
Police arrest €1bn cyber heist mastermind

Police have arrested a key member of the Carbanak gang believed to be responsible for more than 100 cyber heists worldwide

The leader of the crime gang behind malware attacks targeting over 100 financial institutions worldwide has been arrested in Alicante, Spain.

The arrest follows a complex investigation conducted by the Spanish National Police, with the support of Europol, the FBI, the Romanian, Belarusian and Taiwanese authorities, private cyber security companies, and the European Banking Federation (EBF).

Since 2013, the cyber crime gang has attempted to attack banks, e-payment systems and financial institutions using pieces of malware they designed, known as Carbanak and Cobalt.

The criminal operation has targeted banks in more than 40 countries and has resulted in cumulative losses of more than €1bn for the financial industry, according to Europol, with the Cobalt malware enabling criminals to steal up to €10m per heist.

The international police cooperation was coordinated by Europol and the international Joint Cybercrime Action Taskforce, with Europol’s European Cybercrime Centre (EC3) facilitating the exchange of information, hosting operational meetings, providing digital forensic and malware analysis support, and deploying experts in Spain. The close private-public partnership with the EBF, the banking industry as a whole and the private security companies was also key to the success of this investigation.

Steven Wilson, head of EC3, said the operation is another example where the close cooperation between law enforcement agencies on a worldwide scale and trusted private sector partners is having a major impact on top-level cyber criminality.

“This global operation is a significant success for international police cooperation against a top-level cyber criminal organisation. The arrest of the key figure in this crime group illustrates that cyber criminals can no longer hide behind perceived international anonymity,” he said.


Wim Mijs, chief executive officer of the EBF, said it was the first time the organisation had actively cooperated with Europol on a specific investigation.

“It clearly goes beyond raising awareness on cyber security and demonstrates the value of our partnership with the cyber crime specialists at Europol. Public-private cooperation is essential when it comes to effectively fighting digital cross-border crimes like the one we are seeing here with the Carbanak gang,” he said.

At the request of Europol’s EC3 unit, Mijs said the Cyber Security Working Group of the EBF coordinated the engagement of the European banking sector with police investigators and leveraged its network of cyber security specialists in the European banking sector to help banks identify the cyber robberies and trace the financial flows.

Cooperating with police at industry level

Keith Gross, chair of the EBF Cyber Security Working Group, said the operation shows what can be achieved by cooperating with police investigators at an industry level. “We all know too well that cyber crime increasingly is a global issue that can only be dealt with through international cooperation and trusted networks,” he said.

The Carbanak gang has been linked to the Anunak malware campaign dating back to late 2013 that targeted financial transfers and ATM networks of financial institutions around the world.

By 2014, the same coders had improved the Anunak malware into a more sophisticated version, known as Carbanak, which was used until 2016. From then onwards, the crime syndicate focused its efforts on developing an even more sophisticated wave of attacks using tailor-made malware based on the Cobalt Strike penetration testing software.

Spear phishing

In all these attacks, a similar modus operandi was used, according to Europol. The criminals would send bank employees spear phishing emails, impersonating legitimate companies, that carried a malicious attachment.

Once downloaded, the malicious software allowed the criminals to remotely control the victims’ infected machines, giving them access to the internal banking network and infecting the servers controlling the ATMs. This provided them with the knowledge they needed to cash out the money.

The money was then cashed out in various ways:

  1. ATMs were instructed remotely to dispense cash at a pre-determined time, with the money being collected by organised crime groups supporting the main crime syndicate.
  2. The e-payment network was used to transfer money out of the organisation and into criminal accounts.
  3. Databases with account information were modified so that bank account balances would be inflated, with money mules then being used to collect the money.
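One defensive check that follows from the third cash-out method above, as an added example that is not part of the article or of any bank's systems: recompute every account's balance from its append-only transaction ledger and flag stored balances the ledger does not explain, which is exactly what a direct edit of the account table leaves behind. The account table, ledger entries and account IDs are constructed sample data.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample data (not from the article): the account table as it would
# look after someone edited a stored balance directly in the database, and the
# transaction ledger that should account for every balance in that table.
ACCOUNTS = {
    "ACC-1001": Decimal("1500.00"),
    "ACC-1002": Decimal("250000.00"),  # tampered: the ledger only supports 2000.00
    "ACC-1003": Decimal("0.00"),
}

LEDGER = [
    # (account, signed amount, reference)
    ("ACC-1001", Decimal("2000.00"), "salary"),
    ("ACC-1001", Decimal("-500.00"), "card payment"),
    ("ACC-1002", Decimal("2000.00"), "transfer in"),
    ("ACC-1003", Decimal("0.00"), "account opened"),
]


def ledger_balances(ledger):
    """Recompute each account's balance from its ledger entries alone."""
    totals = defaultdict(lambda: Decimal("0"))
    for account, amount, _reference in ledger:
        totals[account] += amount
    return dict(totals)


def find_unexplained_balances(accounts, ledger):
    """Return {account: (stored, ledger_sum)} for every account whose stored
    balance differs from the sum of its ledger entries. An account with no
    ledger entries at all is compared against a ledger sum of zero, so a
    balance that appeared without any transaction is also reported."""
    computed = ledger_balances(ledger)
    mismatches = {}
    for account, stored in accounts.items():
        expected = computed.get(account, Decimal("0"))
        if stored != expected:
            mismatches[account] = (stored, expected)
    return mismatches


if __name__ == "__main__":
    for acct, (stored, expected) in find_unexplained_balances(ACCOUNTS, LEDGER).items():
        print(f"{acct}: stored balance {stored} but ledger supports only {expected}")
```

Run as a scheduled reconciliation, the check turns a silent balance edit into an alert before mules can withdraw against it.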

Europol said the criminal profits were also laundered via cryptocurrencies using prepaid cards linked to the cryptocurrency wallets which were used to buy goods such as luxury cars and houses.
