Editor's Note: This analysis was produced by Threat Lens, Stratfor's protective intelligence product. Designed with corporate security leaders in mind, Threat Lens enables industry professionals to anticipate, identify, measure and mitigate emerging threats to people and assets around the world.

The U.S. Department of Justice announced Dec. 5 that the United States had collaborated with 39 other countries and several international law enforcement groups to take down Avalanche, a cybercriminal network that has operated since at least 2010. Avalanche was an intricate network of servers located around the world, which enabled cybercriminals to secretly operate criminal enterprises across international boundaries.

The operation, spearheaded by the U.S. Attorney's Office for the Western District of Pennsylvania, appears to have been prompted by an investigation into spear phishing against a local government office and two private companies. The government office had its files encrypted by ransomware, and the two companies and their banks lost money to theft carried out with GozNym malware. The malware was introduced to employee computers through what appeared to be legitimate invoices. Tracing the malware back, investigators uncovered Avalanche, whose many scattered servers enabled users to move and launder stolen money, banking passwords and other sensitive information without detection. Investigators also learned of "money mule" schemes, in which large groups of "mules" launder stolen money by using it to purchase goods. Avalanche was advertised to criminals on encrypted online forums.

Operations of this scale are rarely undertaken by law enforcement, and the success of this effort is unprecedented. Investigators in India, Taiwan, Singapore and Ukraine, among other countries, were able to block some of the more than 800,000 malicious domains controlled by the criminals. One method was "sinkholing" Avalanche traffic: redirecting traffic bound for those domains to computers controlled by law enforcement. The tactic helped investigators identify and seize servers in 40 jurisdictions around the world and make an undisclosed number of arrests. But although the operation was an undeniable law enforcement success, it will not stop other cybercrime networks from operating or new ones from emerging. Three years ago, U.S. authorities shut down the Silk Road online narcotics market. Since then, online sales of illegal drugs and other contraband have proliferated rather than decreased. Cybercriminal networks are resilient and evolve rapidly when challenged by law enforcement.
