The original GameOver ZeuS was propagated through spam emails containing links to websites that would download the malware onto the victim's computer.
The botnet's activities were additionally directed by an organized crime group headed by Bogachev and referring to itself as the "business club", which was primarily based in Russia and Eastern Europe.
The syndicate further complicated attempts to combat it by law enforcement and security researchers using a large money laundering network and DDoS attacks, used as both retaliation and as a form of distraction during thefts.
In 2014, the original GameOver ZeuS botnet was shut down by a collaboration between several countries' law enforcement and private cybersecurity firms, named Operation Tovar.[10]
Cybersecurity researcher Brett Stone-Gross, who was brought on by the Federal Bureau of Investigation to analyze GameOver ZeuS, similarly acknowledged that the botnet was well secured against the efforts of law enforcement and security experts.[22]
The interface controlling the botnet could be used to read data logged by the bots and execute commands, including custom scripts.[26]
Botnet managers did not need to use the token grabber panel, as they were allowed to load their own scripts to use against infected systems, with the caveat that they could not attack Russian computers.[20]
GOZ was spread using spam emails impersonating various groups such as online retailers, financial institutions, and cell phone companies.[36]
Beginning in November 2011, the operators of GOZ would conduct DDoS attacks against banking websites if they were stealing a large amount of money, in order to prevent the victim from logging in and to create a diversion.[25]
The final destination of most money mule transfers was shell companies based in Raohe County and the city of Suifenhe, two regions in China's Heilongjiang province on the Russia-China border.[39]
In 2013, the business club began to use GameOver ZeuS to distribute CryptoLocker, a piece of ransomware that encrypted the contents of victim computers and demanded payment in prepaid cash vouchers or bitcoin in exchange for a decryption key.[41]
Journalist Garrett Graff has also suggested that ransomware served to "transform dead weight into profit" by extracting money from victims whose bank balances were too small to warrant directly stealing from.[35]
The amount of money Bogachev and associates made from CryptoLocker is unclear; Wolff claimed that in a one-month period from October to December 2013 alone, $27 million was stolen.[43]
Wolff has argued that GameOver ZeuS's legacy lies not in its innovative P2P botnet structure, but in the precedent it set in CryptoLocker for future ransomware attacks.[44]
Analysis of the botnet has uncovered attempts to search for secret and sensitive information on compromised computers, particularly in Georgia, Turkey, Ukraine,[45] and the United States, leading experts to believe that GameOver ZeuS was also used for espionage on behalf of the Russian government.
It is unclear who was responsible for the espionage operations; while security researcher Tillman Werner, who helped to take down the original GOZ botnet, has suggested the possibility of a partner or client being involved, Michael Sandee, another participant in the takedown operation, has claimed that Bogachev was primarily or solely responsible, arguing that he had sole access to the malware's surveillance protocols and that, because his circle of criminal associates included Ukrainians, he would have had to keep the espionage secret.[48]
Sandee has speculated that the botnet's usage for espionage afforded Bogachev "a level of protection" that can explain why he has yet to be apprehended,[49] despite living openly and under his own name in Russia.[50]
Jabber Zeus was run by an organized crime syndicate, of which Bogachev was a key member, that had largely dissolved in 2010 due to police action.
Security researchers viewed the move with skepticism, as Bogachev had on multiple previous occasions announced his retirement only to return with an improved version of Zeus.[27]
Planning for Operation Tovar began in 2012, with the Federal Bureau of Investigation beginning to work together with private cybersecurity firms to combat GOZ.[57]
By 2014,[28] authorities in the United Kingdom had also provided the FBI with information regarding a GOZ-controlled server in the UK containing records of fraudulent transactions.
The information in the server, combined with interviews with former money mules, allowed the FBI to begin to understand GOZ's botnet infrastructure.[1][d]
Five weeks after Operation Tovar was executed, security company Malcovery announced that it had discovered a new GOZ strain being transmitted through spam emails.
Despite sharing around ninety percent of its code base with previous GOZ versions, the new malware did not establish a peer-to-peer botnet, opting instead to create a botnet structure using fast flux, a technique where phishing and malware delivery sites are obscured behind a rapidly changing array of compromised systems acting as proxies.
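The fast-flux pattern described above is visible to defenders in DNS telemetry: a name whose A records carry short TTLs and are replaced with fresh addresses on nearly every query. The following added example (not code from the article or from any of the parties it describes) scores a series of resolution snapshots for that behaviour; the snapshot format, thresholds and sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from statistics import mean

# Added example, not code from the original article. Record format and
# thresholds are assumptions; the sample resolutions are constructed using
# TEST-NET addresses and are not observed infrastructure.

@dataclass(frozen=True)
class Snapshot:
    t: int              # seconds since the first query of this name
    ttl: int            # TTL returned with the A records
    ips: frozenset      # A records present in this answer

def flux_metrics(snaps, window=3600):
    """Summarise one hostname's A records over the last `window` seconds:
    distinct addresses seen, mean TTL, and mean churn (fraction of the
    answer set replaced between consecutive queries; 0 means stable)."""
    snaps = sorted(snaps, key=lambda s: s.t)
    if len(snaps) < 2:
        return None
    recent = [s for s in snaps if s.t >= snaps[-1].t - window]
    if len(recent) < 2:
        return None
    distinct = set().union(*(s.ips for s in recent))
    churn = []
    for a, b in zip(recent, recent[1:]):
        union = a.ips | b.ips
        churn.append(1 - len(a.ips & b.ips) / len(union) if union else 0.0)
    return {"distinct_ips": len(distinct),
            "mean_ttl": mean(s.ttl for s in recent),
            "mean_churn": mean(churn)}

def looks_fast_flux(snaps, max_ttl=300, min_ips=10, min_churn=0.5):
    """Flag a name whose records are short-lived, numerous and constantly
    swapped out, the signature a rotating proxy network leaves in DNS."""
    m = flux_metrics(snaps)
    return bool(m) and m["mean_ttl"] <= max_ttl and \
        m["distinct_ips"] >= min_ips and m["mean_churn"] >= min_churn

# Constructed sample: five proxies drawn from a pool of thirty, rotated
# every five minutes with a one-minute TTL ...
FLUX = [Snapshot(t=i * 300, ttl=60,
                 ips=frozenset(f"203.0.113.{(i * 5 + k) % 30 + 1}"
                               for k in range(5))) for i in range(12)]
# ... versus a name that always answers with the same two long-lived records.
STABLE = [Snapshot(t=i * 300, ttl=3600,
                   ips=frozenset({"198.51.100.10", "198.51.100.11"}))
          for i in range(12)]

if __name__ == "__main__":
    for name, snaps in (("rotating", FLUX), ("stable", STABLE)):
        print(name, looks_fast_flux(snaps), flux_metrics(snaps))
```

In practice the thresholds should be tuned against known-good CDN and load-balanced names, which also return multiple short-TTL records but reuse a small, stable pool rather than cycling through a large one.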