The hackers were like modern-day John Dillingers, brazenly committing their crimes and repeatedly escaping law enforcement's grasp.
But like Dillinger and most other criminals, they eventually slipped up, and the FBI and its international partners were waiting for them after years of tracking their activities.
Auction Fraud Gets Law Enforcement's Attention
In 2007, an Ohio woman wired thousands of dollars to an eBay seller thinking she was buying a used car. The car never arrived. When she went to her local police department, the listing did not appear on the officers' computers.
That's because the woman was on a fraudulent version of the online auction site that mimicked the real one-a result of having unknowingly downloaded malicious software, known as malware, to her computer.
And to thousands of other victims just like her, the website and transactions looked legitimate. But buyers who thought they were wiring money across town were, in fact, sending money to hackers halfway across the world.
The hackers, known as the Bayrob Group, laundered the money via money mules, making it difficult to track. (Money mules are criminal accomplices who, often unwittingly, move criminal money through their own bank accounts.) Additionally, if a user on an infected machine went to the "Help" section of the site, they were met with the hackers'-not eBay's-customer service.
The Bayrob hackers also blocked websites like ic3.gov-the FBI's Internet Crime Complaint Center-where a user might have gone for help. And before smartphones were so common, the infected computer may have been a victim's only access to the Internet.
The would-be car buyer, along with many other victims, lost her money because wiring funds lacks the consumer protection of a credit card. Agents estimate each victim lost between $8,000 and $11,000.
"At the time, this was really cutting edge," said Special Agent Ryan Macfarlane, who worked this case out of the FBI's Cleveland Field Office. "These guys did a very good job of staying current with the technologies in the cyber criminal underground."
"They had all of these infected systems, and they tried to use as many ways as possible to make money from them."
Ryan Macfarlane, special agent, FBI Cleveland
Following the Money and the Malware
The Bayrob hackers were frustratingly nimble and good at covering their tracks. They used multiple layers of proxy servers to hide their location. Those proxy servers communicated with the "command and control" servers that talked to the thousands of computers the malware had infected.
But as the hackers gained more victims, more partners joined the investigation. The FBI worked with numerous law enforcement agencies around the world on this case, as well as with companies such as AOL, eBay, and Symantec.
Beginning in 2012, the Bayrob Group began to diversify its criminal business as technology advanced. They continued to spread their malware via spam and social media, but they also got into cryptocurrency mining and selling credit card numbers on the Darknet.
"They had all of these infected systems, and they tried to use as many ways as possible to make money from them," Macfarlane said.
Mistake Yields a Break in the Case
A break finally came when a Bayrob participant accidentally logged into his personal email instead of his criminal one. AOL, who was investigating his abuse of their network, connected the two accounts. That personal account led to online profiles in Romania and on social media-essentially the first action tying one of the suspects to the crimes.
That small mistake helped set investigators, in partnership with the Romanian National Police, on a path toward discovering the identities of all three hackers. And after much further investigation, including undercover buys from the group on Darknet marketplace Alphabay, the FBI had enough evidence to work with Romanian authorities on the arrests.
By the time the hackers were arrested in 2016, the Bayrob Group had become one of the top senders of malicious email.
"We were essentially taking down this entire infrastructure and arresting the three individuals at one time," Macfarlane said. "And the Romanian National Police were key partners in this effort. They stuck with us year after year. We couldn't have done this without them."
Bayrob Group members Bogdan Nicolescu and Radu Miclaus were both convicted on wire fraud, money laundering, and identity theft charges. In December 2019, Nicolescu was sentenced to 20 years and Miclaus to 18 years in prison.
A third member of the group, Tiberiu Danet, pleaded guilty to similar charges. He was sentenced in January to 10 years in prison.
While it was years in the making, putting a stop to these prolific thieves was worth the time and effort for the investigators-even when the hackers were as elusive as a gangster on the run.
"We stuck with it because these guys weren't stopping," Macfarlane said. "They continued to evolve, and they were becoming a bigger and bigger threat."
Protecting Yourself Online
Although many of the victims had no way of knowing their computers were compromised, the FBI says there are steps you can take to protect yourself and your devices, such as making sure your antivirus and operating systems are always up to date. Also be careful of what you click on, even if it's coming from someone you know.
"A lot of people don't think that someone they know will be compromised," said FBI Special Agent Stacy Diaz, who also worked on the case. "These hackers know how social networks work, and they use those relationships to grow their network."
Bayrob by the Numbers
- Infected computers: 400,000+
- Money lost: $4 million+
- Average loss per victim: $8,000-$11,000
- Years in operation: 2007-2016
- Malware variations: 160+
- Malicious emails sent: 70+ million