International Cybercrime Malware Service Dismantled by Federal Authorities

BOSTON – The U.S. Attorney’s Office announced today that, as part of an international law enforcement effort, federal authorities in Boston seized internet domains that were used to sell computer malware used by cybercriminals to secretly access and steal data from victims’ computers. Federal authorities in Atlanta and Boston also unsealed indictments charging individuals in Malta and Nigeria, respectively, for their alleged involvement in selling the malware and supporting cybercriminals seeking to use the malware for malicious purposes. 

Federal authorities in Boston seized www.warzone.ws and three related domains, which together offered for sale the Warzone RAT malware – a sophisticated remote access trojan (RAT) capable of enabling cybercriminals to surreptitiously connect to victims’ computers for malicious purposes. According to the court documents authorizing the seizures, the Warzone RAT provided cybercriminals the ability to browse victim file systems, take screenshots, record keystrokes, steal victim usernames and passwords, and watch victims through their web cameras, all without the victims’ knowledge or permission.

Additionally, two indictments have been unsealed against individuals involved in selling and supporting the Warzone RAT and other malware. 

Daniel Meli, 27, of Zabbar, Malta, was arrested on Feb. 7, and appeared for an initial appearance before Magistrate Judge in Valletta, Malta. Meli was indicted by a federal grand jury in the Northern District of Georgia on Dec. 12, 2023, with causing unauthorized damage to protected computers; illegally selling and advertising an electronic interception device; and participating in a conspiracy to commit several computer intrusion offenses. According to the charging documents, since at least 2012, Meli offered malware products and services for sale to cybercriminals on online computer-hacking forums. Specifically, Meli allegedly assisted cybercriminals seeking to use RATs for malicious purposes and offered teaching tools for sale, including an eBook. Meli also allegedly sold both the Warzone RAT and, before that, malware known as the Pegasus RAT, which he sold through an online criminal organization called Skynet-Corporation. He also provided online customer support to purchasers of both RATs. The Northern District of Georgia is seeking Meli’s extradition to the United States.

Separately, Prince Onyeoziri Odinakachi, 31, of Nigeria, was arrested by the Port Harcourt Zonal Command of Nigeria’s Economic and Financial Crimes Commission on Feb. 7. Odinakachi was indicted by a federal grand jury in the District of Massachusetts on Jan. 30 with conspiracy to commit multiple computer intrusion offenses, including to obtain authorized access to protected computers to obtain information and causing unauthorized damage to protected computers. According to the charging documents, between June 2019 and no earlier than March 2023, Odinakachi provided online customer support to individuals who purchased and used the Warzone RAT malware. 

According to court documents, in addition to discovering instances of the Warzone RAT being used to attack victim computers in Massachusetts, Warzone RAT malware was covertly purchased and analyzed confirming its multiple malicious functions. 

“This week's actions targeting the Warzone RAT infrastructure and personnel are another example of our tenacious and unwavering commitment to dismantling the malware tools used by cybercriminals,” said Acting U.S. Attorney Joshua S. Levy for the District of Massachusetts. “We will turn over every stone to prevent cybercriminals from attacking the integrity of our computer networks, and we will root out those who support such cybercriminals so they will be held accountable. Those who sell malware and support cybercriminals using it should know that they cannot hide behind their keyboards or international borders.” 

“Daniel Meli will no longer escape accountability for his actions selling malware,” said U.S. Attorney Ryan K. Buchanan for the Northern District of Georgia. “This alleged cybercriminal facilitated the takeover and infection of computers worldwide. Our office was proud to partner with our federal and international counterparts to find Meli and bring him to justice. We will continue to diligently investigate and prosecute cybercrime in the Northern District of Georgia, and in all parts of the globe where our district is impacted.” 
 
“Today, the FBI and our international law enforcement partners dismantled a sophisticated malware service that cybercriminals bought and utilized to infect the computer systems of unsuspecting victims here in Massachusetts, and around the world,” said Jodi Cohen, Special Agent in Charge of the FBI Boston Division. “This operation highlights the FBI’s ongoing commitment to unmask and bring to justice anyone who uses today’s technology nefariously. We urge anyone who is a victim of a Warzone RAT intrusion to report it to us at wzvictims.ic3.gov.”

The charges of conspiracy, obtaining authorized access to protected computers to obtain information, illegally selling an interception device, and illegally advertising an interception device each provide for a sentence of up to five years in prison, three years of supervised release and a fine of $250,000, or twice the gross gain or loss, whichever is greater. The charge of causing unauthorized damage to protected computers provides for a sentence of up to 10 years in prison, three years of supervised release, and a fine of $250,000, or twice the gross gain or loss, whichever is greater. Sentences are imposed by a federal district court judge based upon the U.S. Sentencing Guidelines and statutes which govern the determination of a sentence in a criminal case.
   
Acting U.S. Attorney Levy; FBI SAC Cohen; and U.S. Attorney Buchanan made the announcement today. Assistant U.S. Attorneys James R. Drabick and Carol E. Head for the District of Massachusetts obtained the seizure warrants and Drabick is handling the criminal prosecution of Odinakachi. Assistant U.S. Attorneys Bethany L. Rupert and Michael Herskowitz for the Northern District of Georgia are handling the criminal prosecution of Meli. 

The Justice Department’s Office of International Affairs provided substantial assistance during the investigation. Authorities also wish to acknowledge the cooperation and assistance of the Malta Police Force; Office of the Attorney General of Malta; Malta Ministry for Justice; Australian Federal Police; Croatian Ministry of the Interior Criminal Police Directorate; Dutch National Police; Europol European Cybercrime Center; Finland’s National Bureau of Investigation; State Police Force of Saxony, Germany; Japan Ministry of Justice; Port Harcourt Zonal Command of Nigeria’s Economic and Financial Crimes Commission (EFCC); Romanian National Police; and Royal Canadian Mounted Police. Law enforcement partners in Canada, Croatia, Finland, Germany, the Netherlands and Romania provided valuable assistance securing the servers hosting the Warzone RAT infrastructure.

Anyone who is a victim of a Warzone RAT computer intrusion is urged to report it to the FBI at https://wzvictims.ic3.gov. 

The details contained in the charging documents are allegations. The defendants are presumed innocent unless and until proven guilty beyond a reasonable doubt in a court of law.