175: Bayrob

Summary of 175: Bayrob

by Jack Rhysider

1h 36m · June 2, 2026

Overview of Darknet Diaries Episode 175: Bayrob

This episode tells the long, intricate story of BayRob, a sophisticated malware-fueled eBay fraud operation that began as a relatively small scam and grew into a massive international cybercrime ring. What makes the story remarkable is not just the scale of the fraud, but the 10-year investigation required to dismantle it. The case involved malware reverse engineering, proxy chains, encrypted communications, undercover-style buying, forensic analysis, law enforcement coordination across countries, and a rare courtroom victory against highly disciplined cybercriminals.

What BayRob Did

BayRob was malware that infected victims’ computers and hijacked their eBay sessions. When a victim went to eBay, the malware could:

  • inject fake auction information into the real eBay page as it loaded in the browser
  • make the fake content look legitimate, since it appeared under eBay’s genuine URL rather than on a look-alike domain
  • impersonate eBay support through an injected chat window
  • trick victims into wiring money to money mules instead of to real sellers

The early version targeted users trying to buy cars on eBay. Liam O’Murchu of Symantec named it BayRob because it was “robbing eBay customers.”

How the Malware and Fraud Operation Worked

BayRob became much more than a simple browser hijacker. The group built a layered criminal infrastructure:

Infection and delivery

  • Victims were lured in through phishing emails and Craigslist posts
  • The malware was often distributed through scams involving fake car sales

Obfuscation and routing

The operators hid their identity using a complex routing system:

  • other people’s Wi-Fi networks, reached with directional antennas
  • Tor
  • infected victim machines used as proxies
  • commercial services and open relays
  • encrypted chats and emails

Advanced operational security

The group took extraordinary precautions:

  • multiple layers of encryption on their laptops
  • custom encryption software
  • TrueCrypt containers
  • no direct communication from home networks
  • screenshot checks before using infected machines in their proxy chain
  • geofencing fraud activity to specific countries and regions
  • turning logging on and off as needed

At its peak, the botnet grew to around 450,000 infected machines.

Liam O’Murchu’s Investigation at Symantec

Liam O’Murchu, a malware analyst at Symantec and one of the key people behind the early Stuxnet analysis, became the central technical investigator in this case.

Key discoveries

  • BayRob was not ordinary malware; it was built for eBay fraud
  • The attackers used infected machines as a distributed proxy network
  • Their traffic could be traced only through patient monitoring over long periods
  • A major breakthrough came when he deliberately infected a machine in Romania and, once it was part of the proxy chain, began seeing traffic from the attackers’ side of it
  • He found that the malware did not move on to its later stages until it had been on an infected machine for 30 days
  • He captured a critical attachment sent unencrypted over Jabber (the rest of the group’s chat was encrypted) that revealed:
    • victim names
    • money mule information
    • transaction breakdowns
    • revenue splits among group members
  • One screenshot exposed an attacker’s desktop, showing:
    • the botnet control panel
    • a Facebook campaign
    • a hacked account
    • malware operations in progress

Liam’s work produced signatures, indicators, and a public write-up that helped others recognize and detect the threat.
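The proxy-chain monitoring described above is where a sensor node pays off: once a machine you control sits inside the botnet’s relay layer, each inbound connection it receives can be paired with the outbound connection it opens moments later, and the inbound side of those pairs is the upstream of the chain. The Python below is an added illustration of that pairing written for this summary, not Symantec’s or the episode’s tooling; the flow records, IP addresses (RFC 5737 documentation ranges), timings and the five-second pairing window are all constructed assumptions.

```python
"""Relay detection over constructed flow records from a monitored sensor
machine that has been allowed to join a proxy network.

Added illustration for this summary; the record format, IPs and timings are
constructed and the pairing heuristic is ours, not Symantec's or the FBI's.
"""
from collections import Counter
from datetime import datetime, timedelta

# Each record: (timestamp, direction, remote_ip, remote_port).
# "in"  = a remote host connected to the sensor
# "out" = the sensor connected out to a remote host
SAMPLE_FLOWS = [
    # Upstream peer connects, sensor immediately opens a connection elsewhere:
    ("2009-03-01T10:00:00", "in", "198.51.100.7", 51012),
    ("2009-03-01T10:00:01", "out", "203.0.113.20", 443),
    ("2009-03-01T10:05:10", "in", "198.51.100.7", 51044),
    ("2009-03-01T10:05:11", "out", "203.0.113.21", 443),
    ("2009-03-01T10:07:30", "in", "198.51.100.7", 51090),
    ("2009-03-01T10:07:32", "out", "203.0.113.20", 80),
    # A second upstream peer later in the day:
    ("2009-03-01T14:30:00", "in", "198.51.100.42", 40001),
    ("2009-03-01T14:30:01", "out", "203.0.113.55", 443),
    # Unrelated inbound probe with no follow-up connection (not a relay):
    ("2009-03-01T12:00:00", "in", "192.0.2.50", 33333),
    # The sensor's own outbound traffic, not preceded by an inbound connection:
    ("2009-03-01T16:00:00", "out", "203.0.113.99", 443),
]


def parse(records):
    """Parse timestamps and sort the records chronologically."""
    return sorted(
        ((datetime.fromisoformat(ts), d, ip, port) for ts, d, ip, port in records),
        key=lambda r: r[0],
    )


def find_relays(records, window=timedelta(seconds=5)):
    """Return (upstream_ip, target_ip, delay_seconds) for every inbound
    connection the sensor answered with an outbound connection within
    `window`. Inbound flows with no such follow-up are ignored, as are
    outbound flows that nothing inbound preceded."""
    flows = parse(records)
    relays = []
    for i, (ts, direction, ip, _port) in enumerate(flows):
        if direction != "in":
            continue
        for later_ts, later_dir, later_ip, _p in flows[i + 1:]:
            if later_ts - ts > window:
                break  # nothing followed quickly enough; not relayed
            if later_dir == "out":
                relays.append((ip, later_ip, (later_ts - ts).total_seconds()))
                break
    return relays


def upstream_peers(relays):
    """Count how often each upstream IP used the sensor as a relay. The
    persistent, repeated peers are the operator side worth watching."""
    return Counter(up for up, _target, _delay in relays)


if __name__ == "__main__":
    relays = find_relays(SAMPLE_FLOWS)
    for up, target, delay in relays:
        print(f"{up} -> sensor -> {target} ({delay:.0f}s later)")
    print(upstream_peers(relays).most_common())
```

A single relay event proves little; it is the `upstream_peers` counter accumulated over weeks of collection that separates the hosts that keep driving the relay from one-off probes, which is the point of the long, patient monitoring the episode describes.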

The FBI Investigation

The FBI got involved after a victim reported being scammed and then realized her machine was infected. Special Agent Stacey Whitaker opened the case in Cleveland and stuck with it for years.

Major investigative challenges

  • most communications were encrypted
  • the attackers used multiple proxy layers
  • money was moved through a global network of money mules
  • the group kept changing infrastructure and locations
  • the FBI initially lacked sufficient legal and technical leverage

Key investigative partners

  • Stacey Whitaker — FBI
  • Ryan McFarlane — FBI cyber agent
  • Brian Levine — DOJ prosecutor
  • Liam O’Murchu — Symantec
  • Owen Miller — AOL CERT

Why AOL mattered

Owen Miller at AOL helped because the criminals used AOL accounts and network access as part of their routing and communication strategy. A critical slip-up occurred when one attacker typed an email address tied to his real identity into a login form that was submitted in the clear, and that one captured value helped connect the dots from the pseudonymous operator to a real person.

How the Case Broke Open

The investigation turned on tiny mistakes and patient, long-term collection.

Breakthroughs included:

  • a rare unencrypted Jabber attachment
  • logs from an attacker’s phone
  • a travel/photo pattern that matched account activity
  • direct evidence linking one suspect to “Master Fraud”
  • surveillance and device imaging at U.S. border entry
  • evidence from Romanian searches of homes and equipment

The three main operators were ultimately identified as:

  • Bogdan Nicolescu — “Master Fraud”
  • Tiberiu Dinette / Dinet — “A Mighty SA”
  • Radu Miclaus — “Minolta” / “Radu SPR”

The Takedown

The U.S. and Romanian authorities coordinated a synchronized arrest and extradition operation.

What they found

  • stolen Wi-Fi setups
  • directional antennas
  • fully hardened laptops
  • multiple encrypted partitions and containers
  • custom-built encryption software
  • a highly organized cybercrime toolkit

Even after seizure, some of the systems have never been decrypted. In particular, the FBI still holds encrypted data on those machines, believed to be cryptocurrency-related, that may hold significant value.

Trial, Sentencing, and Outcome

The prosecution built a jury-friendly narrative from years of technical evidence, victim statements, infrastructure data, and testimony from former co-conspirators.

Sentences

  • Tiberiu Dinet — 10 years
  • Radu Miclaus — 18 years
  • Bogdan Nicolescu / Master Fraud — 20 years

Scale of the crime

  • over 1,000 victims identified from the eBay fraud alone
  • approximately $4 million directly defrauded from victims
  • estimated $40 million total over the life of the operation
  • botnet of up to 450,000 computers

Key Takeaways

  • Good OPSEC slows investigators down, but doesn’t make a case impossible.
  • Tiny mistakes — an unencrypted attachment, a login slip, a travel-photo mismatch — can unravel years of secrecy.
  • Cybercrime investigations often require multi-agency, multi-country persistence.
  • Victims can be highly intelligent and still be deceived by convincing social engineering.
  • Money mule networks are a crucial part of many fraud operations, and they blur the line between victim and participant.
  • The FBI’s success here came from patience, long-term monitoring, and collaboration more than any single breakthrough.

Final Reflection

This episode is a standout example of how a cybercrime case can evolve from a single malware sample into a full international criminal prosecution. What began as eBay fraud became a lesson in investigative persistence, technical attribution, and the reality that even the most careful attackers eventually leak enough information to be caught.