Multi-agency investigation leads to arrest of €1bn hacker

The criminal operation that hit banks across Europe and Asia, resulting in the loss of more than one billion euros since 2013, started from phishing emails sent to employees.

Spanish National Police detained the hacker in Alicante following a complex investigation supported by Europol, the FBI, the Romanian, Moldovan, Belarussian and Taiwanese authorities.

In 2013, the organised crime group launched the Anunak malware that targeted financial transfers and ATM networks around the world.

Just a year later, the same coders improved the software into the more sophisticated Carbanak, which was used until 2016.

The gang then focused its work on the Cobalt Strike penetration testing software. Europol says this allowed ten million euros to be stolen per heist.

Banks were infected with the malware after employees were sent phishing emails with a malicious attachment impersonating legitimate companies.

Once the email was opened, the malware was deployed through the internal network, infecting the servers and controlling ATMs.

The criminals had three methods of stealing the money, one of which included sending a command to specific ATMs to spit out cash where money mules had been sent to collect it.

Money mules were also told to withdraw money from their own accounts after the hacker had increased their bank balance, or the criminal will simply transfer the money into his own account.

The profits were laundered via cryptocurrencies and linked to wallets that were used to buy luxury cars and houses.

International cooperation coordinated by Europol was essential in bringing the criminals to justice, as the mastermind behind the operation, the launderers and the money mules all resided in different locations across the world.

Europol’s European Cybercrime Centre facilitated the sharing of information, hosted operational meetings, and provided digital forensic and malware analysis support.

Wim Mijs, CEO of the European Banking Federation, said: “This is the first time that we have actively cooperated with Europol on a specific investigation. It clearly goes beyond raising awareness on cybersecurity and demonstrates the value of our partnership with the cybercrime specialists at

Europol. Public-private cooperation is essential when it comes to effectively fighting digital cross border crimes like the one that we are seeing here with the Carbanak gang.”

Steven Wilson, head of Europol’s European Cybercrime Centre (EC3), said: “This global operation is a significant success for international police cooperation against a top-level cybercriminal organisation.

“The arrest of the key figure in this crime group illustrates that cybercriminals can no longer hide behind perceived international anonymity.

“This is another example where the close cooperation between law enforcement agencies on a worldwide scale and trusted private sector partners is having a major impact on top-level cybercriminality.”