U.S. Department of Justice Charges Russian and Chinese Hackers

• The U.S. DoJ has unsealed indictments that go against five Chinese hackers of the “Winnti” group.
• The same agency has identified two Russian hackers who stole about $17 million by defrauding Americans.
• Bringing these people over to the United States for the deliverance of justice is an insurmountable challenge.

The U.S. Department of Justice (DoJ) has charged Russian and Chinese hackers in two separate cases that saw the light yesterday. The Russians, named Danil Potekhin and Dmitrii Karasavidi, face criminal charges and financial sanctions, as they are accused of having pocketed $17 million worth of crypto from a large number of victims through phishing.

The Chinese hackers, on the other side, are facing indictments that include computer intrusions in over a hundred companies in the United States and other countries. The five hackers are allegedly members of the APT41 group, also known as “Winnti”.

Starting from the two Russian hackers whose identities are known, they apparently created a large number of phishing websites that mimicked legitimate crypto-exchange platforms, tricking internet users into trusting them and entering their login information. The hackers then logged in to their victims’ accounts and moved the virtual currency through multiple intermediary addresses, swapped cryptocurrency types, and generally followed sophisticated methods in order to obscure their traces.

The U.S. Secret Service identified the signs of the laundering process, as the $17 million ended up in Karasavidi’s account in USD. This amount has been seized now, and the law enforcement authorities will do the same with all assets confirmed to be in possession of the two individuals. Since the two men defrauded American citizens and businesses (among others), their actions had resulted in U.S. sanctions.

The five hackers of the APT41 group pertain to a more complicated case that had and still has the FBI occupied for years now. Having the names and identities of these highly-skillful and knowledgeable hackers is a feat on its own, so here they are:

• Zhang Haoran (张浩然), 35
• Tan Dailin (谭戴林), 35
• Jiang Lizhi (蒋立志), 35
• Qian Chuan (钱川), 39
• Fu Qiang (付强), 37

The first two face 25 counts, while the last three face nine counts. They are all residents of the People’s Republic of China, so seeing them in front of a U.S. Judge is entirely unlikely. In the unsealed documents, there are details about how the hackers moved, what CVEs they exploited, and what targets they preferred to hit. In general, we see amazing diversity from “Winnti”, as these are not actors who are limited by their knowledge or toolset.

Hank Schless, Senior Manager, Security Solutions at Lookout, has provided us the following comment on the above:

“These indictments indicate how malicious actors are diversifying their tactics to achieve a broader range of outcomes. In particular, breaching gaming companies to steal in-game items and currency for real-world profit rather than stealing corporate data means security teams need to be sure their efforts are well-distributed across both internal and external systems.”