Europol has recently arrested a gang of Russian and Ukrainian hackers around Denis K. in Spain, who looted about 1.24 billion euros with their malware. After capturing the cash, the cybercriminals exchanged it into Bitcoin and later invested it in Spanish real estate or expensive cars.
In Alicante, Spain, Europol staff have recently arrested several suspects who attacked around 100 banks internationally with malware for more than five years. The cybercriminals' scheme was always the same: they sent e-mails to bank employees with an innocuous-looking attachment infected with the malicious software Carbanak or Cobalt. The gang employed its own programmers, who improved the malware or adapted it to the requirements of each bank. Once the attachment was opened, the malware automatically installed itself on the bank's servers and spread from branch to branch. The criminals wanted to get full access to the bank's accounts and ATMs. The hackers artificially credited checking accounts with a balance, so that couriers could empty the ATMs once the technical infrastructure had been taken over. Immediately thereafter, the cash was exchanged into Bitcoin to complicate the work of the investigators.
Almost every bank was affected
According to the Spanish Ministry of the Interior, there was practically no financial institution in Spain that was not affected by the hackers' attacks. At ATMs in Madrid alone, accomplices withdrew around half a million euros without authorization. The attacks were not local, however: according to Kaspersky Lab, they took place in about 30 countries. The gang members even employed their own money launderers to cover their tracks. In addition to the FBI, police from Spain, Romania, Belarus and Taiwan were involved for several years in identifying the people behind the attacks. Europol coordinated the action, which was actively supported by several IT security companies.
A signal to other hackers?
Europol wants the arrest to send a signal. The perpetrators should be aware that cybercriminals can no longer feel safe in international anonymity. Europol cybercrime investigator Steven Wilson commented on the arrest. The gang already had several imitators. For example, security researchers from Kaspersky Lab discovered two groups in 2016 that were very similar to Carbanak: Metel and GCMAN. The two groups attacked financial organizations using covert reconnaissance and malware, along with new, innovative cash-out schemes. Other actors, such as Lazarus and Silence, also use techniques, tactics and procedures modeled on Carbanak.