
The Spanish National Police has arrested the leader of a criminal group responsible for developing sophisticated banking malware including Cobalt and Carbanak.

On 26 March, EUROPOL announced the arrest of the yet-unnamed computer criminal mastermind in Alicante, Spain. That individual is responsible for helping to attack 100 financial institutions worldwide and cause more than 1 billion EUR in damages.

The group has been active since at least 2013. In its first year alone, it targeted 50 Russian financial institutions and five payment systems, stealing over one billion rubles ($17 million) in the process. It perpetrated these heists using a sophisticated piece of malware called Anunak.

Some time later, the computer criminals developed an even more advanced threat called Carbanak. They used this malware to steal one billion dollars in what many described at the time as the “most sophisticated attack the world has seen.”

The group then evolved once again, conducting customized malware campaigns built around Cobalt Strike, a commercial penetration-testing tool. In these operations, the attackers used numerous tactics, techniques and procedures (TTPs), including spoofed Securities and Exchange Commission (SEC) emails and the exploitation of a 17-year-old Microsoft vulnerability.

Most of the group’s campaigns use spear-phishing emails as the initial attack vector. Once Anunak, Carbanak or Cobalt Strike is running on a victim machine, the attackers move laterally through the target institution’s network in an effort to gain control of its servers and ATM processes. With that level of access, they authorize fraudulent bank transfers, inflate the balances of money mule accounts, or command compromised ATMs to dispense cash on demand. They then convert the stolen money into cryptocurrencies.

Here’s an infographic with more on how the group operates:

The arrest by the Spanish National Police is the result of international police cooperation led by EUROPOL and the Joint Cybercrime Action Taskforce with the FBI and law enforcement counterparts in Romania, Belarus, Taiwan, and Spain.

Steven Wilson, Head of Europol’s European Cybercrime Centre (EC3), said in Europol’s press release that he’s pleased by the success of the investigation, which worked closely in a public-private partnership with the European Banking Federation (EBF):

This global operation is a significant success for international police cooperation against a top level cybercriminal organisation. The arrest of the key figure in this crime group illustrates that cybercriminals can no longer hide behind perceived international anonymity. This is another example where the close cooperation between law enforcement agencies on a worldwide scale and trusted private sector partners is having a major impact on top level cybercriminality.

News of this arrest comes nearly one year after Mark Vartanyan, the Russian author of the notorious Citadel malware which infected over 11 million PCs and stole an astonishing $500 million from bank accounts, pleaded guilty to his crimes.