Case Law Database

Cybercrime

Acts against the Confidentiality, Integrity and Availability of Computer, Data and Systems

• Illegal data/ system interference

Computer-related acts for personal or financial gain

• Fraud

Keywords

• Electronic Evidence

Participation in an organized criminal group

Offences

• Participation in criminal activities of organized criminal group

LG Bonn, Urteil vom 07.07.2009, 7 KLs 01/09

Fact Summary

The case involved a phishing scheme operated by an organized criminal group of which the defendant was a member.

The key figure of the phishing system in question, which was used from 2007 onwards, was a person called "H3" or "H4". He coordinated the organized criminal group, assigned the members their specific tasks and took care of the finances. He calculated the shares of the profits the members were entitled to and made sure they were transferred to them. He was also in charge of reimbursing the members for any expenses incurred on behalf of the group, including the rent for the servers from which the phishing scheme was operated. H3, together with a person called B5, provided “drops” (accounts of financial agents) and communicated with the “drop leaders” and “nalers”. H3 was further in charge of registering and creating websites used to recruit financial agents, in particular the websites "G1 D.com", "T2.com" and "T4 .com". The domain names were registered by L on behalf of H3.

The malware necessary for the phishing operations quickly became outdated due to adaptations of anti-virus software; hence, a new version of the malware, in this case mainly trojans, had to be created several times in one week. The updated versions were partially developed by members of the organized criminal group and partially purchased from external service providers. During the time period considered by the court in this case, the updated versions were developed by persons outside the group.

The spamming, meaning the dissemination of the malware, was undertaken by four to five different members of the group via e-mails and banner advertisements. The so-called “spammer”, also known as A1, was the main person in charge of this task. Other members that were also involved were W1 and M2.

The computers infected by the malware via spamming were integrated in a bot net, which was controlled by a so-called log-server. This server could send commands to the infected computer, i.e. to download a key logger, or information on what data should be “phished”. Using this scheme, the members of the organized criminal group illicitly retrieved online-banking data, including account number and name, bank codes, personal identification numbers (PINs) and transaction authentication numbers (TANs), as well as data to access various other online services. Moreover, the server was used as a “drop zone”, meaning that the infected computers transferred the retrieved data to the log server, where they were saved in a database on this server. The database contained the folders "D7 1/logs" to "D7 5/logs", each of which was assigned to a different member of the group. For the purpose of managing and processing the data, each folder contained the application "D8 Stats". The victims of this scheme did not notice the retrieval of various data sets, since these processes ran in the background of the computer.

The members W1 and A1 were mainly tasked with bank transfers for which they used the data saved on the log-server. They sorted the retrieved sets of data, checked their validity and entered the online accounts of their victims, where they checked the account balance. In case the account had a high balance and a high transfer limit, W1 and A1 chose one of the “drops” provided by H3 and B5. They made sure that the account of the recipient belonged to the same banking association as the account of the victim, to minimize the time of the transfer. Once a match was found, W1 and A1 transferred money to the financial agents by using the phished TANs from the database. This way, approximately 150 transfers were made per week. The members transferring the amounts informed H3 or B5 about which drops they used and how much they transferred. This information was then forwarded to the “drop leaders”.

The “drop leaders” then contacted the financial agents and gave them detailed instructions on when to withdraw the money and which account to forward it to. In cases where the agents acted too slowly or refused to act, the drop leaders pressured them. This could go as far as threatening them by phone or putting the agents on so-called “protection lists”, where they were denounced as fraudsters.

In the time frame relevant to the court, the financial agents were mostly recruited via the websites "G1 D.com", "T2.com" and "T4 .com". Those websites were similar in design and business model, as they all aimed at suggesting that the group was a serious financial service provider trying to minimize the time needed for transfers abroad. The financial agents were allowed to keep 5 to 10% of the amount of each transfer they made. They got an employment contract and personal access to the recruitment website, where they could access training documents and receive messages from the drop leaders.

Independently from the recruitment websites, the group recruited agents via the “N6 complex”, a scheme where agents were told they would work for the firm N6 and had to forward calls. Once the money was illegally transferred to the accounts of the “employees”, they were told the transfer was a mistake and that they should withdraw the money as soon as possible and that the firm would send a courier to pick it up.

In cases where the money was successfully transferred to foreign accounts, the recipients (“naler”) withdrew the money under a false name and reintroduced it in the banking system via a method unknown at the time of the proceedings. Via internet-based transfer systems, which converted fiat money into cryptocurrencies, the amount was transferred back to H3 at a later point in time. However, the amount could still be withdrawn or used to pay online, thereby converting it back to fiat money.

The defendant of the case, I, came into contact with H3 at the end of 2006. In the course of 2007, he became a member of the organized criminal group. He held the position of technical coordinator, which entailed maintaining and improving the necessary systems as well as damage control in case problems occurred. His most important task was the administration and maintenance of the log server and the bot net. The defendant could directly access the server from his computer at home. He was also tasked with deleting data that was not up to date. He generated, installed and shared security certificates regarding the log server with the various members of the organized criminal group, which allowed the members to access the server. The certificates were regularly changed for security reasons. Moreover, he took care of extending the rental contract of the servers and coordinated the further development of the trojans and other malware, so-called “builds”, which he tested subsequently. Regarding the new “builds”, he was assisted by W1 and A1. In case the new versions worked, he ordered a “spam wave” of the updated malware.

Additionally, the defendant was also tasked with money transfers, for which he was assigned the folder "D7 2" of the log server database. He tasked W1 with some of the transfers assigned to him due to a lack of time. He was also in charge of dealing with any transfer problems of H3.

In relation to the financial agents, the defendant rented the servers that hosted the recruitment websites, to which the defendant had a direct admin-access. He also took care of Voice-Over-IP-Systems for the drop leaders, which were used to call the financial agents via the internet directly on their landline without the possibility of tracing the call. He instructed A1 to rent a Virtual-Dedicated-Server for this purpose and to get a refund for the expenses from H3.

Financially, the defendant received 20% of the amounts he transferred himself. He also received compensation for the other responsibilities, the amount of which is, however, unknown to the court.

The organized criminal group continued their phishing operations from the end of 2005 until the arrest of the defendant in 2008. On 13 January 2009, the prosecutor’s office pressed charges against I and L on the grounds of computer fraud, data manipulation, and forming a criminal organization. On 10 June 2009, the proceedings against the two accused were severed in order to speed up the judgment regarding the defendant I.

Sentence Date:
2009-07-07
Author:
The case was summarized by UNODC. This case information has not been shared by official sources of the Federal Republic of Germany.

Cross-Cutting Issues

Liability

... for

• completed offence

... based on

• criminal intention

... as involves

• principal offender(s)

Offending

Details

• involved an organized criminal group (Article 2(a) CTOC)

Electronic Evidence

• Electronic Evidence/Digital Evidence

Procedural Information

Legal System:
Civil Law
Latest Court Ruling:
Court of 1st Instance
Type of Proceeding:
Criminal
 
 
Proceeding #1:
  • Stage:
    first trial
  • Official Case Reference:
    LG Bonn, Urteil vom 07.07.2009, 7 KLs 01/09
  • Court

    Court Title

    Landgericht Bonn

    Please note that decisions of courts of the federal states are not directly binding nationwide.

     

    Location

  • City/Town:
    Bonn
  • Province:
    Nordrhein-Westfalen
  • Criminal

    Description

    The Court mostly established the factual background.

    In the cases in which the defendant transferred the money himself, the Court held that the unauthorized use of the data had affected the result of the data processing. The Court held that the authority of the person interacting with the bank to use the online service was part of the legal basis of the transaction. As the defendant did not have any authority to transfer the money, the Court concluded that the use of the data was unauthorized.

    The Court further held that the cases of fraud which were conducted by other members of the group could be attributed to the defendant as well due to his position in the organized criminal group and his essential contributions to the commission of the offences. The Court further stated that the fraud scheme was committed by members of an organized criminal group in order to obtain a financial benefit.
    The Court did not further examine the charges of data manipulation or forming an organized criminal group.

    Consequently, the defendant was convicted of 37 counts of computer fraud and sentenced to a prison term of four years.

     

    Defendants / Respondents in the first instance

    Defendant:
    I
    Gender:
    Male

    Charges / Claims / Decisions

    Defendant:
    I
    Legislation / Statute / Code:

    §§ 263a Abs. 1, Abs. 2, 263 Absatz 5, 52, 53 StGB

    Charge details:

    Computer fraud (37 counts)

    The computer fraud was undertaken while being a member of an organized criminal group and for a financial benefit.

    Verdict:
    Guilty
    Charge details:

    Data manipulation

    Verdict:
    Acquittal
    Charge details:

    Forming criminal organisations

    Verdict:
    Acquittal
    Term of Imprisonment:
    4 years

    Court

    Landgericht Bonn

    Sources / Citations

    LG Bonn, Urteil vom 07.07.2009, 7 KLs 01/09