The Avalanche Takedown: Landslide for Law Enforcement

Black Hat USA 2017

Presented by: Tom Grasso
Date: Wednesday July 26, 2017
Time: 11:15 - 12:05
Location: South Seas CDF

It was a highly secure infrastructure of servers that allegedly offered cyber criminals an unfettered platform from which to conduct malware campaigns and "money mule" money laundering schemes, targeting victims in the U.S. and around the world. Estimates of the scope of the network put the dollar losses in the hundreds of millions and the number of infected systems at more than 500,000.

But the Avalanche network, which was specifically designed to thwart detection by law enforcement, turned out to be not so impenetrable after all. In December 2016, the FBI took part in a successful multi-national operation to dismantle Avalanche, alongside law enforcement partners representing 40 countries and with the cooperation of private sector partners. The investigation involved arrests and searches in four countries, the seizing of servers, and the unprecedented effort to sinkhole more than 800,000 malicious domains associated with the network.

The types of malware and money mule schemes operating over the Avalanche network varied. Ransomware such as Nymaim, for example, encrypted victims' computer files until the victim paid a ransom (typically in some form of electronic currency) to the cybercriminal. Other malware, such as GozNym, was designed to steal victims' sensitive banking credentials and use those credentials to initiate fraudulent wire transfers. The money mule schemes operating over Avalanche involved highly organized networks of "mules" who purchased goods with stolen funds, enabling cybercriminals to launder the money they acquired through the malware attacks or other illegal means.

Come hear about how the FBI worked jointly with other agencies, international organizations, foreign government partners, and the private sector to conduct the successful Avalanche takedown, and what the operation means for the future of cyber crime.

Tom Grasso

Tom Grasso has been an FBI Agent since 1998 and has worked for the FBI's Regional Computer Crime Squad in Chicago and the High Technology Crimes Task Force in Pittsburgh. He has also served as the FBI Liaison to the CERT/CC at Carnegie Mellon University. Mr. Grasso is now part of the FBI's Cyber Division and is assigned to the National Cyber-Forensics and Training Alliance (NCFTA) in Pittsburgh, a joint partnership between law enforcement, academia, and industry. He recently served as the FBI liaison to Italy for cyber matters while living in Rome.
