The Coreflood Report
In 2003, we analyzed a trojan named "Autoproxy", which was designed to build a botnet of proxy machines that criminals could use for online anonymity. We later found that this trojan was related to an older trojan known as Coreflood, or AFcore, an IRC trojan that had been around since at least 2002. By 2004, Autoproxy had been rolled into the Coreflood codebase, and the trojan stopped using IRC as its control mechanism and moved to HTTP. Around the same time, the trojan began to be used to steal data from infected users, leading to a high-profile case where over $90,000 was taken from one individual's bank account.
The victim was Joe Lopez, a Miami businessman who, according to press reports, ran a small printer ink and toner business called Ahlo Inc. Lopez regularly used wire transfers both to send and receive money from business contacts in the US and Latin America. On April 6, 2004, an unauthorized wire transfer of $90,348 was made to Parex Bank in Riga, Latvia. Around $20,000 was withdrawn before the account was frozen and the US Secret Service began investigating. A forensic investigation of the PC used by Lopez and his business found that it was infected with the Coreflood trojan. Lopez filed suit against his bank, alleging that the bank was negligent in failing to protect his account from compromise through known risks. The case is thought to be the first time a customer has sued a bank over cybercrime losses in the US.