Cobalt/Carbanak bank malware gang’s alleged leader arrested

Police have arrested the alleged mastermind behind the Carbanak gang: a group of cybercrooks that’s targeted banks since late 2013, phishing their way into networks, infecting servers and gaining control of automated teller machines (ATMs) that they’ve caused to spew cash to waiting money mules.

According to Europol, the alleged crime boss, whom it didn’t name, was arrested in Alicante, Spain, following a joint investigation by the Spanish National Police, with the support of Europol, the US FBI, the Romanian, Belarusian and Taiwanese authorities and private cybersecurity companies.

Since 2013, the gang has gone after banks, e-payment systems and financial institutions using their malware, which is known as Carbanak and Cobalt. They’ve hit banks in more than 40 countries: attacks that have resulted in cumulative losses of over €1 billion (USD $1.24 billion).

Europol said in an announcement on Monday that the Cobalt malware alone allowed the crooks to steal up to €10 million per heist.

A spokesman for the European Banking Federation (EBF) noted in a conversation with Fortune that the gang’s sophisticated Cobalt malware campaign only began in 2016, making it “fair to say” that the total amount stolen must be significantly above €1 billion at this point.

The gang’s malware evolution started with the launch of the Anunak malware campaign.

As security journalist Brian Krebs noted in December 2014, when he wrote up the gang’s technique of hacking ATMs from within the banks themselves, the hackers didn’t go after bank account passwords or other customer information. Rather, they cored out the banks from the inside: they started with phishing attacks on bank employees, took control of the ATMs, transferred money into their own accounts, and inflated account balances so that money mules could then withdraw the difference at ATMs.

Europol provided this infographic that shows how the criminal network, and their malware, work.

First, they targeted financial transfers and ATM networks of financial institutions around the world. Within their first year, they’d improved the initial Anunak malware into a more sophisticated version, known as Carbanak, which was used until 2016. After that, they focused on developing an even more sophisticated wave of attacks with tailor-made malware based on the Cobalt Strike penetration testing software, a legitimate tool that emulates adversary threats.

In spite of all the malware coders’ tweaks, the modus operandi stayed the same:

  1. Send spear-phishing emails, purporting to come from legitimate companies but bearing malicious attachments, to bank employees.
  2. Once bank employees fell for it and clicked on the attachments, the malicious software allowed the criminals to remotely control the victims’ infected machines, giving them access to the internal banking network.
  3. From there, the attackers infected servers controlling the ATMs. They’d send commands to specific ATMs to spit out cash, and money mules would be waiting to pick it up.

Besides having money mules pick up the cash from ATMs, the crooks also had these tricks up their sleeves:

  1. They’d use the e-payment network to transfer money into criminal accounts.
  2. Databases with account information were modified so account balances would be inflated, with money mules collecting the money.
  3. They laundered some stolen funds via cryptocurrencies, by means of prepaid cards linked to the cryptocurrency wallets that they used to buy things like luxury cars and houses.

Europol says this investigation was one tangled bowl of spaghetti: with the mastermind, coders, mule networks, money launderers and victims all scattered around the world, it required international police cooperation, coordinated by Europol and the Joint Cybercrime Action Taskforce.

It was the first time that EBF worked in partnership with Europol on an investigation, according to EBF CEO Wim Mijs:

It clearly goes beyond raising awareness on cybersecurity and demonstrates the value of our partnership with the cybercrime specialists at Europol. Public-private cooperation is essential when it comes to effectively fighting digital cross-border crimes like the one that we are seeing here with the Carbanak gang.