It started with a phish - and ended with over 1 billion Euro

The mastermind behind the Carbanak and Cobalt malware attacks has been arrested in Spain. He and his gang are suspected of running a bank robbery scheme that caused losses of over 1 billion Euro in the past five years. The scheme was truly international in its scope. Early estimates are that the gang hit financial institutions in over 40 countries across Europe and Asia, making up to 10 million Euro in each robbery. Joining forces to catch these criminals were law enforcement agents from the Spanish National Police, with support from Europol, the US FBI, the Romanian, Moldovan, Belarusian and Taiwanese authorities, and additional private cybersecurity companies.

It started small – with a phish

Apart from the large sums, the robbery scheme was remarkable for its small beginning – well-crafted phishing emails.

These emails, which impersonated legitimate companies, were sent to bank employees along with a malicious attachment. Once the victim clicked on or downloaded the attachment, the malicious software enabled the cybercriminals to remotely control the victim’s device. From there, the cybercriminals snuck into the bank’s internal network and infected the servers controlling the ATMs. During the five years that this gang was successfully robbing banks, they went through two major upgrades in their malicious software, expanding their geographic range as they went.

Three primary ways to success

The police listed three primary ways that the criminals removed money from the bank.

  • Reprogrammed ATMs: selected bank ATMs were reprogrammed to spit out the cash at certain times and locations. There, a gang member would be waiting to catch the cash as it came out.
  • E-payment network: money was transferred from various accounts into and then out of accounts controlled by the cybercriminals.
  • Database modification: account balances were modified with the gang sending in selected people to physically collect the funds.

These profits were subsequently laundered through various cryptocurrencies and prepaid cards as the crooks purchased large items such as houses and cars. The takedown of the operation was the first ever cooperation between the European Banking Federation and Europol. It probably won’t be the last.

Tips to recognize a phish

So here are some tips to recognize a phishing attempt:

  • If it sounds like a steal, it’s you they’re stealing from! Emails with offers that are too good to be true, or that promise easy money, are usually phishing.
  • Look out for the spelling and keywords! Phishers tend to have horrible spelling. And watch out for terms such as “Dear customer” or “Update account”.
  • Look for consistency! Check whether the name in the sign off matches the sender’s email.
  • Hover before you click! Hover the pointer over the links and you will see the URL appear. Make sure that this matches the expected destination and that the website is correctly spelled.
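The "hover before you click" check can also be run by a mail filter. The following is an added example, not part of the original article: it lists the real destination host of every link in an HTML mail body and flags links whose visible text names a different host. The function names and the sample message are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

def host_of(text):
    """First hostname-looking token in text (lowercased, no 'www.'), or None."""
    m = HOST_RE.search(text or "")
    return m.group(1).lower().removeprefix("www.") if m else None

def covers(claimed, actual):
    """True if actual is the claimed host or one of its subdomains."""
    return actual == claimed or actual.endswith("." + claimed)

class LinkAudit(HTMLParser):
    """Per <a>: (visible text, href host, text names a host the href avoids)."""
    def __init__(self):
        super().__init__()
        self.href, self.text, self.links = None, [], []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            text = " ".join("".join(self.text).split())
            real = (urlsplit(self.href).hostname or "").lower()
            shown = host_of(text)
            bad = bool(shown and real and not covers(shown, real))
            self.links.append((text, real, bad))
            self.href = None

def audit_links(html):
    """Return [(visible text, real host, suspicious)] for every link in html."""
    parser = LinkAudit()
    parser.feed(html)
    return parser.links

# Constructed sample body (not from the article); every host is a placeholder.
SAMPLE = """<p>Dear customer, please update account at
<a href="http://login.bank-example.test/verify">https://www.bank.example/login</a>,
read <a href="https://www.bank.example/help">bank.example/help</a>
or <a href="https://offers.example.org/win">click here</a>.</p>"""

if __name__ == "__main__":
    print(*audit_links(SAMPLE), sep="\n")
```

A link whose text is not a URL, such as "click here", cannot be flagged this way, so its real host is only reported for the reader to judge.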


As a PR Consultant and journalist, Frink has covered IT security issues for a number of security software firms, as well as provided reviews and insight on the beer and automotive industries (but usually not at the same time). Otherwise, he’s known for making a great bowl of popcorn and extraordinary messes in a kitchen.