pittsburgh Field Office gave evidence at the trial.
“For years, these cyber criminals believed they could steal millions from innocent victims. Through international cooperation with multiple agencies, we were able to target, take down and bring to justice members of this criminal enterprise,” said FBI Pittsburgh Special Agent in Charge Robert Jones. “We will continue to relentlessly pursue these cyber criminals who think they can conduct illicit activity from behind the perceived anonymity of a computer.”