
PRESS RELEASES

Craigslist Robbers - The crew of robbers, based in the San Francisco Bay Area, is estimated to have stolen more than $500,000 in jewelry from victims who traveled from more than six states between November 2012 and December 2013. Five men were charged in 2014 in connection with the violent robberies during which, among other items, a $90,000 Cartier watch, a $14,000 Rolex watch, and a $19,000 engagement ring were stolen. The last member of the crew to be sentenced, Michael Anthony Martin, 42, of Tracy, California, was handed a term last December of 30 years in prison.

 

The case illustrates how the FBI and police work together on cases that may at first appear to be local or isolated, but on closer investigation can span multiple jurisdictions. In this case, a Bay Area detective’s efforts to solve a “snatch-and-grab” robbery at a Fremont, California coffee shop ultimately led him to more than 20 similar robberies of victims from as far away as Wisconsin and Florida. Fremont Police Department Det. Michael Gebhardt’s legwork also uncovered the scheme’s mastermind: a prison inmate who personally called Craigslist targets—purporting to be a successful record producer—and assigned his co-conspirators to carry out the plans. It all started in 2012 with the brazen robbery of a Bay Area man who was selling his watch. The seller and the purported buyer, both local, arranged to meet in Fremont in a public place—a coffee shop. “As they are talking, the potential buyer just grabs the Rolex and takes off running,” Gebhardt said.

“It’s definitely a tale of something that started small and just mushroomed into this massive investigation.”

Det. Michael Gebhardt, Fremont (California) Police Department

Video surveillance and the so-called buyer’s cell phone number turned up an identity that police were able to link to two more robberies in Bay Area cities. In each case, the victims were selling Rolex watches and the prospective buyers grabbed the goods and ran. “The M.O. [modus operandi] is the same,” Gebhardt recalled thinking. “He’s targeting people on Craigslist for Rolexes.”

Two months later, the detective received word that police in Oakland were investigating five similar robberies, including one they witnessed firsthand during a separate investigation. Oakland police officers arrested three men, who it turned out were associates of the watch thief Gebhardt was investigating for the 2012 coffee shop heist. With some digging, Gebhardt learned his subject was taking directions from his father, an inmate at the California Men’s Colony state prison. The father was using a number of relatives, including his son and a cousin in Texas, to lure prospective Craigslist sellers with flights and limos and then have co-conspirators rob them once they were captive.


Avalanche Network Crashes - “For years, sophisticated cyber criminals have used our own technology against us—but as their networks have grown more complex and widespread, criminals increasingly rely on an international infrastructure as well,” said Assistant Attorney General Caldwell. “Avalanche is just one example of a criminal infrastructure dedicated to facilitating privacy invasions and financial crimes on a global scale. And now a multinational law enforcement coalition has turned the tables on the criminals, by targeting not just individual actors, but the entire Avalanche infrastructure. Successful operations like this one can disrupt an entire criminal ecosystem in one strike.”

“The takedown of Avalanche was unprecedented in its scope, scale, reach and cooperation among 40 countries,” said Acting U.S. Attorney Song.  “This is the first time that we have aimed to and achieved the destruction of a criminal cyber infrastructure while disrupting all of the malware systems that relied upon it to do harm.”

“We are committed to halting cybercriminal activity against the United States,” said Assistant Director Smith.  “Cybercriminals can victimize millions of users in a moment from anywhere in the world.  This takedown highlights the importance of collaborating with our international law enforcement partners against this evolution of organized crime in the virtual.”

The Avalanche network offered cybercriminals a secure infrastructure, designed to thwart detection by law enforcement and cyber security experts, over which the criminals conducted malware campaigns as well as money laundering schemes known as “money mule” schemes. Online banking passwords and other sensitive information stolen from victims’ malware-infected computers were redirected through the intricate network of Avalanche servers and ultimately to backend servers controlled by the cybercriminals. Access to the Avalanche network was offered to the cybercriminals through postings on exclusive, underground online criminal forums.

The operation also involved an unprecedented effort to seize, block and sinkhole – meaning, redirect traffic from infected victim computers to servers controlled by law enforcement instead of the servers controlled by cybercriminals – more than 800,000 malicious domains associated with the Avalanche network.  Such domains are needed to funnel information, such as sensitive banking credentials, from the victims’ malware-infected computers, through the layers of Avalanche servers and ultimately back to the cybercriminals.  This was accomplished, in part, through a temporary restraining order obtained by the United States in the Western District of Pennsylvania.      

The types of malware and money mule schemes operating over the Avalanche network varied.  Ransomware such as Nymain, for example, encrypted victims’ computer files until the victim paid a ransom (typically in a form of electronic currency) to the cybercriminal.  Other malware, such as GozNym, was designed to steal victims’ sensitive banking credentials and use those credentials to initiate fraudulent wire transfers.  The money mule schemes operating over Avalanche involved highly organized networks of “mules” who purchased goods with stolen funds, enabling cybercriminals to launder the money they acquired through the malware attacks or other illegal means. 

The Avalanche network, which has been operating since at least 2010, was estimated to serve clients operating as many as 500,000 infected computers worldwide on a daily basis.  The monetary losses associated with malware attacks conducted over the Avalanche network are estimated to be in the hundreds of millions of dollars worldwide, although exact calculations are difficult due to the high number of malware families present on the network.

Several victims of Avalanche-based malware attacks are located in the Western District of Pennsylvania.  A local governmental office was the victim of a Nymain malware attack in which computer files were encrypted until the victims paid a Bitcoin ransom in exchange for decrypting the files.  Two companies, based in New Castle and Carnegie, Pennsylvania, and their respective banks were victims of GozNym malware attacks.  In both attacks, employees received phishing emails containing attachments designed to look like legitimate business invoices.  After clicking on the links, GozNym malware was installed on the victims’ computers.  The malware stole the employees’ banking credentials which were used to initiate unauthorized wire transfers from the victims’ online bank accounts.  

The U.S. Attorney’s Office of the Western District of Pennsylvania, the FBI and the Criminal Division’s Computer Crime and Intellectual Property Section (CCIPS) conducted the operation in close cooperation with the Public Prosecutor’s Office Verden; the Luneburg Police of Germany; Europol; and Eurojust, located in The Hague, Netherlands; and investigators and prosecutors from more than 40 jurisdictions, including India, Singapore, Taiwan and Ukraine.     

Other agencies and organizations partnering in this effort include the Department of Homeland Security’s U.S.-Computer Emergency Readiness Team (US-CERT), the Shadowserver Foundation, Fraunhofer Institute for Communication, Registry of Last Resort, ICANN and domain registries from around the world.  The Criminal Division’s Office of International Affairs also provided significant assistance.  

​
