The mastermind behind malware attacks that programmed ATMs to spit out cash on demand and caused more than $1.2 billion (1 billion euros) in losses has been arrested in Spain.
The leader of a criminal gang that carried out the malware attacks known as Carbanak and Cobalt was detained in Alicante following an investigation by Spanish police, Europol and the U.S. Federal Bureau of Investigation. Spain’s Interior Ministry named the suspect as Denis K, a Ukrainian national. Europol, the European Union agency for law enforcement cooperation, said in a statement that Romanian, Belorussian and Taiwanese authorities also took part in the manhunt.
The organized crime group has been operating since 2013, targeting over 100 financial institutions around the world in heists of as much as 10 million euros per operation. The malware they created could instruct ATMs to dispense cash at a pre-determined time, with gang members waiting by the machines collecting the money.
They also used the e-payment network to transfer money from banks into criminal accounts, and used access to databases to inflate bank account balances in order to collect the money using mules, Europol said. Europol said the profits were laundered using cryptocurrencies to buy luxury houses and cars.
Neither Europol nor the Spanish police provided information about other members of the gang. Spain’s Interior Ministry said Denis K was operating from Spain and had accumulated about 15,000 bitcoins (about $120 million).
He accessed financial platforms in Gibraltar and the U.K. to charge prepaid cards that he then used in Spain to acquire luxury goods, including cars and houses. Spanish police believe that the amounts he had to spend on upgrading systems for new attacks and in disputes with Russian mafia mean that at one stage he may have held considerably more in cryptocurrency.
The cyberattacks mainly targeted banks in Russia, penetrating practically all of the country’s financial system, the Interior Ministry said in an emailed statement. In Spain, attacks took place in Madrid mainly in the first quarter of 2017, resulting in the theft of about 500,000 euros. The gang worked with Russian mafia until 2015 and then with criminal groups from Moldova after that, the ministry said.
Denis K, working with three other gang members, sent out malware-infected emails to bank employees. If the employees opened the emails, the gang was able to take control remotely of their computers and access banks’ internal databases and systems.
The gang members didn’t know each other and made contact through internet, said Carlos Yuste, a Spanish police chief inspector who helped lead the operation. Yuste said it’s unlikely that the rest of the gang will be able to continue operating after its mastermind was captured.
“The head has been cut off,” Yuste said by phone. “I’m sure there are other operations like this, but not many.”
The arrest marks at least the second time in a year that international cooperation in law enforcement has brought down a cybercrime operation. In July, Dutch police working with Europol, the FBI and the U.S. Drug Enforcement Agency shut down the operations of AlphaBay and Hansa, two markets for the sale of illegal substances, firearms and malware that operated on the so-called dark web.