An international law enforcement operation involving 16 countries has resulted in the arrest of 20 individuals suspected of belonging to the QQAAZZ criminal network which attempted to launder tens of millions of euros on behalf of the world’s foremost cybercriminals.
Some 40 house searches were carried out in Latvia, Bulgaria, the U.K., Spain and Italy, with criminal proceedings initiated against those arrested by the U.S., Portugal, the U.K. and Spain. The largest number of searches in the case were carried out in Latvia in operations led by the Latvian State Police (Latvijas Valsts Policija). Bitcoin mining equipment was also seized in Bulgaria.
This international sweep follows a complex investigation led by the Portuguese Judicial Police (Polícia Judiciária) together with the United States Attorney Office for the Western District of Pennsylvania and the FBI’s Pittsburgh Field Office, alongside the Spanish National Police (Policia Nacional) and the regional Catalan police (Mossos D’esquadra) and law enforcement authorities from the U.K., Latvia, Bulgaria, Georgia, Italy, Germany, Switzerland, Poland, Czech Republic, Australia, Sweden, Austria and Belgium with coordination efforts led by Europol.
Criminal indictments returned by federal grand juries in Pittsburgh, United States, set forth allegations of how this criminal network operated. It is estimated that the QQAAZZ network laundered, or attempted to launder, tens of millions of euros in stolen funds since 2016.
Comprised of several layers of members mainly from Latvia, Georgia, Bulgaria, Romania, and Belgium, the QQAAZZ network opened and maintained hundreds of corporate and personal bank accounts at financial institutions throughout the world to receive money from cybercriminals who stole it from accounts of victims. The funds were then transferred to other QQAAZZ-controlled bank accounts and sometimes converted to cryptocurrency using ‘tumbling’ services designed to hide the original source of the funds. After taking a fee of up to 50-percent, QQAAZZ returned the balance of the stolen funds to their cybercriminal clientele.
The QQAAZZ members secured these bank accounts by using both legitimate and fraudulent Polish and Bulgarian identification documents to create and register dozens of shell companies which conducted no legitimate business activity. Using these registration documents, the QQAAZZ members then opened corporate bank accounts in the names of the shell companies at numerous financial institutions within each country, thereby generating hundreds of QQAAZZ-controlled bank accounts available to receive stolen funds from cyber thieves.
QQAAZZ advertised its services as a “global, complicit bank drops service” on Russian-speaking online cybercriminal forums where cybercriminals gather to offer or seek specialized skills or services needed to engage in a variety of cybercriminal activities. The criminal gangs behind some of the world’s most harmful malware families (e.g.: Dridex, Trickbot, GozNym, etc.) feature among those having benefited from the services provided by QQAAZZ.
The international law enforcement operation was coordinated by Europol whose specialists were also deployed to Latvia and the U.K. to support local authorities during the action days.