Europol, the EU's law enforcement intelligence agency, helped to coordinate the investigation, which was led by the Spanish National Police with assistance from the FBI, Interpol, authorities in Romania, Belarus and Taiwan, as well as private cybersecurity firms. According to Europol's press release, the cyber criminals stole funds from banks and financial institutions in more than 40 countries, laundering their loot through cryptocurrencies to hide it from local and worldwide authorities. The magnitude of the losses is significant: the Cobalt malware alone allowed criminals to steal up to EUR 10 million per heist.
Carbanak affected financial institutions in Australia, Brazil, Bulgaria, Canada, China, Czech Republic, France, Germany, Hong Kong, Iceland, India, Ireland, Morocco, Nepal, Norway, Poland, Pakistan, Romania, Russia, Spain, Switzerland, Taiwan, Ukraine, the United Kingdom and the U.S.
The gang used three separate malware strains, each one more sophisticated than the last, to penetrate and then loot the financial networks.
Anunak malware first appeared in 2013, and later developed into a more sophisticated strain called Carbanak, which remained in use through at least 2016 (see Sophisticated Carbanak Banking Malware Returns, With Upgrades).
The cyber-thieves got their malware into bank networks by sending booby-trapped phishing emails to key bank staff, said Europol. The software gave the gang remote control of infected machines, providing them with access to the internal banking network. From there the malware would infect the servers controlling ATMs, giving the attackers the ability to control ATMs operated by the bank. Alternatively, they would use the e-payment network to transfer the money out of an organization and into criminal accounts.
Databases with account information were modified so account balances would be inflated, with money mules collecting the money.
According to law enforcement, virtual coins were linked to prepaid cards to buy luxury goods including vehicles and property.
Europol says this investigation was one tangled bowl of spaghetti: with the mastermind, coders, mule networks, money launderers and victims all in different locations around the world, it required global police cooperation, coordinated by Europol and the Joint Cybercrime Action Taskforce.
"It clearly goes beyond raising awareness on cyber security and demonstrates the value of our partnership with the cyber crime specialists at Europol".
"Public-private cooperation is essential when it comes to effectively fighting digital cross-border crimes like the one that we are seeing here with the Carbanak gang", said EBF chief Wim Mijs.