For the past five years, a gang of hackers known as Carbanak has been targeting banks around the world, stealing well over $1 billion in total. Now, thanks to a coordinated international investigation, the as-yet-unnamed leader of the gang has been caught in Spain.
According to the European Union Agency for Law Enforcement Cooperation (Europol), the gang targeted financial transfers and ATM networks from late 2013 by using a series of malware attacks called Anunak and Carbanak, before more recently adapting security-testing software called Cobalt Strike into heist-ready malware.
The malware was spread across networks by duping bank employees with “spear phishing” emails containing malicious attachments. It instructed ATMs to spew out money at pre-determined times, prompted the transfer of money into the gang’s accounts, and modified bank databases to inflate the balances of certain accounts.
“The criminal profits were also laundered via cryptocurrencies, by means of prepaid cards linked to the cryptocurrency wallets which were used to buy goods such as luxury cars and houses,” Europol said in a statement.
Europol said a host of organizations had been involved in the investigation, including the U.S. Federal Bureau of Investigation (FBI), the European Banking Federation (EBF), and the authorities in Spain, Romania, Belarus, and Taiwan.
“Public-private cooperation is essential when it comes to effectively fighting digital cross border crimes like the one that we are seeing here with the Carbanak gang,” said EBF chief Wim Mijs.
It doesn’t seem to be very clear how much money the Carbanak gang stole. It is now more than three years since the cybersecurity firm Kaspersky said the gang had stolen $1 billion. Europol said on Monday that the figure was “over €1 billion,” which equates to at least $1.24 billion.
Given that the gang’s sophisticated Cobalt malware campaign only began in 2016, it is “fair to say” that the total amount stolen must be significantly above €1 billion at this point, an EBF spokesman told Fortune.