IELR Blog

OECD Issues Mandatory Disclosure Rules to Combat CRS Avoidance and Offshore Structures

January 10, 2018 by Bruce Zagaris Leave a Comment

In December, the OECD issued a public consultation document, requiring mandatory disclosure rules to combat CRS avoidance and offshore structures. Comments are due January 15, 2018.

The consultation document is prepared in response to the Bari Declaration, issued by the G7 Finance Ministers on 13 May, 2017. It calls on the OECD to start “discussing possible ways to address arrangements designed to circumvent reporting under the Common Reporting Standard or aimed at providing beneficial owners with the shelter of non-transparent structures.”

The Declaration states that these discussions should include consideration of “model mandatory disclosure rules inspired by the approach taken for avoidance arrangements outlined within the BEPS Action 12 Report.” The consultation document sets forth at the end of the document model legislation.

The reason for the consultation document is that the International Consortium for Investigative Journalists (ICIJ) has shown, especially through the publication of the Panama Papers and the Paradise Papers, certain professional advisers continue to design, market, or assist in the implementation of offshore structures and arrangements that can be used by non-compliant taxpayers to circumvent the correct reporting of relevant information to the tax administration of their jurisdiction of residence.

Due to these continuing offshore structures and arrangements and in response to the mandate from the G7 Finance Ministers, the OECD is currently considering a range of approaches that could be taken to address arrangements designed to circumvent or attempt to circumvent the CRS (“CRS Avoidance Arrangements”) and the use of non-transparent offshore structures to conceal actual beneficial ownership (“Offshore Structures”). Such approaches include measures focussed on improving intelligence for tax administrations within the existing information exchange and legislative framework (e.g. improved collaboration through JITSIC,as well as the use of group requests and spontaneous exchanges of information), as well as policy measures, such as additional regulatory intervention or additional disclosure obligation.

The proposed model rules contained in the consultation require an Intermediary (or taxpayer) to disclose certain relevant information to its tax administration regarding CRS Avoidance Arrangements an d Opaque Offshore Structures. Disclosures of such information can assist tax administrations in gathering intelligence on schemes that are being used or marketed to taxpayers in their respective jurisdictions. In addition, the model rules were designed to facilitate the spontaneous exchange of information where the information provided by Intermediaries relates to one or more specific Reportable Taxpayers.

It is contemplated that such information would be spontaneously exchanged with the tax administration(s) of the jurisdictions in which the concerned Reportable Taxpayer is resident for tax purposes pursuant to the applicable international legal instruments. The modalities, timing and form of the information to be spontaneously exchanged will be further defined in an operational agreement.

A mandatory disclosure regime contains five key elements:

(a) A description of the arrangements that are required to be disclosed (i.e. the hallmarks of a disclosable scheme).

(b) A description of the persons required to disclose such arrangements (i.e. the Intermediaries that are subject to reporting obligations under the rules);

(c) A trigger for the imposition of a disclosure obligation (i.e. the point in time when an obligation to disclose crystallises under the rules)

(d) A description of what information is required to be reported (including any exceptions from reporting).

(e) Appropriate penalties for non-compliance.

The hallmarks are very broadly worded.

In some cases the requirement to report is retroactive to July 15, 2014, the date the CRS became effective.

The consultation paper says the requirements respect legal professional privacy, but it appears narrowly defined.

Because the model law has penal provisions, the consultation paper has important potential consequences.

A fuller discussion of the consultation paper will appear in the January 2018 issue of the International Enforcement Law Reporter.

Use of Digital Currency to Evade U.S. Sanctions

January 5, 2018 by Bruce Zagaris 2 Comments

In the last month, the Venezuelan and Russian governments have discussed the use of digital currency to evade U.S. sanctions.

In particular, on December 3, 2017, Nicolas Maduro suggested the idea in a television speech. His plans are to create the Petro, which would be backed by Venezuela’s commodities (gold, oil, gas and diamond reserves) similar to the way gold has in the past supported the dollar.

Although the Russian government has expressed concern about the potential use of virtual currencies to commit crimes, more recently Russian President Vladimir Putin has indicated a willingness to explore the use of virtual currency to counteract U.S.. sanctions.

A recent book, Bitcoin and Cryptocurrency Technologies: A Comprehensive Introduction by Arvind Narayanan, Joseph Bonneau, Edward Felten, Andrew Miller & Steven Goldfeder, addresses fundamental questions about the pros and cons of using virtual currency. How does virtual currency operate? What makes it different? How secure is virtual currency? How anonymous are virtual currency users? What applications can we build using virtual currency (i.e., Bitcoin) as a platform? Can cryptocurrencies be regulated? If we were to design a new cryptocurrency today, what would we change? What might the future hold?

One obstacle for users of virtual currency involves ensuring that the payments are made without having to use a third party, such as a government agency. A purely peer-to-peer version of electronic cash would allow online payments to be sent directly from one party to another without going through a financial institution. Digital signatures provide part of the solution, but the main benefits are lost if a trusted third party (i.e., financial regulator) is still required to prevent double-spending.

Some experts have proposed a solution to the double-spending problem using a peer-to-peer network.

A recent article has mapped the design space for numerous proposed modifications, providing comparative analyses for alternative consensus mechanisms, currency allocation mechanisms, computational puzzles, and key management tools.

The same article surveys anonymity issues in Bitcoin and provides an evaluation framework for analyzing a variety of privacy-enhancing proposal.

In addition, the article provides new insights on what we term disintermediation protocols, which absolve the need for trusted intermediaries in an interesting set of applications.

As governments and other persons seek to evade sanctions regimes and otherwise circumvent international treaties and national laws, governments and stakeholders in those regimes, laws, and treaties will also seek to regulate virtual currency and crack the anonymity in order to implement and enforce the treaties and laws.

U.S. Private Investigative Firm Kroll Releases 2nd Report on the 2014 Moldovan Bank Scandal

January 3, 2018 by Zarine Kharazian Leave a Comment

On December 22, U.S. private investigative firm Kroll published its second report on the 2014 Moldovan bank fraud scandal. This blog post provides background on the scandal, as well as commentary on the contents of the report.

Background: The 2014 Moldovan Bank Scandal and the First Kroll Report

In November 2014, more than $750 million disappeared from three Moldovan banks over just two days. The three banks – Banca de Economii, Unibank and Banca Socială – declared bankruptcy that month, prompting the National Bank of Moldova to bail them out with $870 billion in loans. The bailout reportedly created a government deficit equivalent to roughly one-eighth of the entire country’s GDP.

In January 2015, the National Bank of Moldova commissioned the U.S. investigative firm Kroll to conduct a confidential investigation of the fraud. The Kroll report, which the speaker of the Moldovan Parliament, Andrian Candu, leaked to the public in May 2015, revealed what investigators believed to be a “co-ordinated effort within the banks to deliberately disguise” the nearly billion dollars’ worth of transactions and their beneficiaries. The investigators tie nearly all of the transactions to Ilan Shor, a Moldovan millionaire businessman and politician, or companies either directly owned by or connected to him.

According to the first Kroll Report, between 2012 and 2014, the three banks paid out more than three billion dollars in loans to companies linked to Shor. The funds were funneled through a convoluted international money laundering scheme that primarily involved using UK limited partnerships with Latvian bank accounts as “shell” companies.

The Second Kroll Report

In their second report, Kroll investigators provide more details on the profiles of the scheme’s beneficiaries. They report that at least 77 companies make up what they term the “Shor Group:” a group of companies linked to Ilan Shor all of which documentary evidence suggests participated to some degree the coordinated fraud effort.

Over a period of two years, the companies reportedly increased their ownership stake in the three banks, thereby increasing their control over the loan approval process within each bank. Loans are approved by the Board of Directors of each bank. Kroll reported that its investigators contacted two government-appointed members of the board for one of the banks, BEM, and both members stated that had not been invited to any board meetings in November 2015, and were not informed of any loans granted during that month.

In November 2014, the companies comprising the Shor Group concentrated their loan exposure, which had up until then been spread across the three banks, into one bank – BEM. According to the Kroll report, this move “allowed the Three Moldovan Banks to pool their liquidity into BEM and enabled BEM to increase lending.”

The Core Laundering Mechanism

A series of companies were then established. These companies held a total of 81 bank accounts at two Latvian banks. The majority of the accounts were held either by UK limited partnerships or offshore companies registered in offshore tax jurisdictions, such as Belize and Panama. Investigators believe most of these accounts were established solely for the purpose of laundering money. The report describes the primary laundering mechanism in detail:

The laundering mechanisms included the frequent transfer of funds between linked accounts, the splitting of funds and layering through other accounts, simultaneous issuing and repaying of an overdraft by two linked companies to disguise the onward flow and the frequent and apparently arbitrary switching of currencies between accounts.

The investigators consider both the complexity as well as timing of the laundering mechanism to be indicative of a “highly coordinated professional laundering operation.” At one point, they point to “numerous examples” in the operation where money “flowed through a series of accounts within seconds.”

Fore more commentary on the 2nd Kroll report, see the upcoming January 2018 issue of the International Enforcement Law Reporter.

OECD Global Forum on Tax Transparency Highlights Enforcement Initiatives in Annual Report

January 2, 2018 by Bruce Zagaris Leave a Comment

On December 20, 2017, the OECD Global Forum on Transparency and Exchange of Information for Tax Purposes issued its annual report.

It noted the fact that 50 jurisdictions have committed to starting Automatic Exchange of Information in September 2017 pursuant to the OECD Common Reporting Standard (CRS). As the jurisdictions that participated in the 2017 exchanges are preparing to use the data for enforcement purposes, most of the remaining jurisdictions are preparing now to make their initial exchanges in September 2018. Already the report on the 2017 implementation period is ready. The Global Forum is preparing to conduct full reviews of the implementation of automatic exchange of information (AEOI) by 2020.

The OECD has developed a plan of action to expand AEOI to developing countries.

The Global Forum has finished the first round of peer reviews on exchange of information on request (EOIR). Almost all the jurisdictions have received a satisfactory level of implementation. The GF will now conduct a second round of peer reviews against the 2016 Terms of Reference.

As of November 2017, the number of countries participating in the Multilateral Convention on Assistance in Tax Matters (CAM) reached 115. An additional 11 countries have requested to join.

More than 96% of the jurisdictions that have committed to implement the AEOI Standard also have decided to join the CRS Multilateral Competent Authority Agreement (the CRS MCAA) for putting in place necessary arrangements for exchanging financial account information. Hence, multilateralism on exchange of information is gaining momentum.

The GF’s annual report highlights the progress made in exchange of information and the targets set for 2018.

Clearly, EOIR and AEOI have developed gateways to facilitating the access to financial information by tax authorities. The authorities are increasingly using the data to develop enforcement cases against taxpayers and tax intermediaries.

The January issue of the IELR will have an article on these developments.

North Korea calls U.N. Sanctions an “Act of War” and Threatens Retaliation

December 28, 2017 by Madeline Henshaw-Greene Leave a Comment

On December 22, the U.N. Security Council voted unanimously to tighten economic sanctions on North Korea in response to its sixth nuclear test on November 29, which involved the launching of a missile that the regime warns could reach the United States. This is the Council’s third attempt this year to exert enough pressure on Kim Jong-Un to force him to halt his country’s nuclear weapons program and come to the table for negotiations. According to U.S. Secretary of State Rex Tillerson, in order for talks to begin North Korea must show “a sustained cessation” of its aggressive behavior, while Pyongyang vows that it will not consider joining the negotiations until the United States ends its practice of hostility towards the DPRK.

Until said negotiations take place, the Council has voted to drastically cut the number of crude oil and refined petroleum imports to North Korea by nearly 90 percent, which will likely be devastating to the North Korean military and nuclear programs. Furthermore, the Council called on its members to expel all North Korean guest workers within the next two years. Russia and China, both members of the Security Council and the closest nations North Korea has as allies, are two of the biggest employers of North Koreans working abroad and a major source of foreign income for the DPRK. On December 26, the United States put in place further sanctions against two North Korean individuals who are believed to be instrumental in the country’s development of ballistic missiles.

North Korea has not responded favorably to the tightened sanctions, referring to them as tantamount to an economic blockade and an “act of war”. In a statement from the North Korean foreign ministry, the government promised to “further consolidate [its] self-defensive nuclear deterrence”, in direct violation of the Council’s ostensible goal of eventual denuclearization. The foreign ministry in Pyongyang called on the United States to “wake up from its pipe dream of our country giving up nuclear weapons” if it “wishes to live safely”. North Korea also threatened retaliation against the member nations of the Security Council, saying that all those in favor of the resolution “will pay a heavy price for what they have done”.

For more on this, click the following links:

U.N. Security Council Cracks Down on North Korea After November Missile Launch – The Wall Street Journal

North Korea Calls U.N. Sanctions an “Act of War” – The New York Times

U.S. imposes sanctions on two key figures in North Korea’s weapons program – The Washington Post

“INTERPOL Reviewing 40,000 Wanted Notices for Political Abuse” – What’s Behind the Message?

December 27, 2017 by Yuriy Nemets Leave a Comment

On December 1, 2017, the Associated Press reported that according to a confidential memorandum INTERPOL was reviewing 40,000 red notices to ensure they were not politically motivated. A red notice is a request any of the 192 member countries can disseminate via INTERPOL’s channels to seek the location and arrest of a wanted person for the purposes of his or her extradition. Article 3 of the INTERPOL Constitution strictly forbids the organization to undertake any intervention or activities of a political, military, religious or racial character. However, in a number of cases INTERPOL has found that some of its member countries have used the organization’s resources to persecute political opponents and other victims of unlawful criminal prosecutions.

The memorandum reflects the November 20 meeting between INTERPOL and European Union officials held after two European Union citizens, Dogan Akhanli, a German-Turkish writer, and Hamza Yalcin, a Swedish-Turkish journalist, were detained in Spain at Turkey’s request disseminated via INTERPOL’s channels. Akhanli and Yalcin fled Turkey years ago and were granted refugee status in Europe. Unfortunately, like many reports and studies behind INTERPOL’s policies and regulations, the full text of the memorandum is not available to the general public. If INTERPOL does indeed strive to observe human rights, as it must under its Constitution, it should be transparent about such initiatives. So far, the reports in the media leave more questions than answers.

It is unclear how exactly INTERPOL is planning on conducting such a massive review in an effective and objective manner. To thoroughly examine 40,000 red notices to ensure they are not politically motivated would be a colossal undertaking. The volume of information requiring careful and comprehensive consideration would be enormous, even if INTERPOL’s staff and funding were significantly increased. In this regard, it is important to remember that in many cases INTERPOL would have to go far beyond what’s already recorded in its files, that is, the minimum information a government must produce to have its request disseminated, such as the nature of the charge behind the red notice, the identity particulars, the description of the facts of the case, and a reference to the country’s criminal statute and a valid arrest warrant. To determine whether the red notice is politically motivated or not, INTERPOL would often need objective information about all the circumstances of the case. In this regard, the high volume of information is not the only reason to question the effectiveness and objectivity of such a review. Because INTERPOL’s rules prohibit the organization from sharing any information it receives from a government about a particular case without the government’s consent, INTERPOL would often have to look to that government alone for any objective information.

The report, citing the memorandum, rightfully points to the reforms INTERPOL recently undertook to expand the rights of individuals. However, despite the reforms, the existing redress mechanism for individuals still lacks some crucial safeguards inherent to the modern democratic due process, such as the right to a hearing, the right to examine the evidence produced by the government, and the right to appeal. In June 2014, the INTERPOL Executive Committee endorsed a new policy on refugees. The policy, however, does not guarantee any refugee the right to have the red notice deleted. It is formulated in such a way that it allows INTERPOL to make exceptions and deny a refugee the relief whenever the organization deems proper. Another important gap is that the policy doesn’t grant refugees an exception to the general rule that INTERPOL doesn’t disclose whether there is information about the individual in its databases without the government’s consent. As a result, refugees, like other individuals, often learn that their names are recorded in the organization’s databases after they are detained due to the INTERPOL alert. This is one of the main reasons why the detention of individuals, like Akhanli and Yalcin, continues despite the fact that the policy has been in place for several years.

To its credit, INTERPOL continues to engage in a dialogue with human rights advocates who seek to ensure that the organization isn’t used to persecute political opponents or aid an otherwise unlawful prosecution. INTERPOL is in need of further reforms to guarantee individuals due process. It should actively work towards achieving this goal while staying fully transparent about its activities in this area.

Yuriy Nemets is the managing member at NEMETS, a law firm based in Washington, DC. Yuriy is an attorney with over fifteen years of experience in domestic and international litigation and arbitration, international extradition, corporate, banking, transportation, international trade and investments, and intellectual property law. He has authored publications about international extradition, corporate, banking, and intellectual property law.

The Latest on WannaCry: North Korea Decries Accusations; U.S. Comments on Marcus Hutchins’ Arrest

December 27, 2017 by Zarine Kharazian Leave a Comment

At a White House press briefing on December 19, 2017, President Donald Trump’s Homeland Security Advisor Tom Bossert publicly attributed the destructive WannaCry cyberattack to North Korea.

Over a period of several days in May 2017, the WannaCry ransomware crippled hundreds of thousands of personal and corporate computer networks in over 150 countries, until a UK computer security researcher, Marcus Hutchins, inadvertently discovered a “kill-switch” in the malware’s code that disabled the attack. Until Tuesday, the attack had not been publicly attributed to any particular state or non-state actor.

“After careful investigation, the United States is publicly attributing the massive WannaCry cyberattack to North Korea,” Bossert said during the briefing. “We do not make this allegation lightly. We do so with evidence, and we do so with partners.”

Bossert went on to praise corporate partners, in particular Microsoft and Facebook, for their role in disabling North Korean hacking and cyber operations directed towards the U.S. “Last week, Microsoft and Facebook and other major tech companies acted to disable a number of North Korean cyber exploits and disrupt their operations as the North Koreans were still infecting computers across the globe. They shut down accounts the North Korean regime hackers used to launch attacks and patched systems.”

Bossert then introduced Jeanette Manfra, Assistant Secretary for the Office of Cybersecurity for DHS. Bossert and Manfra went on to repeatedly stress the importance of public-private sector cooperation in cybersecurity matters. “In many ways, WannaCry was a defining moment and an inspiring one,” Manfra said. “It demonstrated the tireless commitment of our industry partners, a moment that showed how the government and private sector got it right; that our preparation, our investments in cybersecurity, keeping our systems up to date, and sharing information paid off.”

The Assistant Secretary also called for strengthening international cooperation with regards to cyber: “To prevent another attack like WannaCry, we are calling on all companies to commit to the collective defense of our nation. And this commitment does not end on our borders… it is only through international partnerships that the United States had time to prepare.”

On December 26, 2017, North Korea’s envoy in charge of U.S. affairs at the UN, Pak Song Il, demanded that the U.S. prove that the North Koreans were behind WannaCry. North Korea’s state-controlled media denounced the U.S.’s allegations as “reckless.”

Comments on the Recent Indictment of Marcus Hutchins

During the briefing, a reporter asked Bossert for comments on the recent DOJ indictment of Marcus Hutchins on unrelated computer fraud charges in early August. The DOJ has charged Hutchins for his alleged involvement of the Kronos banking Trojan, which experts believe was created in 2014 and distributed via the now-defunct cryptocurrency exchange AlphaBay. Hutchins is currently awaiting a court date, and has pleaded not guilty to the charges.

Bossert declined to comment on the ongoing criminal prosecution. He did acknowledge Hutchins’ role in disabling WannaCry, saying that “we… had a programmer that was sophisticated, that noticed a glitch in the malware, a kill-switch, and then acted to kill it. He took a risk, it worked, and it caused a lot of benefit. So we’ll give him that.”

Bossert did not give Hutchins all, or even most, of the credit, however. “[I]t wasn’t luck — it was preparation,” he clarified. [I]t was partnership with private companies, and so forth.”

Hutchins’ indictment had come as a shock to the cybersecurity community, which considered him somewhat of a hero for his role in disabling WannaCry. Immediately following his arrest, many of his colleagues took to Twitter to voice their skepticism of the charges. In September, however, Brian Krebs, an American investigative reporter and cybersecurity blogger, published an in-depth investigative piece titled, “Who is Marcus Hutchins” on his popular cybersecurity blog, KrebsonSecurity. In intricate detail, complete with screenshots of his process as well as a mindmap of his data points, Krebs excavates the dozens of online pseudonyms, email addresses, and posts in hacker forums linked to Hutchins’ early online accounts. He manages to link Hutchins to several online personas involved in selling malicious software on hacker forums.

A Look at the European Commission’s Amicus Brief in United States v. Microsoft Corp

December 15, 2017 by Zarine Kharazian Leave a Comment

On December 13, 2017, the European Commission filed an amicus brief in the United States v. Microsoft Corp case set to go before the U.S. Supreme Court in the 2018 term. The case concerns the U.S. Justice Department’s access to an individual’s private emails stored at Microsoft’s Dublin data center. In December 2013, the DOJ served Microsoft a warrant compelling it to disclose the private communications of an individual the government had reason to believe was engaged in criminal drug activity. When Microsoft turned over the account information stored on its U.S. servers, but refused to disclose the information stored at its Dublin center, the legal battle ensued.

At Issue: The Extraterritorial Application of the Stored Communications Act’s Warrant Provisions

The Stored Communications Act (SCA) – which is part of the broader Electronic Communications Privacy Act (ECPA) of 1986 – allows the government to require that an electronic communications provider disclose information about a particular communication upon being served a probable-cause-based warrant. At issue in this case is whether the warrant provisions of the Stored Communications Act (SCA) apply extraterritorially, such that they compel Microsoft, an electronic service provider, to produce private electronic communications stored on servers in Ireland for the United States government.

The European Commission’s Brief

While the Commission stresses that the EU takes “no position on the ultimate question of the Stored Communication Act’s proper construction under U.S. law,” it nevertheless implores that the Supreme Court consider EU data protection laws, particularly the General Data Protection Regulation (GDPR) set to go into effect in May 2018, when making its decision. The Commission argues that the GDPR applies in this case because the actions Microsoft must take to fully comply with the Justice Department’s warrant constitutes data “processing” to and from the European Union.

Chapter 5 of the GDPR explicitly addresses the transfer of data from the EU to a non-member state. The GDPR specifies two main circumstances under which personal data may be transferred from the European Union to a non-member state:

Article 47 allows transfers in cases in which the Commission has ruled that the third party’s data protection laws provide an “adequate level of protection.” In determining the adequacy of a particular data protection regime, the Commission examines the third party’s rule of law and the presence and functioning of relevant regulatory authorities, among other elements.
In the absence of the provisions in Article 47 being satisfied, Article 48 allows transfers to a third party if the data controller or processor has ensured “appropriate safeguards,” which many include standard data protection clauses, binding enforcement authority, and legal recourse for data subjects, among other guarantees.

In cases that do not resemble either of the above circumstances, Article 49 outlines “derogations for specific situations.” In its brief, the Commission identifies two provisions that are most relevant to the case at hand:

When a transfer is “necessary for important reasons of public interest;” and
When a transfer is “necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interest or rights and freedoms of the data subject.”

With regards to the first provision, the Commission concedes that the Justice Department’s request for data generally would be seen as meant to further an “objective general interest:” the “fight against serious crime, a well as “criminal law enforcement and international cooperation in that respect.”

With regards to the second provision, however, the Commission is vaguer. It remains an open question whether the interests, however legitimate, underlying the Justice Department’s request for data override “the interests or rights and freedoms of the data subject.” Thus, while the Commission abstains from siding with either party explicitly, its implication is clear: should the Court rule in favor of the U.S. Justice Department, the U.S. may run afoul of the EU data protection regime, and face EU states’ national regulatory authorities’ ire.

The Commission’s brief: European Commission Amicus Brief in Support of Neither Party

An Update on the IELR Media Presence: Connect with us on Facebook!

December 8, 2017 by Zarine Kharazian Leave a Comment

After 32 years and 33 volumes, the International Enforcement Law Reporter is delighted to have vamped up its online presence! We just launched a Facebook page, where we will be regularly posting updates and exclusive offers. You can check out our Facebook here.

In addition to following our new Facebook page, here are all of the ways you may now connect with the IELR online:

Our website, http://ielr.com/, provides analysis on the latest developments in the international enforcement law field. This companion blog supplements that analysis.

Also, don’t forget to connect with us on Twitter: https://twitter.com/IELR.

And for free blog post updates, exclusive promotional offers, and more, make sure to sign up for our mailing list here: http://eepurl.com/c5dqFn.

Like our blog posts, and want more content? Check out our print and online subscription options here: http://ielr.com/content/subscribe.

From the editorial team at the International Enforcement Law Reporter, thank you for your support!

International Cyber Operation Dismantles Andromeda Botnet

December 4, 2017 by Zarine Kharazian Leave a Comment

On Monday, Europol announced that, the Federal Bureau of Investigation (FBI), in cooperation with several European government and private sector partners, had dismantled the Andromeda botnet, the longest-running botnet in existence.

What is a botnet?

The term “botnet” is a portmanteau of the words “robot” and “network.” A botnet is a network of connected computers infected with malware. Botnets allow malicious actors to remotely control a large network of infected computers. Whoever is in control of the botnet can remotely direct the infected computers to send spam emails and viruses, mine Bitcoins, and record sensitive information by downloading keyloggers.

Botnets are also often employed by cybercriminals to launch denial of service (DoS) attacks. DoS attacks result in an interruption in the target’s services, and the owner of the targeted website must often pay the attackers a fee, or comply with some other demand, to regain control of their site.

The Andromeda Malware

According to the Europol press release, the Andromeda malware was detected or blocked on an average of over one million machines each month. Discovered in 2011, this malware is modular and dynamic. It does not have one particular use, but rather, can be modified for many uses through freely-available modules that function as keyloggers, form grabbers, rootkits, etc. The malware is often used to remotely direct computers on the botnet to install additional malicious software. There are many different versions of Andromeda, and they use a variety of infection methods, among them illegal downloads, phishing campaigns, and malicious attachments.

Connection to the Avalanche Platform

Andromeda was infamously used in the Avalanche network, an international criminal infrastructure platform that was dismantled by an international cyber operation in November 2016. Avalanche was used to launch massive malware attacks across the globe, and caused an estimated EUR 6 million in damages to the online banking system in Germany alone. In addition, experts estimate the malware attacks conducted via Avalanche cost hundreds of millions of euros worldwide.

In the end, taking down Avalanche for good demanded close cooperation from the prosecutorial and investigative arms of 30 national governments. The collaborators used a method called sinkholing to ultimately disable the platform. Sinkholing involves redirecting traffic between infected computers to servers controlled by law enforcement authorities or a security company, usually by assuming the domains used by the criminals.

Information obtained during the Avalanche investigation was shared with the appropriate authorities via Europol during the Andromeda case. Andromeda was subject to 48 hours of sinkholing, during which authorities collected approximately 2 million unique victim IP addresses from 233 countries.

Law enforcement authorities have arrested a suspect in Belarus, but have yet to reveal the suspect’s identity.