The last two people found guilty of being part of the gang behind the UK’s biggest ever cybercrime phishing spree have been sentenced to nearly five years in jail each.
Ukrainians Yuriy Konovalenko, 29, and Yevhen Kulibaba, 33, were the ringleaders of the largely UK-based gang that police believe managed to steal at least £4.3 million ($6.9 million) between September 2009 and March 2010 by deploying the Zeus Trojan to raid online bank accounts in several countries.
The full scale of their crimes might never be known with some estimates putting the sums stolen from the gang’s activities above £20 million, which would make it the largest crybercrime campaign ever to reach court anywhere in the world. Police have connected the pair directly to almost £3 million of the uncovered thefts.
There has been a slow drip of sentences handed out to the gang members in what turned out to be a hugely complex investigation, ‘Operation Lath’, which saw 13 people charged with a variety of offences connected to the gang’s activities.
Last month, Kulibaba’s wife, Latvian national Karina Kostromina, was sentenced to two years in prison for carrying out money laundering for the gang.
"These defendants were part of an organised network of computer criminals operating a state-of-the art international online banking fraud, through which they stole many millions of pounds from individuals and businesses in the UK and United States,” said detective inspector Colin Wetherill of the Metropolitan Police’s Police Central E-Crime Unit (PCeU).
"The investigation involved unprecedented levels of cooperation between the Metropolitan Police, the UK banks, the FBI and other UK and international law enforcement agencies,” he said.
The huge success of the gang’s attacks on online bank accounts probably had something to do with timing. The malware family used, Zeus (also known as SpyEye) was not easily detected by some security systems and the banks concerned clearly underestimated the speed with which it could compromise the accounts of users.