
Operation Trident

The bloodhounds are continuing to register notable victories over online crime rings. This time there was a massive series of arrests in the US, UK and other countries of fraudsters spreading or cashing out on a major Zeus Trojan operation, which has been pestering US businesses for the past 18 months.

In a clever multi-national investigation called Trident Breach, over 150 charges or arrests were made across the US, UK and Eastern Europe. Check out this cool chart that explains the scale of the cybercrime operation and the geographic location of its members.

The first announcement came from the UK, where the Metropolitan Police Central eCrime Unit said it had arrested 19 people who had spread the Zeus Trojan to prey on victims. The total proceeds from their operation are 6 million pounds.

US law enforcement authorities then announced that the FBI had put behind bars 37 fraudsters who were charged with knowingly serving as mule accounts for stolen Zeus credentials. These collaborators, who entered the US on student visas, were responsible for receiving money transfers from victims and then wiring the money into the hands of the cash-out masterminds.

A few days later, the full scale of the operation became apparent with 5 more arrests in Ukraine, this time of the cybercriminals who were responsible for setting up the Zeus botnet and controlling the operation. In total the group cleaned $70m, mostly from business accounts.

As of October 2010, Zeus remains the predominant Trojan: RSA still sees the vast majority of stolen credentials coming from Zeus botnets. There are hundreds of Zeus servers running right now, each of them operated by a single fraudster or a small group of criminals, each of them monitoring thousands of victims 24/7. Millions of hijacked PCs run Zeus.

Zeus has all the signs of a healthy business. Beyond the fact that its developer released a major version in early 2010, it has a lively community of add-ons, localized versions, templates and scripts that can be used on the main Zeus platform. An example: a Zeus add-on script that empties your account in 10 seconds, then shows a false account balance whenever you log into online banking. Only if you look at a printed statement will you see that your account is empty.

Zeus does have competition, though. SpyEye is a new entrant that certain fraudsters prefer over Zeus; in certain locales it has about half of Zeus's market share. Gozi has started to rent out its botnet for other uses, and new Trojans are always being developed.

The recent arrests add to all the good work the FBI, Scotland Yard, and law enforcement agencies in the US, UK and Europe have been doing recently.

Well done, lads!

External

This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.
