Europol tracks down suspected leader of Carbanak malware campaigns

The suspect is potentially behind cyberattacks against over 100 financial institutions worldwide.
Written by Charlie Osborne, Contributing Writer

The suspected leader of a criminal ring responsible for the theft of over €1 billion from financial institutions has been arrested.

The suspect, arrested in Alicante, Spain, is potentially the mastermind behind the Carbanak and Cobalt malware campaigns, which claimed over 100 banks and financial organizations as victims.

According to Europol, the cybercriminals have been active since 2013, striking banks in over 40 countries in order to steal at least €1 billion, estimated at roughly €10 million per successful heist.

The arrest was made following an investigation by Europol, the Spanish National Police, the FBI, the Romanian, Belarusian and Taiwanese authorities, and third-party cybersecurity firms.

Europol says the group first made its way into the financial crime scene by spreading the Anunak malware, a Trojan whose code later supplied part of the Carbanak source code used in targeted attacks against banks.

This malware later evolved into the now well-known Carbanak strain, which was used until 2016.

The group behind the malware, tracked as FIN7, infected systems through spear phishing in order to spy on staff, watch how they transferred cash, and then mimic those techniques to transfer funds fraudulently without being discovered.

After 2016, the threat actors extended their reach with malware based on the Cobalt Strike penetration testing software, which also permitted remote control of victim PCs and led to the infection of the servers that control ATMs.

Stolen funds were cashed out through the remote control of ATMs: dispensers were forced to spew out cash at particular times, when money mules would be waiting nearby to collect the money.

E-payment networks were used to transfer money out of the victim organization and into accounts controlled by the attackers, and databases with account information were also modified to inflate bank balances.

Profits were laundered through the purchase and exchange of cryptocurrencies. According to law enforcement, virtual coins were linked to prepaid cards to buy luxury goods including vehicles and property.

"This global operation is a significant success for international police cooperation against a top level cybercriminal organization," said Steven Wilson, Head of Europol's European Cybercrime Centre (EC3). "The arrest of the key figure in this crime group illustrates that cybercriminals can no longer hide behind perceived international anonymity. This is another example where the close cooperation between law enforcement agencies on a worldwide scale and trusted private sector partners is having a major impact on top level cybercriminality."
