Skip to main content

Assistant Attorney General Leslie R. Caldwell Delivers Remarks
for the Gameover Zeus and Cryptolocker Operations and Related Criminal Charges


Washington, DC
United States

Good afternoon and thank you, Deputy Attorney General Cole, for the warm welcome. It is indeed a pleasure to return to the Justice Department, and an honor to serve as the head of the Criminal Division. I am reminded today, however, of how much the cyber threat landscape has changed since I last worked as a federal prosecutor.

Evgeniy Bogachev and the members of his criminal network devised and implemented the kind of cyber crimes that you might not believe if you saw them in a science fiction movie. By secretly implanting viruses on computers around the world, they built a network of infected machines – or “bots” – that they could infiltrate, spy on, and even control, from anywhere they wished. Sitting quietly at their own computer screens, the cyber criminals could watch as the Gameover Zeus malware intercepted the bank account numbers and passwords that unwitting victims typed into computers and networks in the United States. And then the criminals turned that information into cash by emptying the victims’ bank accounts and diverting the money to themselves. Typically, by the time victims learned they had been infected with Gameover Zeus, it was too late.

The Cryptolocker scheme, by contrast, was brutally direct about obtaining victims’ money. Rather than watch and wait, the cyber criminals simply took the victim’s computer hostage until the computer owner agreed to pay a ransom directly to them. They used sophisticated encryption – a tool originally designed to protect data from theft – to make it impossible for victims to access any data stored on their computers. The criminals effectively held for ransom every private email, business plan, child's science project, or family photograph – every single important and personal file stored on the victim’s computer. In order to get their data back, computer owners had to hand over their cash. As with Gameover Zeus, once you learned you were infected with the Cryptolocker malware, it was too late.

As the Deputy Attorney General mentioned, these schemes were highly sophisticated and immensely lucrative, and as you can imagine, Bogachev and his co-conspirators did not make them easy to reach or disrupt. But under the leadership of the Justice Department, federal prosecutors, FBI agents and analysts, foreign law enforcement authorities in more than 10 different countries, and numerous private sector partners joined together to disrupt both these schemes.

Here is what we did: first, on May 7, in coordination with the FBI, Ukrainian authorities seized and copied key Gameover Zeus command servers in Kiev and Donetsk. Then, on Monday, May 19, as you will hear from U.S. Attorney Dave Hickton, we obtained sealed criminal charges against Bogachev in Pittsburgh charging him with illegal hacking, fraud and money laundering. We took more steps on Wednesday, May 28, obtaining civil court orders against Bogachev and his co-conspirators based on federal laws that prohibit ongoing fraud and the illegal interception of communications. These orders allowed us to cause the computers infected with Gameover Zeus to cease communicating with computer servers controlled by the criminals, and instead to contact a server established by the court order. The court also authorized us to collect information necessary to identify the victim computers so that we can provide that information to public- and private-sector entities that can help the victims rid their computers of the infection. At the same time, our foreign law enforcement partners seized critical computer servers used to operate Cryptolocker, which resulted in Cryptolocker being unable to encrypt victim files.

Beginning in the early morning hours on Friday and continuing through the weekend, the FBI and foreign law enforcement then began the coordinated seizure of computer servers around the world that had been the backbone of Gameover Zeus and Cryptolocker. These seizures took place in Canada, France, Germany, Luxembourg, the Netherlands, Ukraine and the United Kingdom. Recognizing that seizures alone would not be enough because cyber criminals can quickly establish new servers in other locations, our team began a carefully timed sequence of technical measures to wrest from the criminals the ability to send commands to hundreds of thousands of infected computers, and to direct those computers to contact the server that the court had authorized us to establish. Working from command posts in the United States and at the European Cybercrime Centre in the Hague, Netherlands, the FBI and our foreign counterparts—assisted by numerous private sector partners—worked feverishly around the clock to accomplish this re-direction and to defeat various defenses built into the malware, as well as countermeasures attempted in real time over the weekend by the cyber criminals who were trying to retain control over their network.

I am pleased to report that our actions have caused a major disruption of the Gameover Zeus botnet. Over the weekend, more than 300,000 victim computers have been freed from the botnet – and we expect that number to increase as computers are powered on and connected to the internet this week. We have already begun providing victim information to private sector parties who are poised to assist them. I am also pleased to report that, by Saturday, Cryptolocker was no longer functioning and its infrastructure had been effectively dismantled. Through these court-authorized operations, we have started to repair the damage the cyber criminals have caused over the past few years, we are helping victims regain control of their own computers, and we are protecting future potential victims from attack.

Over the next few days and weeks, our investigators and prosecutors will work with private-sector partners to notify infected victims and provide links to safe and trusted tools that can help them rid themselves of Gameover Zeus and Cryptolocker and then close the vulnerabilities through which their computers were infected. We will work with our foreign partners to continue the disruption of the botnet’s technical infrastructure and identify additional victims. And we will do our best to ensure that the operators cannot re-establish control over the infected machines and thus continue their lucrative enterprise.

These legal and technical measures, as cutting edge as they are, are far from a complete solution to these sophisticated threats. We fully expect that these schemes will re-emerge and evolve as the criminals target and infect new victims. That is why we are combining these measures with criminal charges against the defendant Evgeniy Bogachev for his role as an administrator of both schemes. We are asking Russian law enforcement to take action to bring this defendant and those working with him to justice, and will work with our counterparts to do so. As Deputy Attorney General Cole stated, it is only by combining traditional law enforcement actions with the type of innovative legal and technical measures announced today that we can begin to fully address modern cyber threats.

I want to thank all those who contributed to this operation, and in particular our private sector and international partners who worked so closely with us on this sophisticated operation. And now I would like to invite U.S. Attorney Dave Hickton of the Western District of Pennsylvania to make remarks.

Thank you.

Updated September 17, 2014