Europol on Monday announced the arrest of the leader of a gang that spear-phished bank staff to install the Carbanak malware and steal $1bn from more than 100 banks in 40 countries over four years.
Spanish National Police arrested the man in Alicante, a city on the east coast of Spain known for its beaches. Spain's interior ministry identified the suspect as Denis K, a Ukrainian national, and said he was working with three other members from Russia and Ukraine.
The group had been active since 2013, starting with the Anunak trojan, which stood out because it targeted PCs and servers inside financial institutions rather than the banks' customers. The hackers used that access to compromise ATMs and payment systems and funnel out tens of millions at a time.
The group used network scanners, keyloggers, password crackers, SSH backdoors, remote access programs and penetration testing tools.
Bank employees were targeted by phishing email with malicious attachments, but the group also purchased compromised machines from botnet operators if the IP address was part of a bank or government agency.
By 2014 Anunak’s developers had upgraded the tool which by then was known as Carbanak. Kaspersky reported in 2015 that Carbanak gang members were suspected to be from Russia, Europe and China.
The gang hit Spanish authorities' radar after withdrawing half a million euros from ATMs in central Madrid in early 2017 after changing bank balances from accounts held at banks in Russia and Kazakhstan.
Over the years Carbanak has affected financial institutions in Australia, Brazil, Bulgaria, Canada, China, Czech Republic, France, Germany, Hong Kong, Iceland, India, Ireland, Morocco, Nepal, Norway, Poland, Pakistan, Romania, Russia, Spain, Switzerland, Taiwan, Ukraine, the U.K., the U.S.
The gang carefully studied each targeted financial institution to learn its wire transfer procedures, in some cases by watching admins' computers over video to understand how to transfer money and cash it out. The group wired out $10m at most from a single financial institution, but on average managed to steal €1.5m per theft.
Carbanak was in use until 2016 when it was refined for sleeker attacks using custom malware based on the Cobalt Strike penetration testing kit.
Europol describes three cash-out techniques the group used, including using compromised bank networks to remotely instruct ATMs to dispense cash at a time and location known to other gang members.
The group also inflated bank account balances and used money mules to collect the money. Alternatively, they would use the e-payment network to transfer the money out of an organization and into criminal accounts.
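The two cash-out patterns just described, balance inflation and remotely triggered ATM dispensing, both leave a gap between what the core ledger authorised and what actually happened. The following is an added illustration, not code from Europol, the reporting, or any bank, of the reconciliation checks a defender would run to surface that gap: balance changes with no matching posting, and ATM dispense events with no authorising transaction. Account numbers, amounts and ATM identifiers are constructed for the example.

```python
"""
Constructed example (added here; not from Europol, the article, or any bank):
two defender-side reconciliation checks aimed at the cash-out patterns the
article describes:
  (1) an account balance that moves without a matching ledger posting
      (balance inflation ahead of a mule withdrawal), and
  (2) an ATM dispense event with no authorising transaction behind it
      (a dispense triggered from inside a compromised network).
All data below is made up.
"""
from collections import defaultdict
from decimal import Decimal

# Constructed ledger postings: (account, amount). Positive = credit.
LEDGER = [
    ("ACC-1001", Decimal("250.00")),
    ("ACC-1001", Decimal("-40.00")),
    ("ACC-2002", Decimal("1000.00")),
]

# Constructed opening/closing balances from a core-banking snapshot.
BALANCES = {
    "ACC-1001": (Decimal("100.00"), Decimal("310.00")),    # 100 + 250 - 40 = 310, consistent
    "ACC-2002": (Decimal("0.00"), Decimal("1000.00")),     # 0 + 1000, consistent
    "ACC-3003": (Decimal("500.00"), Decimal("50500.00")),  # +50000 with no posting at all
}

# Constructed ATM dispense log and the set of transaction ids the switch authorised.
ATM_DISPENSES = [
    {"atm": "ATM-17", "txn_id": "T-1", "amount": Decimal("200.00")},
    {"atm": "ATM-17", "txn_id": None,  "amount": Decimal("4000.00")},  # dispensed, never authorised
]
AUTHORISED_TXNS = {"T-1"}


def unexplained_balance_changes(ledger, balances):
    """Return {account: unexplained delta} for every account whose closing
    balance differs from opening balance plus the sum of its postings."""
    posted = defaultdict(Decimal)
    for account, amount in ledger:
        posted[account] += amount
    findings = {}
    for account, (opening, closing) in balances.items():
        expected = opening + posted[account]
        if closing != expected:
            findings[account] = closing - expected
    return findings


def unauthorised_dispenses(dispenses, authorised):
    """Return dispense events whose transaction id is absent from the
    authorisation log (including events that carry no id at all)."""
    return [d for d in dispenses if d["txn_id"] not in authorised]


if __name__ == "__main__":
    for account, delta in unexplained_balance_changes(LEDGER, BALANCES).items():
        print(f"ALERT balance drift on {account}: {delta:+} not backed by postings")
    for event in unauthorised_dispenses(ATM_DISPENSES, AUTHORISED_TXNS):
        print(f"ALERT {event['atm']} dispensed {event['amount']} with no authorisation")
```

Both checks compare two records that an intruder has to tamper with separately; an attacker who edits the balance table but not the posting journal, or who drives the ATM directly rather than through the authorisation path, shows up as a mismatch even though each individual system looks self-consistent.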
The cash was then laundered by converting it into various cryptocurrencies that were stored in cryptocurrency wallets linked to prepaid payment cards. The funds were then used to buy luxury cars and houses.
Denis K accumulated 15,000 Bitcoin and used financial tools in the British territories Gibraltar and the UK to load the prepaid cards to make purchases in Spain.
Europol suggests other members have also been arrested, including coders, members of mule networks and money launderers.