De acordo com uma acusação pelo Departamento de Justiça dos Estados Unidos, Nikolov agora pode pegar até 100 anos de prisão por seus crimes, e uma multa de até US $ 3,5 milhões. Nikolov já foi extraditado da Bulgária para os EUA e apareceu ontem no tribunal.


US authorities have indicted a man named Krasimir Nikolov, age 44, of Varna, Bulgaria, for his role in the distribution of the GozNym malware.
GozNym is a relatively new banking trojan that was created by combining the Gozi banking trojan and the Nymaim dropper/ransomware.

GozNym was one of the superstars of the malware scene

The IBM X-Force team first reported on GozNym's attacks in April 2016, but the trojan felt its presence since late 2015 when the first infections took root across the US.
During a very short period of a few months, the trojan evolved rapidly, with the addition of redirection attacks, and spread incredibly fast to a large number of countries, such as Canada, the UK, Japan, Spain, Poland, Brazil, and Germany.
The trojan was known to have targeted 22 different financial institutions in the US alone, from banks to credit unions.
According to US prosecutors, Nikolov used the trojan to collect banking credentials and then attempted to initiate fraudulent transactions.
Among the biggest robberies he tried to pull, authorities mentioned several cases:
  • Nord-Lock, Inc., a bolt-manufacturing company headquartered in Carnegie, Pa., was the victim of an attempted unauthorized wire transfer of $387,500 from its online account at PNC Bank to an account in Sofia, Bulgaria.
  • Protech Asphalt Maintenance, Inc., an asphalt and paving business located in New Castle, Pa., was the victim of several attempted unauthorized wire transfers totaling more than $243,000 from its online account at First National Bank.
  • Foresight Sports, Inc., a company that provided technology-based golf products and was located in San Diego, California, was the victim of attempted unauthorized wire transfers totaling more than $118,000 from its online account at American Express Foreign Exchange Service Payments.
  • California Furniture Collection, Inc., (DBA Artifacts International) a furniture business located in Chula Vista, California, was the victim of several attempted unauthorized wire transfers totaling more than $737,000 from its online account at CommerceWest Bank.
Surprising news came in September when researchers at Cisco Talos announced they shut down the botnet created with the GozNym malware.
Banking trojans of this size and complexity don't go down this easy, and so quickly after they've been created.

GozNym was part of the Avalanche malware distribution network

Unknown at the time was that Nikolov's operation was part of the massive Avalanche malware distribution network, which authorities in a few dozen countries were investigating, and brought down at the end of November.
Nikolov was one of the early Avalanche arrests, which were later followed by the arrest of the network's main administrator, a Ukrainian man, and 34 people who bought and launched DDoS attacks via DDoS-for-hire services hosted on Avalanche.
According to an indictment by the US Department of Justice, Nikolov now faces up to 100 years in jail for his crimes, and a fine up to $3.5 million. Nikolov was already extradited from Bulgaria to the US and appeared yesterday in court.