Daily Interesting News

Brexit heartlands: pro-leave Havering – a photo essay

The London borough saw one of the biggest leave votes in Britain last June and Romford is the biggest town in the borough. Photojournalist Sean Smith and Lisa O’Carroll met some of the people behind the politicsThe London borough saw one of the biggest leave votes in Britain last June and Romford is the biggest town in the borough. Photojournalist Sean Smith and Lisa O’Carroll met some of the people behind the politics

Havering – sandwiched between Essex and London – was one of the strongest pro-Brexit boroughs in the country, with 69.7% voting to leave the EU.

Its population has remained relatively constant between the two past censuses in 2001 and 2011, with a 6% increase in residents compared with a 14% London average, but the population of the main town, Romford, has shot up by 21%, reflecting a glut of new apartment blocks attracting families squeezed out of the London market.

Two other things stand out from the censuses: it has an older population than average for the capital and is one of the two least diverse boroughs in London (the other being Bromley). But in the 10 years between both censuses the make-up of the population has changed, with the minority ethnic population having more than doubled.

Is that one of the reasons why the borough opted so emphatically to exit the EU?

We go to Romford to find out.

Social club
 Members enjoying the music of Larry and the Streamers, who play classic songs from the 1960s
Romford United Services and Social Club was set up in 1921 by the ex-servicemen of Romford, who were in the armed forces during the first world war. The present site was opened following the second world war.

Hillary and Paul Webster, line dance teacher and DJs - Voted: remain, leave

 Hillary Webster and her husband Paul
Married couple Paul and Hillary Webster had what she describes as “a massive fallout” over the referendum after he voted remain and she voted Brexit.

“I think I’ve made a terrible mistake. I’m deeply regretting my decision. I don’t think I was given the correct information. Given another chance in another referendum I’d vote in now,” says Hillary, 61, a line dance teacher at Romford United Services and Social Club.

“I thought we had good reasons for going out. We had a better chance for the future. We weren’t making much of being in Europe. My mother used to say, ‘A pot has to stand on its own base,’ and Britain wasn’t standing on its own base.”

I think I’ve made a terrible mistake. I’m deeply regretting my decision
Hillary Webster
Paul, 59, is more sure-footed: “I didn’t believe the propaganda being put forward by the pro-Brexiters. I didn’t believe them on the amount of money we were sending to Europe. One of the most preposterous things they said was we’d be opening the floodgates to Turkey and there’d be 40 million more in the country. I also felt we’d be more united in our fight against terrorism if we stayed in Europe.”

Nine months down the line, she says she wishes she had listened to her husband. “I think I just went along with the idea of coming out. I thought it would mean new horizons in industry if we were to start all over again. I didn’t think we’d end up with the pound so weak. Nobody said, ‘Be careful, if you vote out, sterling will become instantly weak.’ I’m frightened I made a terrible mistake.”

Snooker club
 The Romford Snooker Club, famous as the club where Steve Davies started his career
The Romford Snooker Club is famous as the club where Steve Davis started his career. We met some friends playing there

Tom Binder, firefighter, 24 - Voted: leave

Binder was born into a Romford family with a history of public service. His brother is a paramedic and both his grandparents on one side were in the police.

I’m a bit nervous about article 50 now being implemented
Tom Binder
He voted Conservative in the last election and in favour of leaving the EU. “My main reason was the point they made in their manifesto about the money we pay into Europe going to be put back into the health service, but straight away after the referendum they said they didn’t actually say that.

“I voted that way because I thought it was going into the public services. I’m a bit nervous about article 50 now being implemented. Does it mean more cuts to the public services? They said they were putting £350m into the NHS. Now we know they were lying. I think I should have voted remain instead, but at the moment I do have faith.”

 Geologist Daniel Jobson with his friend Tom Binder
Binder’s friend, Daniel Jobson, 25, a geologist, also from Romford – Voted: remain

I think a lot of people, especially the media, jumped the gun and said the country would suffer
Daniel Jobson
“At the end of the day there was nothing wrong with the EU, the country wasn’t in tatters. I feel that everybody, especially in this area, voted leave because there weren’t compelling reasons put to stay.”

Does he still think he made the right decision? “I think a lot of people, especially the media, jumped the gun and said the country would suffer. But nine months down the line nothing has happened and it will take a long time before anyone knows what the impact will be. I may have regrets in two years’ time, or I may not have regrets in two years time. Right now, it’s way too early to say.”

Friday night
 Outside the clubs and pubs in Romford on Saturday night
Romford has a night-time economy that is almost as significant as the daytime economy, which is larger than in any other metropolitan centre in Greater London, with more than 100,000 sq ft of bars and pubs.

 Police making an arrest
Police making an arrest
Controlling the huge numbers of people out on the town who might be drunk and getting into fights is no small task for the local police force.

 A young man who had been asked to leave the centre earlier in the evening later found uncouncious after getting in a fight and hitting his head on the pavement
 A man who had been asked to leave the centre earlier in the evening
Police found this young man, who had been asked to leave the centre earlier in the evening, unconscious after getting into a fight and hitting his head on the pavement.

 Back at the police station doing paper work
 A busker on the streets
Back at the police station, there is a lot of paperwork to be done. Right, a busker on the streets
 Police officers moving on homeless men from a shopping centre
PC Pete Kirk has been with the police for 12 years and Michael Price for two years. They have been asked by a shopping centre security guard to move on two homeless men.

The allotments
 Pete Ward at the allotment with Ken Foley. Both voted to leave the EU
We met members of the Hornchurch and District Allotments and Gardening Society. The society has been established for more than 60 years. The society now has 15 sites and almost 700 members.


The stories you need to read, in one handy email
 Read more
Ken Foley, 76, retired - Voted: leave but wavering

Ken Foley (above with Pete Ward) has a plot as large as a mini-farm, tilled and rotovated for the season. He has put 400 runner bean seeds in, with sweetcorn, onions, beetroot, carrots, potatoes all ready to go.

Born and bred in Mile End, east London, Foley worked for Barclays Bank for 20 years as security in hostels it used to house staff hired from northern England.

“I voted to come out, but I’m wavering now, I don’t know if I did the right thing. I think we could come out worse. I thought it would be OK, we’d still have access to the free market, and now we might not. I think it’s going to be very hard.

Kawa Amin, doctor - Voted: remain

 Dr Kawa Amin who grew up in Baghdad but is Kurdish
Kawa Amin, a consultant geriatrician at Queen’s hospital, Romford, came to Britain from Baghdad three years before Saddam Hussein was toppled. Three months ago he landed himself two plots in the local allotment off Fontayne Avenue. He had not gardened before, but luckily he inherited fig, apple and plum trees.

He voted to remain. “I think most of the doctors I work with prefer to stay in, but some of the nurses voted to stay out because of the competition from workers from Italy and Spain. They thought they were competing with them and taking their jobs.”

Having grown up in a dictatorship, Amin is sanguine about the future. “Britain is a very strong constitutional country. Democracy is very deep-rooted.”

I think Europe itself will need Britain. Even if Britain is out, they will find some way to keep Britain close
Kawa Amin
Jim Hamilton, 72, retired software executive - Voted: leave

 Jim Hamilton
Hamilton intended to vote remain, largely to protect his pension. He changed his mind in the last week during a car journey across London that took four hours. 

He has voted Labour for most of his life, but 12 years ago switched to the Conservatives. “I started to lean very much towards Ukip in the last few years,” he says. “We can’t let more and more people in here. It just doesn’t work. The infrastructure isn’t there,” he says.

I don’t think Hammond and May are the right quality of people to do this
Jim Hamilton
“I’m glad I voted Brexit. I think it’s going to be very contentious. One of the things that our Westminster politicians are going to have to do now is make a decision because Brussels does that now. I don’t think they [Hammond and May] are the right quality of people to do this. It’s been easy for them because they’ve been able to say, ‘Oh, Brussels won’t let us do this, Brussels won’t let us do that.’”

He says life has not got better as the country has prospered and he blames politicians. “All the talk was about the future being paperless, how we’d all be able to retire at 50 because we’d be able to afford to and machines would be doing most of the work. Well, now we’re talking about people not being able to retire at 65, young people barely able to get by or scrape enough together to get a home.”

Dot Spendiff, 55, full-time carer - Voted: remain

 Dot Spendiff
Although her family is from Havering and she moved back two years ago, Spendiff considers herself a blow-in. She spent most of her life in Stratford, east London, and says she still sometimes feels as if Havering is stuck in the 1950s. In Stratford, she helped run the estate as it was a co-op.

“I lived with people from all over the world. I’m used to mixing with different types of people. It’s a bit of a shock coming back here,” she says, telling me she heard a council worker use the phrase “darkie”.

“Havering has a got a very high population of elderly people, but it’s changing because people are coming out here because of the housing situation and some people find that a bit of a threat to be honest, but to me it’s normal.”

“I lived in France when I was 19 and I think it’s really educational to go out of your own country and see it from outside. I like the idea of being part of Europe. I’m glad I voted remain.”

Bingo
 Romford Mecca at the Mall bingo night
The 1930s art deco bingo hall in Hornchurch was taken over by Lidl in 2015, and Mecca bingo nights are now held at The Mall shopping centre in Romford. For many, such as Brenda Bargh, the bingo nights are a chance to socialise.

 Romford Mecca at the Mall Bingo night
It’s not generally a young crowd but bingo is fun for all
 Romford Mecca at the Mall Bingo
 Romford Mecca at the Mall Bingo
 Brenda Barge at the Mecca Bingo
Brenda Bargh, 76, retired - Voted: leave

In her broderie anglaise top, Brenda Bargh, 76, is all dressed up for bingo night. She’s been going to the Romford Mecca hall for 18 years.

“I come on Sundays, Mondays and Wednesdays, Fridays and Saturdays. Tuesday and Thursday I have to clean the house,” she jokes. “It’s not really about the money, it’s my social. The staff are lovely to me and you get to meet a lot of people, we have a laugh. On bingo days I jump out of bed and think, ‘Great, it’s bingo day.’ I don’t know what I’d do if it closed. I’d just sit and mope at home.”

She voted for Brexit because she sensed a decline in the town and its community cohesiveness.

Immigration? It is an issue for some people but not for me. What I don’t like is the people who do the muggings
Brenda Bargh
There’s “zero” in the historic market square now, she says, and the old brewery has been turned into a retail park. “Immigration? It is an issue for some people but not for me, everyone has been kind to me all my life. What I don’t like is the people who do the muggings.”

Market town
 Romford Saturday market
Romford has a large street market run by Havering council. Dave Davies, 57, has run a ladieswear stall in the historic market for the past 12 years and Brexit couldn’t come quick enough for him.

Dave Davies, market stallholder - Voted: leave

 Dave Davies who runs the ladieswear stall at the market
Davies voted Ukip in the general election and voted to exit the EU. Why? “I was fed up with everything really – all the different rules and regulations, immigration – I feel like we’re not in control of our own country,” he says, explaining that his anti-EU feelings hardened after 2004 when Poland joined the EU.

“When they came in it was just loads of people, legal and illegal, it started to get out of hand. The country’s over-populated. It’s too much overflow. I think it’s too late, I think the ones that are here are going to stay.”

I don’t think it’s going to make much that much difference for my generation, but hopefully for the younger generation
Dave Davies
 TJ’s South Side tattooing & Body Piercing. Terry Simpson working on Max ’s first tattoo having done on his birthday
Terry Simpson, 54, and John Norton, 57, tattooists - Voted: leave and leave

 Terry Simpson and John Norton
Simpson is confident Britain has made the right decision. He voted Ukip but says he is a “nationalist” and the party’s views are not strong enough for him. He voted to put a stop to the “open door” policy on immigration and blames Tony Blair for failing to put restrictions in place when the EU enlarged to include Poland in 2004.

“Immigrants have been coming to this country for thousands of years, it’s not about referring back to previous waves of immigration, to the Indians or the West Indians.

“This was just an open-door policy and the name of the people who wanted to come to the country and work and contribute is blackened by those who come and put nothing back, that’s not right, is it?”

His business partner, John, who voted Tory, says he voted out partly because of the European court of justice. “Take Abu Hamza,” he says, referring to theradical cleric who preached at Finsbury Park mosque, “it took us eight years to get him out because of the Human Rights Act.”.

He’s also angry at reports that Britain may have to pay an exit bill estimated up to €60bn (£52bn). “When you get divorced you split the assets 50/50. After 40 years of paying into the EU, Theresa May should be asking for a share of the assets back.”

For 2,000 years we didn’t need them. It’s only in the last 40 years we’ve had to be part of that stupid organisation.
John Norton

ON THE MORNING of December 30, the day after Barack Obama imposed sanctions on Russia for interfering in the 2016 US election, Tillmann Werner was sitting down to breakfast in Bonn, Germany. He spread some jam on a slice of rye bread, poured himself a cup of coffee, and settled in to check Twitter at his dining room table.

The news about the sanctions had broken overnight, so Werner, a researcher with the cybersecurity firm CrowdStrike, was still catching up on details. Following a link to an official statement, Werner saw that the White House had targeted a short parade’s worth of Russian names and institutions—two intelligence agencies, four senior intelligence officials, 35 diplomats, three tech companies, two hackers. Most of the details were a blur. Then Werner stopped scrolling. His eyes locked on one name buried among the targets: Evgeniy Mikhailovich Bogachev.

Werner, as it happened, knew quite a bit about Evgeniy Bogachev. He knew in precise, technical detail how Bogachev had managed to loot and terrorize the world’s financial systems with impunity for years. He knew what it was like to do battle with him.

But Werner had no idea what role Bogachev might have played in the US election hack. Bogachev wasn’t like the other targets—he was a bank robber. Maybe the most prolific bank robber in the world. “What on earth is he doing on this list?” Werner wondered.



AMERICA’S WAR WITH Russia’s greatest cybercriminal began in the spring of 2009, when special agent James Craig, a rookie in the FBI’s Omaha, Nebraska, field office, began looking into a strange pair of electronic thefts. A square-jawed former marine, Craig had been an agent for just six months, but his superiors tapped him for the case anyway, because of his background: For years, he’d been an IT guy for the FBI. One of his nicknames in college was “the silent geek.”

While you log into seemingly secure websites, the malware modifies pages before they load, siphoning away your credentials and your account balance.
The leading victim in the case was a subsidiary of the payments-processing giant First Data, which lost $450,000 that May. That was quickly followed by a $100,000 theft from a client of the First National Bank of Omaha. What was odd, Craig noticed, was that the thefts seemed to have been executed from the victims’ own IP addresses, using their own logins and passwords. Examining their computers, he saw that they were infected with the same malware: something called the Zeus Trojan horse.

In online security circles, Craig discovered, Zeus was notorious. Having first appeared in 2006, the malware had a reputation among both criminals and security experts as a masterpiece—smooth, effective, versatile. Its author was a phantom. He was only known online, where he went by the handle Slavik, or lucky12345, or a half-dozen other names.


Zeus infected computers through fairly typical means: fake IRS emails, say, or illegitimate UPS shipping notices that tricked recipients into downloading a file. But once it was on your computer, Zeus let hackers play God: They could hijack websites and use a keystroke logger to record usernames, passwords, and PINs. Hackers could even modify login forms to request further valuable security information: a mother’s maiden name, a Social Security number. The ruse is known as a “man in the browser” attack. While you sit at your computer logging into seemingly secure websites, the malware modifies pages before they load, siphoning away your credentials and your account balance. Only when you log in from a different computer do you even realize the money is gone.

By the time Craig started his investigation, Zeus had become the digital underground’s malware of choice—the Microsoft Office of online fraud. Slavik was something rare in the malware world: a genuine professional. He regularly updated the Zeus code, beta-testing new features. His product was endlessly adaptable, with variants optimized for different kinds of attacks and targets. A computer infected with Zeus could even be folded into a botnet, a network of infected computers that can be harnessed together to run spam servers or distributed denial-of-service attacks, or send out more deceptive emails to spread the malware further.

But sometime shortly before Craig picked up his case in 2009, Slavik had begun to change tack. He started cultivating an inner circle of online criminals, providing a select group with a variant of his malware, called Jabber Zeus. It came equipped with a Jabber instant-message plug-in, allowing the group to communicate and coordinate attacks—like in the two Omaha thefts. Rather than rely on broad infection campaigns, they began to specifically target corporate accountants and people with access to financial systems.

As Slavik turned increasingly to organized crime, he dramatically narrowed his retail malware business. In 2010 he announced his “retirement” online and then released what security researchers came to call Zeus 2.1, an advanced version of his malware protected by an encryption key—effectively tying each copy to a specific user—with a price tag upwards of $10,000 per copy. Now, Slavik was only dealing with an elite, ambitious group of criminals.

“We had no idea how big this case was,” Craig says. “The amount of activity from these guys was phenomenal.” Other institutions began to come forward with losses and accounts of fraud. Lots of them. Craig realized that, from his desk in suburban Omaha, he was chasing a well-organized international criminal network. “The victims started falling out of the sky,” Craig says. It dwarfed any other cybercrime the FBI had tackled before.


CRAIG’S FIRST MAJOR break in the case came in September 2009. With the help of some industry experts, he identified a New York–based server that seemed to play some sort of role in the Zeus network. He obtained a search warrant, and an FBI forensics team copied the server’s data onto a hard drive, then overnighted it to Nebraska. When an engineer in Omaha examined the results, he sat in awe for a moment. The hard drive contained tens of thousands of lines of instant message chat logs in Russian and Ukrainian. Looking over at Craig, the engineer said: “You have their Jabber server.”

This was the gang’s whole digital operation—a road map to the entire case. The cybersecurity firm Mandiant dispatched an engineer to Omaha for months just to help untangle the Jabber Zeus code, while the FBI began cycling in agents from other regions on 30- or 90-day assignments. Linguists across the country pitched in to decipher the logs. “The slang was a challenge,” Craig says.

One woman explained that she’d become a money mule after a job at a grocery store fell through, telling an agent: “I could strip, or I could do this.”
The messages contained references to hundreds of victims, their stolen credentials scattered in English throughout the files. Craig and other agents started cold-calling institutions, telling them they had been hit by cyberfraud. He found that several businesses had terminated employees they suspected of the thefts—not realizing that the individuals’ computers had been infected by malware and their logins stolen.

The case also expanded beyond the virtual world. In New York one day in 2009, three young women from Kazakhstan walked into the FBI field office there with a strange story. The women had come to the States to look for work and found themselves participating in a curious scheme: A man would drive them to a local bank and tell them to go inside and open a new account. They were to explain to the teller that they were students visiting for the summer. A few days later, the man had them return to the bank and withdraw all of the money in the account; they kept a small cut and passed the rest on to him. Agents pieced together that the women were “money mules”: Their job was to cash out the funds that Slavik and his comrades had siphoned from legitimate accounts.

By the summer of 2010, New York investigators had put banks across the region on alert for suspicious cash-outs and told them to summon FBI agents as they occurred. The alert turned up dozens of mules withdrawing tens of thousands of dollars. Most were students or newly arrived immigrants in Brighton Beach. One woman explained that she’d become a mule after a job at a grocery store fell through, telling an agent: “I could strip, or I could do this.” Another man explained that he’d be picked up at 9 am, do cash-out runs until 3 pm, and then spend the rest of the day at the beach. Most cash-outs ran around $9,000, just enough to stay under federal reporting limits. The mule would receive 5 to 10 percent of the total, with another cut going to the recruiter. The rest of the money would be sent overseas.

“The amount of organization these kids—they’re in their twenties—were able to pull together would’ve impressed any Fortune 100 company,” the FBI’s James Craig says.
The United States, moreover, was just one market in what investigators soon realized was a multinational reign of fraud. Officials traced similar mule routes in Romania, the Czech Republic, the United Kingdom, Ukraine, and Russia. All told, investigators could attribute around $70 million to $80 million in thefts to the group—but they suspected the total was far more than that.

Banks howled at the FBI to shut the fraud down and stanch the losses. Over the summer, New York agents began to close in on high-ranking recruiters and the scheme’s masterminds in the US. Two Moldovans were arrested at a Milwaukee hotel at 11 pm following a tip; one suspect in Boston tried to flee a raid on his girlfriend’s apartment and had to be rescued from the fire escape.

Meanwhile, Craig’s case in Omaha advanced against the broader Jabber Zeus gang. The FBI and the Justice Department had zeroed in on an area in eastern Ukraine around the city of Donetsk, where several of the Jabber Zeus leaders seemed to live. Alexey Bron, known online as “thehead,” specialized in moving the gang’s money around the world. Ivan Viktorvich Klepikov, who went by the moniker “petr0vich,” ran the group’s IT management, web hosting, and domain names. And Vyacheslav Igorevich Penchukov, a well-known local DJ who went by the nickname “tank,” managed the whole scheme, putting him second in command to Slavik. “The amount of organization these kids—they’re in their twenties—were able to pull together would’ve impressed any Fortune 100 company,” Craig says. The gang poured their huge profits into expensive cars (Penchukov had a penchant for high-end BMWs and Porsches, while Klepikov preferred Subaru WRX sports sedans), and the chat logs were filled with discussions of fancy vacations across Turkey, Crimea, and the United Arab Emirates.

By the fall of 2010, the FBI was ready to take down the network. As officials in Washington called a high-profile press conference, Craig found himself on a rickety 12-hour train ride across Ukraine to Donetsk, where he met up with agents from the country’s security service to raid tank’s and petr0­vich’s homes. Standing in petr0vich’s living room, a Ukrainian agent told Craig to flash his FBI badge. “Show him it’s not just us,” he urged. Craig was stunned by the scene: The hacker, wearing a purple velvet smoking jacket, seemed unperturbed as agents searched his messy apartment in a Soviet-­style concrete building; his wife held their baby in the kitchen, laughing with investigators. “This is the gang I’ve been chasing?” Craig thought. The raids lasted well into the night, and Craig didn’t return to his hotel until 3 am. He took nearly 20 terabytes of seized data back to Omaha.

With 39 arrests around the world—stretching across four nations—investigators managed to disrupt the network. But crucial players slipped away. One top mule recruiter in the US fled west, staying a step ahead of investigators in Las Vegas and Los Angeles before finally escaping the country inside a shipping container. More important, Slavik, the mastermind himself, remained almost a complete cipher. Investigators assumed he was based in Russia. And once, in an online chat, they saw him reference that he was married. Other than that, they had nothing. The formal indictment referred to the creator of the Zeus malware using his online pseu­do­nym. Craig didn’t even know what his prime suspect looked like. “We have thousands of photos from tank, petr0­vich—not once did we see Slavik’s mug,” Craig says. Soon even the criminal’s online traces vanished. Slavik, whoever he was, went dark. And after seven years of chasing Jabber Zeus, James Craig moved on to other cases.


ABOUT A YEAR after the FBI shut down the Jabber Zeus ring, the small community of online cybersecurity researchers who watch for malware and botnets began to notice a new variant of Zeus emerge. The malware’s source code had been leaked online in 2011—perhaps purposefully, perhaps not—effectively turning Zeus into an open source project and setting off an explosion of new variants. But the version that caught the eyes of researchers was different: more powerful and more sophisticated, particularly in its approach to assembling botnets.

Until then, most botnets used a hub-and-spoke system—a hacker would program a single command server to distribute orders directly to infected machines, known as zombie computers. The undead army could then be directed to send out spam emails, distribute malware, or target websites for denial­-of-service attacks. That hub-and-spoke design, though, made botnets relatively easy for law enforcement or security researchers to dismantle. If you could knock the command server offline, seize it, or disrupt a hacker’s ability to communicate with it, you could usually break the botnet.

The gang’s strategy represented an evolutionary leap in organized crime: Now they could do everything remotely, never touching a US jurisdiction.
This new Zeus variant, however, relied on both traditional command servers and peer-to-peer communication between zombie machines, making it extremely difficult to knock down. Infected machines kept a constantly updated list of other infected machines. If one device sensed that its connection with the command server had been interrupted, it would rely on the peer-to-peer network to find a new command server.

The network, in effect, was designed from the start to be takedown-proof; as soon as one command server was knocked offline, the botnet owner could just set up a new server somewhere else and redirect the peer-to-peer network to it. The new version became known as GameOver Zeus, after one of its file names, gameover2.php. The name also lent itself naturally to gallows humor: Once this thing infects your computer, went a joke among security experts, it’s game over for your bank accounts.

As far as anyone could tell, GameOver Zeus was controlled by a very elite group of hackers—and the group’s leader was Slavik. He had reemerged, more powerful than ever. Slavik’s new crime ring came to be called the Business Club. A September 2011 internal announcement to the group—introducing members to a new suite of online tools for organizing money transfers and mules—concluded with a warm welcome to Slavik’s select recipients: “We wish you all successful and productive work.”

Like the Jabber Zeus network, the Business Club’s prime directive was knocking over banks, which it did with even more ruthless inventiveness than its predecessor. The scheme was multipronged: First, the GameOver Zeus malware would steal a user’s banking credentials, intercepting them as soon as someone with an infected computer logged into an online account. Then the Business Club would drain the bank account, transferring its funds into other accounts they controlled overseas. With the theft complete, the group would use its powerful botnet to hit the targeted financial institutions with a denial-of-service attack to distract bank employees and prevent customers from realizing their accounts had been emptied until after the money had cleared. On November 6, 2012, the FBI watched as the GameOver network stole $6.9 million in a single transaction, then hit the bank with a multiday denial-of-­service attack.

Unlike the earlier Jabber Zeus gang, the more advanced network behind GameOver focused on larger six- and seven-figure bank thefts—a scale that made bank withdrawals in Brooklyn obsolete. Instead, they used the globe’s interconnected banking system against itself, hiding their massive thefts inside the trillions of dollars of legitimate commerce that slosh around the world each day. Investigators specifically identified two areas in far eastern China, close to the Russian city of Vladivostok, from which mules funneled huge amounts of stolen money into Business Club accounts. The strategy, investigators realized, represented an evolutionary leap in organized crime: Bank robbers no longer had to have a footprint inside the US. Now they could do everything remotely, never touching a US jurisdiction. “That’s all it takes to operate with impunity,” says Leo Taddeo, a former top FBI official.



BANKS WEREN’T THE gang’s only targets. They also raided the accounts of nonfinancial businesses large and small, nonprofits, and even individuals. In October 2013, Slavik’s group began deploying malware known as CryptoLocker, a form of ransomware that would encrypt the files upon an infected machine and force its owner to pay a small fee, say, $300 to $500, to unlock the files. It quickly became a favorite tool of the cybercrime ring, in part because it helped transform dead weight into profit. The trouble with building a massive botnet focused on high-level financial fraud, it turns out, is that most zombie computers don’t connect to fat corporate accounts; Slavik and his associates found themselves with tens of thousands of mostly idle zombie machines. Though ransomware didn’t yield huge amounts, it afforded the criminals a way to monetize these otherwise worthless infected computers.

The concept of ransomware had been around since the 1990s, but CryptoLocker took it mainstream. Typically arriving on a victim’s machine under the cover of an unassuming email attachment, the Business Club’s ransomware used strong encryption and forced victims to pay using bitcoin. It was embarrassing and inconvenient, but many relented. The Swansea, Massachusetts, police department grumpily ponied up $750 to get back one of its computers in November 2013; the virus “is so complicated and successful that you have to buy these bitcoins, which we had never heard of,” Swansea police lieutenant Gregory Ryan told his local newspaper.

“When a bank gets attacked en masse—100 transactions a week—you stop caring about the specific malware and the individual attacks; you just need to stop the bleeding,” says one Dutch security expert.
The following month, the security firm Dell SecureWorks estimated that as many as 250,000 machines worldwide had been infected with CryptoLocker that year. One researcher traced 771 ransoms that netted Slavik’s crew a total of $1.1 million. “He was one of the first to realize how desperate people would be to regain access to their files,” Brett Stone-Gross, a researcher with Dell SecureWorks at the time, says of Slavik. “He didn’t charge an exorbitant amount, but he made a lot of money and created a new type of online crime.”

As the GameOver network continued to gain strength, its operators kept adding revenue streams—renting out their network to other criminals to deliver malware and spam or to carry out projects like click fraud, ordering zombie machines to generate revenue by clicking on ads on fake websites.

With each passing week, the cost to banks, businesses, and individuals from GameOver grew. For businesses, the thefts could easily wipe out a year’s profits, or worse. Domestically, victims ranged from a regional bank in north Florida to a Native American tribe in Washington state. As it haunted large swathes of the private sector, GameOver absorbed more and more of the efforts of the private cybersecurity industry. The sums involved were staggering. “I don’t think anyone has a grasp of the full extent—one $5 million theft overshadows hundreds of smaller thefts,” explains Michael Sandee, a security expert at the Dutch firm Fox-IT. “When a bank gets attacked en masse—100 transactions a week—you stop caring about the specific malware and the individual attacks; you just need to stop the bleeding.”

Many tried. From 2011 through 2013, cybersecurity researchers and various firms mounted three attempts to take down GameOver Zeus. Three European security researchers teamed up to make a first assault in the spring of 2012. Slavik easily repelled their attack. Then, in March 2012, Microsoft’s Digital Crimes Unit took civil legal action against the network, relying upon US marshals to raid data centers in Illinois and Pennsylvania that housed Zeus command-­and-control servers and aiming legal action against 39 individuals thought to be associated with the Zeus networks. (Slavik was first on the list.) But Microsoft’s plan failed to put a dent in GameOver. Instead it merely clued Slavik in to what investigators knew about his network and allowed him to refine his tactics.



BOTNET FIGHTERS ARE a small, proud group of engineers and security researchers—self-proclaimed “internet janitors” who work to keep online networks running smoothly. Within that group, Tillmann Werner—the tall, lanky German researcher with the security firm CrowdStrike—had become known for his flair and enthusiasm for the work. In February 2013 he seized control of the Kelihos botnet, an infamous malware network built on Viagra spam, live onstage during a presentation at the cybersecurity industry’s biggest conference. But Kelihos, he knew, was no GameOver Zeus. Werner had been watching GameOver since its inception, marveling at its strength and resilience.

In 2012 he had linked up with Stone-Gross—who was just a few months out of graduate school and was based in California—plus a few other researchers to map out an effort to attack GameOver. Working across two continents largely in their spare time, the men plotted their attack via online chat. They carefully studied the previous European effort, identifying where it had failed, and spent a year preparing their offensive.

At the peak of their attack, the researchers controlled 99 percent of Slavik’s network—but they’d overlooked a critical source of resilience in GameOver’s structure.
In January 2013, they were ready: They stocked up on pizza, assuming they were in for a long siege against Slavik’s network. (When you go against a botnet, Werner says, “you have one shot. It either goes right or wrong.”) Their plan was to reroute GameOver’s peer-to-peer network, centralize it, and then redirect the traffic to a new server under their control—a process known as “sinkholing.” In doing so, they hoped to sever the botnet’s communication link to Slavik. And at first, everything went well. Slavik showed no signs of fighting back, and Werner and Stone-Gross watched as more and more infected computers connected to their sinkhole by the hour.

At the peak of their attack, the researchers controlled 99 percent of Slavik’s network—but they’d overlooked a critical source of resilience in GameOver’s structure: a small subset of infected computers were still secretly communicating with Slavik’s command servers. “We missed that there’s a second layer of control,” Stone-Gross says. By the second week, Slavik was able to push a software update to his whole network and reassert his authority. The researchers watched with dawning horror as a new version of GameOver Zeus propagated across the internet and Slavik’s peer-to-peer network began to reassemble. “We immediately saw what happened—we’d completely neglected this other channel of communication,” Werner says.

The researchers’ ploy—nine months in the making—had failed. Slavik had won. In a trollish online chat with a Polish security team, he crowed about how all the efforts to seize his network had come to naught. “I don’t think he thought it was possible to take down his botnet,” Werner says. Dejected, the two researchers were eager to try again. But they needed help—from Pittsburgh.


OVER THE PAST DECADE, the FBI’s Pittsburgh field office has emerged as the source of the government’s biggest cybercrime indictments, thanks in no small part to the head of the local cybersquad there, a onetime furniture salesman named J. Keith Mularski.

An excitable and gregarious agent who grew up around Pittsburgh, Mularski has become something of a celebrity in cyber­security circles. He joined the FBI in the late ’90s and spent his first seven years in the bureau working espionage and terrorism cases in Washington, DC. Jumping at the chance to return home to Pittsburgh, he joined a new cyber ­initiative there in 2005, despite the fact that he knew little about computers. Mularski trained on the job during a two-year undercover investigation chasing identity thieves deep in the online forum DarkMarket. Under the screen name Master Splyntr—a handle inspired by Teenage Mutant Ninja Turtles—Mularski managed to become a DarkMarket administrator, putting himself at the center of a burgeoning online criminal community. In his guise, he even chatted online with Slavik and reviewed an early version of the Zeus malware program. His DarkMarket access eventually helped investigators arrest 60 people across three continents.

Even after millions of dollars in thefts, neither the FBI nor the security industry had so much as a single Business Club member’s name.
In the years that followed, the head of the Pittsburgh office decided to invest aggressively in combating cybercrime—a bet on its increasing importance. By 2014, the FBI agents in Mularski’s squad, together with another squad assigned to a little-known Pittsburgh institution called the National Cyber-Forensics and Training Alliance, were prosecuting some of the Justice Department’s biggest cases. Two of Mularski’s agents, Elliott Peterson and Steven J. Lampo, were chasing the hackers behind GameOver Zeus, even as their desk-mates simultaneously investigated a case that would ultimately indict five Chinese army hackers who had penetrated computer systems at Westinghouse, US Steel, and other companies to benefit Chinese industry.

The FBI’s GameOver case had been under way for about a year by the time Werner and Stone-Gross offered to join forces with the Pittsburgh squad to take down Slavik’s botnet. If they had approached any other law-enforcement agency, the response might have been different. Government cooperation with industry was still a relatively rare phenomenon; the Feds’ style in cyber cases was, by reputation, to hoover up industry leads without sharing information. But the team in Pittsburgh was unusually practiced at collaboration, and they knew that the two researchers were the best in the field. “We jumped at the chance,” Mularski says.

Both sides realized that in order to tackle the botnet, they needed to work on three simultaneous fronts. First, they had to figure out once and for all who was running GameOver—what investigators call “attribution”—and build up a criminal prosecution; even after millions of dollars in thefts, neither the FBI nor the security industry had so much as a single Business Club member’s name. Second, they needed to take down the digital infrastructure of GameOver itself; that’s where Werner and Stone-Gross came in. And third, they needed to disable the botnet’s physical infrastructure by assembling court orders and enlisting the help of other governments to seize its servers across the globe. Once all that was done, they needed partners in the private sector to be ready with software updates and security patches to help recover infected computers the moment the good guys had control of the botnet. Absent any one of those moves, the next effort to take down GameOver Zeus was likely to fail just as the previous ones had.

The network was run through two password-protected British websites, which contained careful records, FAQs, and a “ticket” system for resolving technical issues.
With that, Mularski’s squad began to stitch together an international partnership unlike anything the US government had ever undertaken, enlisting the UK’s National Crime Agency, officials in Switzerland, the Netherlands, Ukraine, Luxembourg, and a dozen other countries, as well as industry experts at Microsoft, CrowdStrike, McAfee, Dell SecureWorks, and other companies.

First, to help nail down Slavik’s identity and get intelligence on the Business Club, the FBI teamed up with Fox-IT, a Dutch outfit renowned for its expertise in cyber-­forensics. The Dutch researchers got to work tracing old usernames and email addresses associated with Slavik’s ring to piece together an understanding of how the group operated.

The Business Club, it turned out, was a loose confederation of about 50 criminals, who each paid an initiation fee to access GameOver’s advanced control panels. The network was run through two password-protected British websites, ­Visitcoastweekend.com and Work.businessclub.so, which contained careful records, FAQs, and a “ticket” system for resolving technical issues. When investigators got legal permission to penetrate the Business Club server, they found a highly detailed ledger tracking the group’s various ongoing frauds. “Everything radiated professionalism,” Fox-IT’s Michael Sandee explains. When it came to pinpointing the precise timing of transactions between financial institutions, he says, “they probably knew better than the banks.”

goz3.jpg
CHAD HAGAN

ONE DAY, AFTER months of following leads, the investigators at Fox-IT got a tip from a source about an email address they might want to look into. It was one of many similar tips they’d chased down. “We had a lot of bread crumbs,” Mularski says. But this one led to something vital: The team was able to trace the email address to a British server that Slavik used to run the Business Club’s websites. More investigative work and more court orders eventually led authorities to Russian social media sites where the email address was connected to a real name: Evgeniy Mikhailovich Bogachev. At first it was meaningless to the group. It took weeks’ more effort to realize that the name actually belonged to the phantom who had invented Zeus and created the Business Club.

Slavik, it turned out, was a 30-year-old who lived an upper-middle-class existence in Anapa, a Russian resort city on the Black Sea. Online photos showed that he enjoyed boating with his wife. The couple had a young daughter. One photo showed Bogachev posing in leopard-print pajamas and dark sunglasses, holding a large cat. The investigative team realized that he had written the first draft of Zeus when he was just 22 years old.

The team couldn’t find specific evidence of a link between Bogachev and the Russian state, but some entity seemed to be feeding Slavik specific terms to search for in his vast network of zombie computers.
But that wasn’t the most astounding revelation that the Dutch investigators turned up. As they continued their analysis, they noticed that someone at the helm of GameOver had been regularly searching tens of thousands of the botnet’s infected computers in certain countries for things like email addresses belonging to Georgian intelligence officers or leaders of elite Turkish police units, or documents that bore markings designating classified Ukrainian secrets. Whoever it was was also searching for classified ­material linked to the Syrian conflict and Russian arms dealing. At some point, a light bulb went off. “These are espionage commands,” Sandee says.

GameOver wasn’t merely a sophisticated piece of criminal malware; it was a sophisticated intelligence-­gathering tool. And as best as the investigators could determine, Bogachev was the only member of the Business Club who knew about this particular feature of the botnet. He appeared to be running a covert operation right under the noses of the world’s most prolific bank robbers. The FBI and Fox-IT team couldn’t find specific evidence of a link between Bogachev and the Russian state, but some entity seemed to be feeding Slavik specific terms to search for in his vast network of zombie computers. Bogachev, it appeared, was a Russian intelligence asset.

In March 2014, investigators could even watch as an international crisis played out live inside the snow globe of Bogachev’s criminal botnet. Weeks after the Sochi Olympics, Russian forces seized the Ukrainian region of Crimea and began efforts to destabilize the country’s eastern border. Right in step with the Russian campaign, Bogachev redirected a section of his botnet to search for politically sensitive information on infected Ukrainian computers—trawling for intelligence that might help the Russians anticipate their adversaries’ next moves.

The team was able to construct a tentative theory and history of Bogachev’s spycraft. The apparent state connection helped explain why Bogachev had been able to operate a major criminal enterprise with such impunity, but it also shed new light on some of the milestones in the life of Zeus. The system that Slavik used to make his intelligence queries dated back approximately to the moment in 2010 when he faked his retirement and made access to his malware far more exclusive. Perhaps Slavik had appeared on the radar of the Russian security services at some point that year, and in exchange for a license to commit fraud without prosecution—outside Russia, of course—the state made certain demands. To carry them out with maximum efficacy and secrecy, Slavik asserted tighter control over his criminal network.

The discovery of Bogachev’s likely intelligence ties introduced some trickiness to the operation to take down GameOver—especially when it came to the prospect of enlisting Russian cooperation. Otherwise, the plan was rumbling along. Now that the investigators had zeroed in on Bogachev, a grand jury could finally indict him as the mastermind behind GameOver Zeus. American prosecutors scrambled to bring together civil court orders to seize and disrupt the network. “When we were really running, we had nine people working this—and we only have 55 total,” says Michael Comber of the US Attorney’s office in Pittsburgh. Over a span of months, the team painstakingly went to internet service providers to ask permission to seize GameOver’s existing proxy servers, ensuring that at the right moment, they could flip those servers and disable Slavik’s control. Meanwhile, the Department of Homeland Security, Carnegie Mellon, and a number of antivirus companies readied themselves to help customers regain access to their infected computers. Weekly conference calls spanned continents as officials coordinated action in Britain, the US, and elsewhere.

By late spring 2014, as pro-Russian forces fought in Ukraine proper, the American-­led forces got ready to move in on GameOver. They’d been plotting to take down the network for more than a year, carefully reverse-engineering the malware, covertly reading the criminal gang’s chat logs to understand the group’s psychology, and tracing the physical infrastructure of servers that allowed the network to propagate around the globe. “By this point, these researchers knew the malware better than the author,” says Elliott Peterson, one of the lead FBI agents on the case. As Mularski recalls, the team checked off all the crucial boxes: “Criminally, we can do it. Civilly, we can do it. Technically we can do it.” Working with a cast of dozens, communicating with more than 70 internet service providers and a dozen other law enforcement agencies from Canada to the United Kingdom to Japan to Italy, the team readied an attack to commence on Friday, May 30.

8-takedown-1.svg
THE WEEK LEADING up to the attack was a frantic scramble. When Werner and Stone-Gross arrived in Pittsburgh, Peterson had them over to his family’s apartment, where his kids gawked at Werner and his German accent. Over dinner and Fathead beer, they took stock of their looming attempt. They were running way behind—Werner’s code wasn’t close to being ready. Over the rest of the week, as Werner and Stone-Gross raced to finish writing, another team assembled the last court orders, and still others ran herd on the ad hoc group of two dozen governments, companies, and consultants who were helping to take GameOver Zeus down. The White House had been briefed on the plan and was waiting for results. But the effort seemed to be coming apart at the seams.

For instance, the team had known for months that the GameOver botnet was controlled by a server in Canada. But then, just days before the attack, they discovered that there was a second command server in Ukraine. The realization made hearts drop. “If you’re not even aware of the second box,” Werner says, “how sure are you that there’s not a third box?”

Bogachev readied for battle—wrestling for control of his network, testing it, redirecting traffic to new servers, and deciphering the Pittsburgh team’s method of attack.
On Thursday, Stone-Gross carefully talked more than a dozen internet service providers through the procedures they needed to follow as the attack launched. At the last minute, one key service provider backed out, fearful that it would incur Slavik’s wrath. Then, on Friday morning, Werner and Stone-Gross arrived at their office building on the banks of the Monongahela River to find that one of the operation’s partners, McAfee, had prematurely published a blog post announcing the attack on the botnet, titled “It’s ‘Game Over’ for Zeus and Cryptolocker.”

After frantic calls to get the post taken down, the attack finally began. Canadian and Ukrainian authorities shut down GameOver’s command servers, knocking each offline in turn. And Werner and Stone-Gross began redirecting the zombie computers into a carefully built “sinkhole” that would absorb the nefarious traffic, blocking the Business Club’s access to its own systems. For hours, the attack went nowhere; the researchers struggled to figure out where the bugs lay in their code.

By 1 pm, their sinkhole had drawn in only about a hundred infected computers, an infinitesimal percentage of the botnet that had grown to as many as half a million machines. A line of officials stood behind Werner and Stone-Gross in a conference room, literally watching over their shoulders as the two engineers debugged their code. “Not to put any pressure on you,” Mularski urged at one point, “but it’d be great if you could get it running.”

Finally, by evening Pittsburgh time, the traffic to their sinkhole began to climb. On the other side of the world, Bogachev came online. The attack had interrupted his weekend. Perhaps he didn’t think much of it at first, given that he had easily weathered other attempts to seize control of his botnet. “Right away, he’s kicking the tires. He doesn’t know what we’ve done,” Peterson recalls. That night, yet again, Bogachev readied for battle—wrestling for control of his network, testing it, redirecting traffic to new servers, and deciphering the Pittsburgh team’s method of attack. “It was cyber-hand-to-hand combat,” recalls Pittsburgh US attorney David Hickton. “It was amazing to watch.”

The team was able to monitor Bogachev’s communication channels without his knowledge and knock out his Turkish proxy server. Then they watched as he tried to come back online using the anonymizing service Tor, desperate to get some visibility into his losses. Finally, after hours of losing battles, Slavik went silent. The attack, it appeared, was more than he had bargained for. The Pittsburgh team powered on through the night. “He must’ve realized it was law enforcement. It wasn’t just the normal researcher attack,” Stone-Gross says.

By Sunday night, nearly 60 hours in, the Pittsburgh team knew they’d won. On Monday, June 2, the FBI and Justice Department announced the takedown and unsealed a 14-count indictment against Bogachev.

Over the coming weeks, Slavik and the researchers continued to do occasional ­battle—Slavik timed one counter­attack for a moment when Werner and Stone-Gross were presenting at a conference in Montreal—but ultimately the duo prevailed. Amazingly, more than two years later, the success has largely stuck: The botnet has never reassembled, though about 5,000 computers worldwide remain infected with Zeus malware. The industry partners are still maintaining the server sinkhole that’s swallowing up the traffic from those infected computers.

For about a year after the attack, so-called account-takeover fraud all but disappeared in the US. Researchers and investigators had long assumed that dozens of gangs must have been responsible for the criminal onslaught that the industry endured between 2012 and 2014. But nearly all of the thefts came from just a small group of highly skilled criminals—the so-called Business Club. “You come into this and hear they’re everywhere,” Peterson says, “and actually it’s a very tiny network, and they’re much easier to disrupt than you think.”



IN 2015, THE State Department put a $3 million bounty on Bogachev’s head, the highest reward the US has ever posted for a cyber­criminal. But he remains at large. According to US intelligence sources, the government does not, in fact, suspect that Bogachev took part in the Russian campaign to influence the US election. Rather, the Obama administration included him in the sanctions to put pressure on the Russian government. The hope is that the Russians might be willing to hand over Bogachev as a sign of good faith, since the botnet that made him so useful to them is defunct. Or maybe, with the added attention, someone will decide they want the $3 million reward and tip off the FBI.

The uncomfortable truth is that Bogachev and other Russian cybercriminals lie pretty far beyond America’s reach.
But the uncomfortable truth is that Bogachev and other Russian cybercriminals lie pretty far beyond America’s reach. The huge questions that linger over the GameOver case—like those surrounding Bogachev’s precise relationship to Russian intelligence and the full tally of his thefts, which officials can only round to the nearest $100 million or so—foreshadow the challenges that face the analysts looking into the election hacks. Fortunately, the agents on the case have experience to draw from: The DNC breach is reportedly being investigated by the FBI’s Pittsburgh office.

In the meantime, Mularski’s squad and the cybersecurity industry have also moved on to new threats. The criminal tactics that were so novel when Bogachev helped pioneer them have now grown commonplace. The spread of ransomware is accelerating. And today’s botnets—especially Mirai, a network of infected Internet of Things devices—are even more dangerous than Bogachev’s creations.

Nobody knows what Bogachev himself might be cooking up next. Tips continue to arrive regularly in Pittsburgh regarding his whereabouts. But there are no real signs he has reemerged. At least not yet