A Ukrainian national who is a suspected leader of a group behind the Carbanak and Cobalt malware attacks targeting over a 100 financial institutions worldwide is now under arrest in Alicante, Spain, police said.
Since 2013, this group attempted to attack banks, e-payment systems and financial institutions using pieces of malware they designed, known as Carbanak and Cobalt, police said.
The operation has struck banks in more than 40 countries and resulted in cumulative losses of over $1.25 billion for the financial industry.
The magnitude of the losses is significant: the Cobalt malware alone allowed criminals to steal up to $12.5 million per heist, police said.
The arrest occurred after an investigation conducted by the Spanish National Police, with the support of Europol, the FBI, the Romanian, Belarussian and Taiwanese authorities and private cyber security companies.
Spain’s interior ministry identified the suspect as Ukrainian national “Denis K” and noted he ran the operation with help from three Russian and Ukrainian nationals.
The group started its high-tech criminal activities in late 2013 by launching the Anunak malware campaign that targeted financial transfers and ATM networks of financial institutions around the world, police said. By the following year, the same coders improved the Anunak malware into a more sophisticated version, known as Carbanak, which saw action until 2016. From then onwards, the group focused their efforts into developing an even more sophisticated wave of attacks by using tailor-made malware based on the Cobalt Strike penetration testing software.
In all these attacks, a similar attack mode ended up used. The criminals would send out to bank employees spear phishing emails with a malicious attachment impersonating legitimate companies. Once downloaded, the malicious software allowed the criminals to remotely control the victims’ infected machines, giving them access to the internal banking network and infecting the servers controlling the ATMs. This provided them with the knowledge they needed to cash out the money.
The money was then cashed out by one of the following means:
• ATMs were instructed remotely to dispense cash at a pre-determined time, with the money being collected by organized crime groups supporting the main crime syndicate. When the payment was due, one of the gang members was waiting beside the machine to collect the money being ‘voluntarily’ spit out by the ATM
• The e-payment network was used to transfer money out of the organization and into criminal accounts
• Databases with account information were modified so bank accounts balance would be inflated, with money mules then being used to collect the money.
The criminal profits were also laundered via cryptocurrencies, by means of prepaid cards linked to the cryptocurrency wallets which were used to buy goods such as luxury cars and houses.
International police cooperation coordinated by Europol and the Joint Cybercrime Action Taskforce was central in bringing the perpetrators to justice, with the mastermind, coders, mule networks, money launderers and victims all located in different geographical locations around the world.
Europol’s European Cybercrime Centre (EC3) facilitated the exchange of information, hosted operational meetings, provided digital forensic and malware analysis support and deployed experts on-the-spot in Spain during the action day.
The private-public partnership with the European Banking Federation (EBF), the banking industry as a whole and the private security companies was also vital.
“This is the first time that the EBF has actively cooperated with Europol on a specific investigation,” said Wim Mijs, chief executive of the European Banking Federation. “It clearly goes beyond raising awareness on cybersecurity and demonstrates the value of our partnership with the cybercrime specialists at Europol. Public-private cooperation is essential when it comes to effectively fighting digital cross border crimes like the one that we are seeing here with the Carbanak gang.”
“This global operation is a significant success for international police cooperation against a top level cybercriminal organization,” said Steven Wilson, head of Europol’s European Cybercrime Centre (EC3). “The arrest of the key figure in this crime group illustrates that cybercriminals can no longer hide behind perceived international anonymity. This is another example where the close cooperation between law enforcement agencies on a worldwide scale and trusted private sector partners is having a major impact on top level cybercriminality.”