Carbanak and Cobalt crime crew caught
The European Banking Federation’s (EBF) Cybersecurity Working Group has played a part in the arrest of a key member of a global cybercrime syndicate responsible for more than 100 digital bank robberies in 40 countries.
European and Spanish police authorities say the leader of the crime gang behind the Carbanak and Cobalt malware attacks has been arrested in Alicante, Spain, after a “complex” investigation conducted by the Spanish National Police, with the support of Europol, the FBI, the Romanian, Belarussian and Taiwanese authorities and private cybersecurity companies.
Wim Mijs, CEO of the European Banking Federation, says: “This is the first time that the EBF has actively cooperated with Europol on a specific investigation. It clearly goes beyond raising awareness on cybersecurity and demonstrates the value of our partnership with the cybercrime specialists at Europol.”
The international police cooperation was coordinated by Europol. Europol’s European Cybercrime Centre (EC3) facilitated the exchange of information, hosted operational meetings, provided digital forensic and malware analysis support and deployed experts on-the-spot in Spain during the action day.
The private-public partnership with the EBF was also “paramount in the success”.
At the request of Europol’s EC3 unit, the EBF’s Cybersecurity Working Group coordinated the engagement of the European banking sector with police investigators and used its network of cybersecurity specialists to help banks identify the cyber robberies and trace the financial flows.
Since 2013, the cybercrime gang have attempted to attack banks, e-payment systems and financial institutions using pieces of malware they designed, known as Carbanak and Cobalt.
The criminal operation has struck banks in more than 40 countries and has resulted in cumulative losses of over €1 billion for the financial industry. The “magnitude of the losses is significant”: the Cobalt malware alone allowed criminals to steal up to €10 million per heist.
Dirty deeds done dirt cheap
If you want more information or just like crime stories, then read on.
According to the EBF, the organised crime group started its high-tech criminal activities in late 2013 by launching the Anunak malware campaign that targeted financial transfers and ATM networks of financial institutions around the world.
By the following year, the same coders improved the Anunak malware into a more sophisticated version, known as Carbanak, which was used in until 2016.
From then onwards, the crime syndicate focused their efforts into developing an even more sophisticated wave of attacks by using tailor-made malware based on the Cobalt Strike penetration testing software.
In all these attacks, a similar modus operandi was used. The criminals would send out to bank employees spear phishing emails with a malicious attachment impersonating legitimate companies.
Once downloaded, the malicious software allowed the criminals to remotely control the victims’ infected machines, giving them access to the internal banking network and infecting the servers controlling the ATMs. This provided them with the knowledge they needed to cash out the money.
The money was then cashed out by one of the following means:
- ATMs were instructed remotely to dispense cash at a pre-determined time, with the money being collected by organised crime groups supporting the main crime syndicate: when the payment was due, one of the gang members was waiting beside the machine to collect the money being “voluntarily” spit out by the ATM;
- The e-payment network was used to transfer money out of the organisation and into criminal accounts;
- Databases with account information were modified so bank accounts balance would be inflated, with money mules then being used to collect the money.
Europol said that the criminal profits were also laundered via cryptocurrencies, by means of prepaid cards linked to the cryptocurrency wallets which were used to buy goods such as luxury cars and houses.