Bulgarian Hacker Krasimir Nikolov Charged in $1.5M GozNym Scheme

PITTSBURGH — Krasimir Nikolov, a 44-year-old man from Varna, Bulgaria, has been indicted on six federal counts tied to a high-tech cybercrime spree using GozNym malware to rip off American businesses. The malware, designed to siphon banking credentials and hijack online accounts, was used in a string of attempted electronic heists totaling more than $1.5 million, according to a Pittsburgh federal grand jury.

The indictment, returned October 4, 2016, and unsealed today, charges Nikolov with one count of criminal conspiracy, one count of unauthorized access to a computer to obtain financial information, and four counts of bank fraud. Prosecutors allege Nikolov obtained login data from computers infected with GozNym, then used that access to initiate unauthorized wire transfers from compromised accounts tied to U.S.-based companies.

The GozNym campaign began in late 2015, targeting businesses through phishing emails made to look like routine invoices. Click a link, open an attachment, and the malware slips in — silently harvesting online banking credentials. The stolen data was then used to push fraudulent transfers. Among the named victims: Nord-Lock, Inc. of Carnegie, Pa., hit with a $387,500 attempted transfer to Bulgaria; Protech Asphalt Maintenance, Inc. of New Castle, Pa., targeted in multiple attempts totaling over $243,000; and California Furniture Collection, Inc. (DBA Artifacts International) of Chula Vista, Calif., nearly drained of $737,000 via CommerceWest Bank.

Additional victims include Foresight Sports, Inc. of San Diego, Calif., which faced over $118,000 in attempted fraud through American Express Foreign Exchange Service Payments. Acting U.S. Attorney Soo C. Song credited swift action by the targeted companies and their banks for spotting the fraudulent transfers and blocking the losses before funds disappeared overseas.

The case against Nikolov emerged from a broader multinational crackdown on the Avalanche network — a digital safe haven for more than two dozen notorious malware strains, including GozNym. Last week, Justice Department officials revealed the takedown of Avalanche, which facilitated global phishing operations and money laundering pipelines. Nikolov’s prosecution is a direct result of the forensic sweep through that infrastructure.

Nikolov was arrested in Varna on September 8, 2016, and extradited to the United States over the weekend. He made his initial appearance in federal court in Western Pennsylvania at 3:30 p.m. today. If convicted, he faces up to 100 years in prison and a $3.5 million fine. Sentencing, under federal guidelines, will hinge on the severity of the offenses and Nikolov’s criminal history. The case is being handled by Assistant U.S. Attorney Charles Eberle and Senior Trial Attorney Richard D. Green of the Justice Department’s Computer Crimes division.
