Cash-machine-draining €1bn cybercrime kingpin suspect cuffed by plod

Bod accused of masterminding malware attacks on banks around the world


European cyber-cops have felt the collar of a bloke suspected of running a network of crims that used malware to pinch €1bn (£874.8m, $1.24bn) from cash machines and other banking systems.

The crew developed the software nasty Anunak, later updated to Carbanak, as well as cyber-weapons based on Cobalt Strike's penetration testing toolkit. The gang lobbed this malicious code at more than 100 financial institutions around the globe from 2013 until 2016, we're told.

The crooks are said to have kicked off their activities with the Anunak malware in 2013, which was sent in spear-phishing emails to bank employees to infect their Windows PCs when opened. Once compromised, the zombie machines were used to access the bank's internal network and hijack ATMs.

These compromised cash machines then spat out notes at a predetermined time and location, presumably into the nondescript holdall of a gang member. Other activities of the gang included hijacking global electronic payment networks to shuffle money out of infected institutions and into the accounts of criminals.

Because it wouldn't be a financial crime story without them, cryptocurrencies played a part in the money-laundering process: prepaid cards linked to online alt-coin wallets were used to buy flash motors and nice houses, effectively shifting the criminals' cyber-loot, the plod claim.

The Anunak malware evolved into a nastier version known as Carbanak, which was used until 2016. The rogue programmers from then on used the Cobalt Strike penetration testing software to create tailored nasties.

On Monday, Europol made much of the international cooperation that led to the arrest in Alicante, Spain, giving credit to the FBI, police forces from Romania, Belarus, and Taiwan, and private infosec outfits, as well as its own officers.

The Register has asked Europol to comment on how much of the €1bn has been recovered. ®
