CANCUN, Mexico – Hackers in Eastern Europe are bleeding banks dry, stealing as much as $1 billion from more than 100 financial institutions in a string of attacks that borrow heavily from targeted attacks against sensitive government and industrial targets.
Researchers from Kaspersky Lab on Monday will present details on the Carbanak criminal gang, which is also targeting financial organizations in the United States, Germany and China with expansion into Asia possible. The details will come during the company’s Security Analyst Summit here.
Unlike most attacks against banks where fraud is the No. 1 means of stealing from customer accounts, the Carbanak gang targets banks directly.
Gathering data from their own research and from law enforcement agencies, including INTERPOL and Europol, Kaspersky pins the losses at anywhere from $2.5 million to $10 million per bank. The attacks are ongoing, and a list of indicators of compromise will also be released Monday.
The attacks date back two years and as many as 100 banks have been in the crosshairs of the Carbanak gang, as well as e-payment systems and other organizations in as many as 30 countries.
The hackers lived on the bank networks for months after gaining a foothold, generally through a spearphishing email carrying a malicious .CPL attachment and, in some cases, a Word document. The attachments delivered the backdoor named Carbanak, which has many of the same data-stealing capabilities as notorious APT-style attacks, including remote control.
Once the backdoor is installed, the criminals are able to install other tools on victimized computers that allow the hackers to move laterally on the network before settling on their targets. But rather than data, the Carbanak gang is after money.
In sitting quietly on the network, the criminals study how the banks operate, using video possibly recorded by compromised computers.
“Even though the quality of the videos was relatively poor, they were still good enough for the attackers armed also with the keylogged data for that particular machine to understand what the victim was doing. This provided them with the knowledge they needed to cash out the money,” Kaspersky said in its report.
The criminals were able to manipulate their access to the respective banking networks in order to steal the money in a variety of ways. In some instances, ATMs were instructed to dispense cash without anyone interacting with the terminal locally. Money mules would collect the money and transfer it over the SWIFT network to the criminals’ accounts, Kaspersky said. The Carbanak group went so far as to alter databases and inflate balances on existing accounts, then pocket the difference unbeknownst to the user, whose original balance remained intact.
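The balance-inflation technique described above leaves a detectable trace: a stored balance that no longer equals the sum of the account's posted transactions. The following reconciliation check is an added illustration written for this article, not code from Kaspersky's report; the account numbers and amounts are constructed sample data.

```python
"""Ledger reconciliation: flag accounts whose stored balance does not match
the balance derived from their posted transactions. Added example; the
sample accounts and amounts below are constructed, not from the report."""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Discrepancy:
    account: str
    stored: Decimal     # balance as held in the accounts table
    computed: Decimal   # balance rebuilt from the transaction ledger

    @property
    def injected(self) -> Decimal:
        """Amount present in the stored balance with no ledger support."""
        return self.stored - self.computed


def reconcile(balances, transactions):
    """Return a Discrepancy for every account whose stored balance differs
    from the sum of its ledger entries. `balances` maps account -> amount,
    `transactions` is a sequence of (account, signed amount) pairs."""
    computed = {acct: Decimal("0") for acct in balances}
    for acct, amount in transactions:
        computed[acct] = computed.get(acct, Decimal("0")) + Decimal(amount)
    findings = []
    for acct, stored in sorted(balances.items()):
        stored = Decimal(stored)
        if stored != computed[acct]:
            findings.append(Discrepancy(acct, stored, computed[acct]))
    return findings


# Constructed sample: account 1002 was raised from 1000 to 6000 directly in
# the table, with no matching transaction; the other accounts reconcile.
SAMPLE_BALANCES = {"1001": "250.00", "1002": "6000.00", "1003": "0.00"}
SAMPLE_LEDGER = [
    ("1001", "300.00"), ("1001", "-50.00"),
    ("1002", "1000.00"),
]

if __name__ == "__main__":
    for d in reconcile(SAMPLE_BALANCES, SAMPLE_LEDGER):
        print(f"account {d.account}: stored {d.stored} vs ledger {d.computed} "
              f"(unexplained +{d.injected})")
```

In practice the ledger-derived balance would be rebuilt from an append-only transaction log kept outside the database the attackers can edit, so that the comparison does not trust the same table that was tampered with.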
“These bank heists were surprising because it made no difference to the criminals what software the banks were using. So, even if its software is unique, a bank cannot get complacent. The attackers didn’t even need to hack into the banks’ services: once they got into the network, they learned how to hide their malicious plot behind legitimate actions. It was a very slick and professional cyber-robbery,” said Sergey Golovanov, Principal Security Researcher at Kaspersky Lab’s Global Research and Analysis Team.