After a four year investigation, Europol announced it has arrested the suspected leader of a crime syndicate that stole $1.2 billion from over 100 banks in more than 40 countries using malware. According to Europol, the suspect was arrested by the Spanish National Police in Alicante, Spain, with support from the FBI, Romanian, Belarusian, and Taiwanese authorities, along with cybersecurity companies.
The leader of the crime gang behind the Carbanak and Cobalt malware attacks targeting over a 100 financial institutions worldwide has been arrested in Alicante, Spain, after a complex investigation conducted by the Spanish National Police, with the support of Europol, the US FBI, the Romanian, Moldovan, Belarussian and Taiwanese authorities and private cyber security companies.
Since 2013, the cybercrime gang have attempted to attack banks, e-payment systems and financial institutions using pieces of malware they designed, known as Carbanak and Cobalt. The criminal operation has struck banks in more than 40 countries and has resulted in cumulative losses of over EUR 1 billion for the financial industry. The magnitude of the losses is significant: the Cobalt malware alone allowed criminals to steal up to EUR 10 million per heist.
The organised crime group started its high-tech criminal activities in late 2013 by launching the Anunak malware campaign that targeted financial transfers and ATM networks of financial institutions around the world. By the following year, the same coders improved the Anunak malware into a more sophisticated version, known as Carbanak, which was used in until 2016. From then onwards, the crime syndicate focused their efforts into developing an even more sophisticated wave of attacks by using tailor-made malware based on the Cobalt Strike penetration testing software.
In all these attacks, a similar modus operandi was used. The criminals would send out to bank employees spear phishing emails with a malicious attachment impersonating legitimate companies. Once downloaded, the malicious software allowed the criminals to remotely control the victims’ infected machines, giving them access to the internal banking network and infecting the servers controlling the ATMs. This provided them with the knowledge they needed to cash out the money.
The money was then cashed out by one of the following means:
- ATMs were instructed remotely to dispense cash at a pre-determined time, with the money being collected by organised crime groups supporting the main crime syndicate: when the payment was due, one of the gang members was waiting beside the machine to collect the money being ‘voluntarily’ spit out by the ATM;
- The e-payment network was used to transfer money out of the organisation and into criminal accounts;
- Databases with account information were modified so bank accounts balance would be inflated, with money mules then being used to collect the money.
The criminal profits were also laundered via cryptocurrencies, by means of prepaid cards linked to the cryptocurrency wallets which were used to buy goods such as luxury cars and houses.
International police cooperation
International police cooperation coordinated by Europol and the Joint Cybercrime Action Taskforce was central in bringing the perpetrators to justice, with the mastermind, coders, mule networks, money launderers and victims all located in different geographical locations around the world.
Europol’s European Cybercrime Centre (EC3) facilitated the exchange of information, hosted operational meetings, provided digital forensic and malware analysis support and deployed experts on-the-spot in Spain during the action day.
The close private-public partnership with the European Banking Federation (EBF), the banking industry as a whole and the private security companies was also paramount in the success of this complex investigation.
Wim Mijs, Chief Executive Office of the European Banking Federation, said: “This is the first time that the EBF has actively cooperated with Europol on a specific investigation. It clearly goes beyond raising awareness on cybersecurity and demonstrates the value of our partnership with the cybercrime specialists at Europol. Public-private cooperation is essential when it comes to effectively fighting digital cross border crimes like the one that we are seeing here with the Carbanak gang.”
Steven Wilson, Head of Europol’s European Cybercrime Centre (EC3), said: “This global operation is a significant success for international police cooperation against a top level cybercriminal organisation. The arrest of the key figure in this crime group illustrates that cybercriminals can no longer hide behind perceived international anonymity. This is another example where the close cooperation between law enforcement agencies on a worldwide scale and trusted private sector partners is having a major impact on top level cybercriminality.”