€1 billion bank robbery malware head arrestedThe head of a cybercrime family that made €1 billion from banks through its own malware has been arrested in Alicante, Spain. The Carbanak and Cobalt malware has been used to attack international banks in over 40 countries since 2013.

The investigation was led by the Spanish National Police, with the support of Europol, the US FBI, the Romanian, Belarussian and Taiwanese authorities and private cyber security companies.

Steven Wilson, Head of Europols European Cybercrime Centre (EC3), said: “This global operation is a significant success for international police cooperation against a top level cybercriminal organisation.

“The arrest of the key figure in this crime group illustrates that cybercriminals can no longer hide behind perceived international anonymity. This is another example where the close cooperation between law enforcement agencies on a worldwide scale and trusted private sector partners is having a major impact on top level cybercriminality.”

How did the malware campaign work?

Steven Wilson, Head of Europol’s European Cybercrime Centre
Steven Wilson, Head of Europol’s European Cybercrime Centre

The attacks were simple and effective. To get the malware into the bank systems:

  • Spear phishing emails were sent to bank employees. If they opened the emails then malware was installed on their computers.
  • The malware then migrated from the local computer to the banks internal network. This allows the hackers to take control of the servers and to control the behaviour of ATMs.

There were three ways the money was stolen:

  • Money was transferred into bank accounts controlled by the criminals. Some were local and some were international.
  • Individual bank accounts were given very high balances. Money mules used cloned ATM cards to withdraw the cash.
  • ATMs were instructed to spit out money at a given time. Money mules would be waiting to scoop up the money and take it away.

Once the money was taken it had to be laundered. This was done by converting it into cryptocurrencies. This allowed the criminals to then buy goods with the money including cars and houses.

Bring public and private crime fighting resources together

The investigation of cybercrimes is one of the best examples of public-private cooperation. Despite investing in training, equipment and software, police forces lack the skills and often the intelligence networks to investigate a lot of cybercrime. Private companies, such as vendors selling cyber security software have the skills and the global networks to trace the spread of malware and its use.

The assistance by the FBI and other national authorities in several countries was also important. The operation was coordinated by Europol’s European Cybercrime Centre (EC3). Using the skills and intelligence from everyone, they tracked the movement of the stolen money. This helped identify key money launderers and money mules and ultimately the person behind the Carbanak and Cobalt malware.

Ross Rustici, senior director, intelligence services, Cybereason
Ross Rustici, senior director, intelligence services, Cybereason

Many cybercrime investigations fail to get to the person at the top. This is because the cybercrime families are very sophisticated and secretive. The persistence to get the person at the centre of this €1 billion theft is good news. However, there are many more widespread cybercrimes that do not get the resources required to solve them. One wonders if the size of the theft and the fact this was against the banks contributed to the willingness to deploy the necessary personnel.

Ross Rustici, senior director, intelligence services, Cybereason, comments: “The recent Europol arrest of the alleged leader of the Carbanak crime ring is positive news for cybersecurity across the globe. The manner in which this individual was caught continues to demonstrate the importance of public-private partnerships and the global nature of cybercrime. The inclusion of police agencies in at least five different countries demonstrate how difficult it can be to track a single actor through all of their online activity and the jurisdictional challenges law enforcement faces while pursuing these criminals.”

What does this mean?

For now it means that the core network behind Carbanak and Cobalt is dead. However, there are a lot of copies of the malware in circulation. Many cybercrime organisations have multiple copies of their infrastructure. It would be surprising, therefore, if the malware didn’t resurface either as is or as a new variant.

For the police, intelligence and security companies this is a big win. It is more than just the taking down of a crime family. There will be a lot of intelligence to sift through which will provide leads and data for other investigations. It is also probable that source code and even code for new attacks and vulnerabilities was recovered. The latter will only become public once software companies have patched their systems.

For now, the big banks will heave a sigh of relief.


Please enter your comment!
Please enter your name here