The leader of the crime gang behind the Carbanak and Cobalt malware attacks that targeted more than 100 financial institutions worldwide and stole more than €1 billion from banks, e-payment systems and financial institutions in more than 40 countries has been arrested in Alicante, Spain.
In a press release today, Europol said the arrest followed a complex investigation conducted by the Spanish National Police, with the support of Europol; the U.S. FBI; the Romanian, Belarussian and Taiwanese authorities; and private cybersecurity companies.
In 2013 the gang launched the Anunak malware campaign that targeted financial transfers and ATM networks of financial institutions around the world. A year later it had been improved, and as Carbanak, it was used in until 2016. Then an even more sophisticated wave of attacks was launched using tailor-made malware based on the Cobalt Strike penetration testing software. Cobalt malware alone was responsible for thefts of up to € 10 million per heist.
In each of the attacks the criminals would spearphish bank employees with a n email containing a malicious attachment impersonating legitimate companies. Once downloaded, the malware allowed the criminals to remotely control the victims' infected machines, giving them access to the internal banking network and infecting the servers controlling the ATMs. This provided them with the knowledge they needed to cash out the money.
The money was cashed out in various ways:
- ATMs were instructed remotely to dispense cash at a pre-determined time, with the money being collected by organised crime groups supporting the main crime syndicate: when the payment was due, one of the gang members was waiting beside the machine to collect the money being ‘voluntarily' spit out by the ATM;
- The e-payment network was used to transfer money out of the organisation and into criminal accounts;
- Databases with account information were modified so bank accounts balance would be inflated, with money mules then being used to collect the money.
The criminal profits were also laundered via cryptocurrencies using prepaid cards linked to the cryptocurrency wallets which were used to buy goods such as luxury cars and houses.
International police cooperation coordinated by Europol and the Joint Cybercrime Action Taskforce is reported to have been central in bringing the perpetrators to justice, with the mastermind, coders, mule networks, money launderers and victims all located in different geographical locations around the world.
Europol's European Cybercrime Centre (EC3) facilitated the exchange of information, hosted operational meetings, provided digital forensic and malware analysis support and deployed experts on-the-spot in Spain during the action day.
The close private-public partnership with the European Banking Federation (EBF), the banking industry as a whole and the private security companies was also paramount in the success of this complex investigation according to a Europol statement.
Wim Mijs, chief executive officer of the European Banking Federation, said: "This is the first time that the EBF has actively cooperated with Europol on a specific investigation. It clearly goes beyond raising awareness on cyber-security and demonstrates the value of our partnership with the cyber-crime specialists at Europol. Public-private cooperation is essential when it comes to effectively fighting digital cross border crimes like the one that we are seeing here with the Carbanak gang."
Steven Wilson, head of Europol's European Cybercrime Centre (EC3), said: "This global operation is a significant success for international police cooperation against a top level cyber-criminal organisation. The arrest of the key figure in this crime group illustrates that cyber-criminals can no longer hide behind perceived international anonymity. This is another example where the close cooperation between law enforcement agencies on a worldwide scale and trusted private sector partners is having a major impact on top level cyber-criminality."