Carbanak leader who is also a member of Cobalt is arrested in Spain

Europol has arrested the mastermind behind billion-dollar hacking attacks

The leader of Carbanak and Cobalt has been arrested

Law enforcement has announced that the supposed leader of one of the most famous hacking groups known as Carbanak and Cobalt has been arrested in Alicante, Spain. The malware attacks conducted by these cyber gangs generated more than one billion dollar profit for the crooks[1].

Europol has reported that the arrest was a result of a complex investigation which has been supported by private cybersecurity firms, Spanish National Police, FBI, Taiwanese, Romanian, Belarussian, and Moldovan authorities. The attackers have targeted over 100 financial institutions across 40 different countries[2].

In the official press release, Europol authorities provide the following information[3]:

Since 2013, the cybercrime gang has attempted to attack banks, e-payment systems and financial institutions using pieces of malware they designed, known as Carbanak and Cobalt. <…> The magnitude of the losses is significant: the Cobalt malware alone allowed criminals to steal up to EUR 10 million per heist.

Hackers used three different malware infections which were developed by themselves

The infamous cyber gang has been first spotted by the law enforcement in late 2013 when they had started targeting ATMs and financial institutions with Anunak malware. In 2014, the attackers upgraded the Anunak to a new and more sophisticated variant, called Carbanak malware.

While the previous virus has been used until 2016, hackers created an even more advanced cyber infection version of a popular Cobalt Strike software which is used for penetration testing. Law enforcement has analyzed the attacks and found undeniable similarities[4]:

In all these attacks, a similar modus operandi was used. The criminals would send out to bank employees spear phishing emails with a malicious attachment impersonating legitimate companies.

Unfortunately, as soon as the person downloads the infected attachment, his/her computer becomes accessible by the hacker group remotely. They then are able to collect information from the banking network and take over the servers which are controlling ATMs.

Cybercriminals had multiple options to cash out the stolen money

IT experts report that Cobalt and Carbanak members were able to get the illegally gained money three ways. One of them is to take the cash spit by the ATM at the pre-set time by programming the machine to give the money automatically. Likewise, someone from the group had to go and collect the stolen money from the hijacked ATMs.

Another technique the criminals had employed was to take advantage of the remote access to the banking network. In other terms, they have automatically transferred the money from the e-payment servers of the financial institutions to their accounts.

And finally, Europol indicates the last cash out technique used by the attackers[5]:

Databases with account information were modified so bank accounts balance would be inflated, with money mules then being used to collect the money.

About the author
Linas Kiguolis
Linas Kiguolis - Expert in social media

Linas Kiguolis is one of News Editors and also the Social Media Manager of 2spyware project. He is an Applied Computer Science professional whose expertise in cyber security is a valuable addition to the team.

Contact Linas Kiguolis
About the company Esolutions