Europol announced today that Spanish police have arrested a man suspected of being the mastermind behind the Carbanak hacking group, known for some of the biggest bank cyber-heists in recent years.
Europol said the Carbanak gang, also known as Cobalt, had carried out over 100 attacks across 40 countries, stealing over €1 billion ($1.24 billion), an average of roughly €10 million ($12.4 million) per heist.
The Carbanak gang is infamous because it attacked only banks, e-payment systems, and financial institutions. The gang's activities can be split into three main phases, depending on the malware used in the attacks:
While the group's malware varied, the Carbanak gang always followed the same modus operandi, one that has since been copied by many other groups.
Every attack started with spear-phishing emails sent to employees of the target. The emails used domain spoofing to impersonate legitimate business partners or collaborators and carried a file attachment containing malicious software.
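The sender-side spoofing described above is something a mail gateway can screen for before the attachment ever reaches an employee. The following is an added example, not code from the original article or from any investigator's tooling: it takes a parsed message and checks whether the From domain claims to be a known partner without passing SPF or DKIM, whether the envelope Return-Path domain disagrees with the From domain, whether the From domain is a close look-alike (edit distance of at most two) of a partner domain, and whether the message carries an executable-type attachment. The partner domains, the receiving mail host, the sample messages and the thresholds are all assumptions constructed for the example.

```python
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed: the domains this bank legitimately exchanges mail with.
TRUSTED_PARTNERS = {"acme-payments.example", "corebank-vendor.example"}
# Assumed: attachment types that should never arrive from a business partner.
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".jar", ".docm", ".xlsm", ".lnk")


def edit_distance(a, b):
    """Levenshtein distance, used to catch look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    """Domain part of a header address such as 'Ops <ops@x.example>'."""
    return parseaddr(addr or "")[1].rpartition("@")[2].lower()


def auth_results(msg):
    """Parse 'authserv-id; method=result ...' clauses into {method: result}."""
    out = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for clause in hdr.split(";")[1:]:
            method, _, rest = clause.strip().partition("=")
            if rest:
                out[method.strip()] = rest.split()[0]
    return out


def assess(msg):
    """Return the spoofing indicators found in one message."""
    from_dom = domain_of(msg["From"])
    rp_dom = domain_of(msg["Return-Path"])
    auth = auth_results(msg)
    findings = []
    if from_dom in TRUSTED_PARTNERS:
        # A real partner message should authenticate; a spoofed one cannot.
        if auth.get("dkim") != "pass" and auth.get("spf") != "pass":
            findings.append("partner domain in From but neither DKIM nor SPF passed")
        if rp_dom and rp_dom != from_dom:
            findings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")
    else:
        close = [t for t in TRUSTED_PARTNERS if edit_distance(from_dom, t) <= 2]
        if close:
            findings.append(f"look-alike of partner domain {close[0]}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            findings.append(f"executable-type attachment {name}")
    return {"from_domain": from_dom, "suspicious": bool(findings), "findings": findings}


def build_sample(sender, return_path, auth, attachment=None):
    """Constructed test message (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "treasury@bank.example"
    msg["Subject"] = "Updated settlement instructions"
    msg["Return-Path"] = return_path
    msg["Authentication-Results"] = auth
    msg.set_content("Please review the attached instructions.")
    if attachment:
        msg.add_attachment(b"MZ\x90\x00", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg


SAMPLES = {
    "legit": build_sample(
        "ops@acme-payments.example", "<ops@acme-payments.example>",
        "mx.bank.example; spf=pass smtp.mailfrom=acme-payments.example; "
        "dkim=pass header.d=acme-payments.example"),
    "spoofed": build_sample(
        "ops@acme-payments.example", "<bounce@mail-relay-42.example>",
        "mx.bank.example; spf=fail smtp.mailfrom=mail-relay-42.example; dkim=none",
        "instructions.scr"),
    "lookalike": build_sample(
        "ops@acme-payrnents.example", "<ops@acme-payrnents.example>",
        "mx.bank.example; spf=pass smtp.mailfrom=acme-payrnents.example; "
        "dkim=pass header.d=acme-payrnents.example",
        "instructions.docm"),
}

if __name__ == "__main__":
    for label, sample in SAMPLES.items():
        print(label, assess(sample))
```

The look-alike check deliberately runs on the whole domain rather than only the registrable part, so an attacker-registered "acme-payrnents.example" is caught, but a message that passes DKIM for a genuinely registered look-alike still needs the edit-distance rule, since authentication only proves the sender owns the look-alike, not that it is the partner.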
The attackers usually relied on infecting one workstation and then moving laterally through the internal network, looking for machines with access to the software used to manage the target's funds, including the systems that controlled ATMs, bank accounts, and money transfers.
Once they had access to these systems, the hackers chose one of three methods of stealing money.
The first was to coordinate with money-mule groups and instruct ATMs to dispense cash at a predetermined date and time. Money mules collected the cash, some of which ended up back with the Carbanak group after the intermediaries took their cut.
Second, the group transferred money from legitimate accounts to accounts that they or their money mules controlled; the mules then emptied those accounts at ATMs or used them to buy expensive goods and launder the money.
Third, the crooks used their access to the bank's internal network to artificially inflate the balances of accounts the money mules had opened in advance, without transferring funds from other accounts. As before, the mules emptied the accounts as quickly as possible.
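The second and third methods leave different traces in the bank's own records: a transfer into a freshly opened mule account that is drained at ATMs within a day or two, and a balance that no journal entry explains. The following is an added example, not the article's or any bank's code, of two checks a fraud or security team could run over the core ledger: a reconciliation that recomputes every balance from the transaction journal and reports balances the journal does not back, and a cash-out heuristic for young accounts. Account identifiers, dates, amounts and thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample records, not real bank data. Amounts in whole currency units.
# "ledger_balance" is what the core system currently shows for the account.
ACCOUNTS = {
    "A-1001": {"opened": date(2015, 1, 10), "opening_balance": 50_000, "ledger_balance": 7_500},
    "A-2002": {"opened": date(2016, 3, 1),  "opening_balance": 0,      "ledger_balance": 2_500},
    "M-9001": {"opened": date(2016, 3, 9),  "opening_balance": 0,      "ledger_balance": 250_000},
    "M-9002": {"opened": date(2016, 3, 9),  "opening_balance": 0,      "ledger_balance": 0},
}
JOURNAL = [
    {"id": 1, "date": date(2016, 3, 10), "type": "transfer",       "from": "A-1001", "to": "A-2002", "amount": 2_500},
    {"id": 2, "date": date(2016, 3, 10), "type": "transfer",       "from": "A-1001", "to": "M-9002", "amount": 40_000},
    {"id": 3, "date": date(2016, 3, 10), "type": "atm_withdrawal", "from": "M-9002", "to": None,     "amount": 10_000},
    {"id": 4, "date": date(2016, 3, 10), "type": "atm_withdrawal", "from": "M-9002", "to": None,     "amount": 10_000},
    {"id": 5, "date": date(2016, 3, 11), "type": "atm_withdrawal", "from": "M-9002", "to": None,     "amount": 10_000},
    {"id": 6, "date": date(2016, 3, 11), "type": "atm_withdrawal", "from": "M-9002", "to": None,     "amount": 10_000},
]


def reconcile(accounts, journal):
    """Recompute each balance from opening balance plus journal entries and
    return {account: stored - expected} for every account that disagrees.
    A positive delta with no journal entries is the third method: an
    inflated balance with no transfer behind it."""
    expected = {acct: rec["opening_balance"] for acct, rec in accounts.items()}
    for entry in journal:
        expected[entry["from"]] -= entry["amount"]
        if entry["to"] is not None:
            expected[entry["to"]] += entry["amount"]
    return {acct: rec["ledger_balance"] - expected[acct]
            for acct, rec in accounts.items()
            if rec["ledger_balance"] != expected[acct]}


def mule_cashouts(accounts, journal, max_account_age=timedelta(days=30),
                  drain_window=timedelta(days=2), drain_ratio=0.9):
    """Inbound transfers to a recently opened account that are mostly taken
    out at ATMs within a short window: the cash-out pattern of the second
    method. Thresholds are assumed values, not figures from the article."""
    withdrawals = defaultdict(list)
    for e in journal:
        if e["type"] == "atm_withdrawal":
            withdrawals[e["from"]].append(e)
    hits = []
    for e in journal:
        if e["type"] != "transfer":
            continue
        acct = e["to"]
        if e["date"] - accounts[acct]["opened"] > max_account_age:
            continue
        drained = sum(w["amount"] for w in withdrawals[acct]
                      if e["date"] <= w["date"] <= e["date"] + drain_window)
        if drained >= drain_ratio * e["amount"]:
            hits.append({"account": acct, "transfer_id": e["id"],
                         "received": e["amount"], "withdrawn": drained})
    return hits


if __name__ == "__main__":
    print("unbacked balances:", reconcile(ACCOUNTS, JOURNAL))
    print("mule cash-outs:", mule_cashouts(ACCOUNTS, JOURNAL))
```

The reconciliation is only as trustworthy as the journal it reads. Because the group had access to the same internal systems that write the ledger, the copy used for the check should come from an independent, append-only feed rather than the database the attackers could edit; otherwise an intruder who can inflate a balance can also insert the journal entry that explains it.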
Some of the criminal profits were also laundered through cryptocurrencies. Investigators said the hackers used prepaid cards linked to cryptocurrency wallets to buy goods such as luxury cars and houses.
The arrest of the Carbanak leader is expected to hinder the group's operations, if not end them entirely. Authorities have not released the man's name, saying only that he was arrested in the city of Alicante, Spain, after a massive and lengthy investigation involving officers and support from Europol, the FBI, the private cyber-security sector, the banking sector, and the Spanish, Romanian, Belarusian, and Taiwanese national police forces.
UPDATE: After publication, Ukrainian police also posted details of the arrest of another member of the Carbanak/Cobalt crew. Spanish police have also released a video of the arrest.
The leader of a #cybercriminal organization that stole more than $1 billion from banks around the world through cyberattacks has been arrested in Alicante in an operation by the @policia with the support of @Europol, @INTERPOL_HQ and @FBI. pic.twitter.com/XozX00sIzZ — Juan Ignacio Zoido (@zoidoJI) March 26, 2018