The leader of a cybercriminal gang who spearheaded the Carbanak and Cobalt malware attacks that targeted over 100 financial institutions worldwide has been arrested in Alicante, Spain. The Spanish National Police worked in partnership with Europol, the FBI, and Romanian, Moldovan, Belarusian and Taiwanese authorities, along with several private cybersecurity firms.
The cybercrime gang has been active since 2013 using Carbanak and Cobalt, two pieces of malware it designed. It has operated in over forty countries, targeting banks, e-payment systems and financial institutions, leading to cumulative losses of over 1 billion Euros for the financial sector. The Cobalt malware alone saw the group stealing up to 10 million Euros per heist.
The first malware the organized crime group launched, back in late 2013, was called Anunak. Anunak targeted financial transfers and ATM networks worldwide. In 2014, the coders developed a more sophisticated version of the malware known as Carbanak, which was in deployment until 2016. At that point, the group focused their efforts on making an even more sophisticated type of malware based on the Cobalt Strike penetration testing software.
A similar modus operandi was used in all their operations. A spear phishing email impersonating a legitimate company would be sent to bank employees with a malicious attachment. Once the employee had downloaded the attachment, the malicious software allowed the gang to remotely control the target machine, giving them access to the bank's wider network and allowing them to infect the servers controlling the ATMs.
The money was then cashed out in one of three ways: (i) the ATMs were programmed to dispense cash at a certain time, with the money then collected by organized crime groups supporting the main cybercriminal gang; (ii) the gang used the e-payment network to transfer money into their accounts; (iii) they would modify databases with account information, inflating bank balances, then using money mules to collect the money.
Profits were often laundered via cryptocurrencies. Prepaid cards were linked to cryptocurrency wallets and then used to purchase luxury goods.
The investigation into the perpetrators involved significant international collaboration. Europol and the Joint Cybercrime Action Taskforce worked to locate all the different strands of the criminal network: the mastermind, coders, mule networks, money launderers and victims, each located in different geographical locations.
Europol’s European Cybercrime Centre (EC3) also worked with Spanish national authorities, as did the European Banking Federation.
Wim Mijs, Chief Executive Officer of the European Banking Federation, said: “This is the first time that the EBF has actively cooperated with Europol on a specific investigation. It clearly goes beyond raising awareness on cybersecurity and demonstrates the value of our partnership with the cybercrime specialists at Europol. Public-private cooperation is essential when it comes to effectively fighting digital cross border crimes like the one that we are seeing here with the Carbanak gang.”
Steven Wilson, Head of Europol’s European Cybercrime Centre (EC3), said: “This global operation is a significant success for international police cooperation against a top level cybercriminal organisation. The arrest of the key figure in this crime group illustrates that cybercriminals can no longer hide behind perceived international anonymity. This is another example where the close cooperation between law enforcement agencies on a worldwide scale and trusted private sector partners is having a major impact on top level cybercriminality.”