The Biggest Digital Heist in History Isn't Over Yet (bloomberg.com) 65
There are cyberheists, and then there's Carbanak, a cybercriminal gang that has stolen about $1.2 billion from more than 100 banks in 40 nations. The suspected 34-year-old ringleader is under arrest, but the whopping $1.2 billion amount remains missing. And to add insult to the injury, the malware attacks live on. Bloomberg Businessweek has an insightful story on this, which includes comments from none other than Europol itself, on the chase to catch Carabanak which has lasted for three years. Some excerpts from the story: Before WannaCry, before the Sony Pictures hack, and before the breaches that opened up Equifax and Yahoo!, there was a nasty bit of malware known as Carbanak. Unlike those spectacular attacks, this malware wasn't created by people interested in paralyzing institutions for ransom, publishing embarrassing emails, or taking personal data. The Carbanak guys just wanted loot, and lots of it.
Since late 2013, this band of cybercriminals has penetrated the digital inner sanctums of more than 100 banks in 40 nations, including Germany, Russia, Ukraine, and the U.S., and stolen about $1.2 billion, according to Europol, the European Union's law enforcement agency. The string of thefts, collectively dubbed Carbanak -- a mashup of a hacking program and the word "bank" -- is believed to be the biggest digital bank heist ever. In a series of exclusive interviews with Bloomberg Businessweek, law enforcement officials and computer-crime experts provided revelations about their three-year pursuit of the gang and the mechanics of a caper that's become the stuff of legend in the digital underworld.
Besides forcing ATMs to cough up money, the thieves inflated account balances and shuttled millions of dollars around the globe. Deploying the same espionage methods used by intelligence agencies, they appropriated the identities of network administrators and executives and plumbed files for sensitive information about security and account management practices. The gang operated through remotely accessed computers and hid their tracks in a sea of internet addresses.
Since late 2013, this band of cybercriminals has penetrated the digital inner sanctums of more than 100 banks in 40 nations, including Germany, Russia, Ukraine, and the U.S., and stolen about $1.2 billion, according to Europol, the European Union's law enforcement agency. The string of thefts, collectively dubbed Carbanak -- a mashup of a hacking program and the word "bank" -- is believed to be the biggest digital bank heist ever. In a series of exclusive interviews with Bloomberg Businessweek, law enforcement officials and computer-crime experts provided revelations about their three-year pursuit of the gang and the mechanics of a caper that's become the stuff of legend in the digital underworld.
Besides forcing ATMs to cough up money, the thieves inflated account balances and shuttled millions of dollars around the globe. Deploying the same espionage methods used by intelligence agencies, they appropriated the identities of network administrators and executives and plumbed files for sensitive information about security and account management practices. The gang operated through remotely accessed computers and hid their tracks in a sea of internet addresses.
Waiting for the movie! (Score:3)
Wow. So, who will be playing Carbanak in the movie? Brad Pitt?
Re:Waiting for the movie! (Score:4, Informative)
"Given she's asian..."
He's Ukrainian:
"For years police and banking-industry sleuths doubted they’d ever catch the phantoms behind Carbanak. Then, in March, the Spanish National Police arrested Ukrainian citizen Denis Katana in the Mediterranean port city of Alicante. The authorities have held him since then on suspicion of being the brains of the operation. Katana’s lawyer, Jose Esteve Villaescusa, declined to comment, and his client’s alleged confederates couldn’t be reached for comment. While Katana hasn’t been charged with a crime, Spanish detectives say financial information, emails, and other data trails show he was the architect of a conspiracy that spanned three continents. And there are signs that the Carbanak gang is far from finished."
Explanation behind ongoing heist:
"Someone had sent emails to the bank’s employees with Microsoft Word attachments, purporting to be from suppliers such as ATM manufacturers. It was a classic spear-phishing gambit. When opened, the attachments downloaded a piece of malicious code based on Carberp, a so-called Trojan that unlocked a secret backdoor to the bank’s network. The malware siphoned confidential data from bank employees and relayed the information to a server the hackers controlled. Delving deeper, the Kaspersky team found that intruders were taking control of the cameras on hundreds of PCs inside the organization, capturing screenshots and recording keystrokes. Soon, the researchers learned that other banks in Russia and Ukraine had been hacked the same way."
-https://www.bloomberg.com/news/features/2018-06-25/the-biggest-digital-heist-in-history-isn-t-over-yet
Katana [Re:Waiting for the movie!] (Score:3)
...then, in March, the Spanish National Police arrested Ukrainian citizen Denis Katana...
Wait... he's named katana?! Really?
No way. That has got to be a pseudonym.
Re: (Score:2)
That has got to be a pseudonym.
Of course. His real name is Weaboo.
Re: (Score:3)
Re: (Score:1)
Re: (Score:3)
Given she's asian, that would be a weird choice.
So, Scarlett Johansson then.
Re: (Score:1)
Tom Sellick
Re: (Score:2, Insightful)
I'd like to steal one US citizenship for a day and vote Trump (who I dislike) just to piss this annoying fella off.
Re:You mean when Russia hacked voting equipment? (Score:4, Funny)
They mean social engineering... duh.
But it sounds way better when they call it "espionage methods used by intelligence agencies" instead of "abusive communication methods used daily by banking employees to sell you loans you don't need".
Thanks NSA! (Score:5, Insightful)
You really protected us from the bad guys by building these tools and NOT plugging the holes they use
Re: (Score:2)
I wish that it all gets out in the open.
And also, popcorn. Lots of it. I think I'll be needing it.
Re: Thanks NSA! (Score:1)
Re: (Score:2)
Actually the 2nd biggest digital heist in history (Score:5, Insightful)
The biggest digital heist was when the banks took billions in public money to bail themselves out in 2008.
Can you heist a heist?
Re:Actually the 2nd biggest digital heist in histo (Score:5, Insightful)
Actually the heist which immediately preceded that ... packaging junk debt as AAA and selling it to other people.
Essentially some greedy American assholes stole billions of dollars from the entire fucking world.
The banks got bailed out, the people around the world who got conned into buying garbage American debt, not so much.
How the people who rated that debt AAA didn't end up in prison, I have no idea. Because there is no way they didn't know they were part of a scam.
Comment removed (Score:5, Insightful)
Re: (Score:1)
Then we have draft people for public service, through a lottery. It would be a definite improvement over what we are doing now. Majority rule has hit the brick wall.
It's all pretend anyway (Score:1)
Since all this "money" is just pretend and not backed by anything with intrinsic value, why not just pretend it didn't happen? Set the balances back to where they were before the digital "theft" and call it good.
Any banks that got some magical, ridiculously high deposits from out of the blue, well, you're S.O.L.
Re: (Score:1)
Actually, I'm wondering why it's so hard to get the money back. Of course, if they take it out of an ATM, it's gone. But I don't suppose they took 1.2 billion out of ATMs. So most of it just went from bank account to bank account to bank account. How hard can it be to trace?
Re:It's all pretend anyway (Score:4, Interesting)
Extremely hard, actually.
Case in point, the heist of the Bangladesh Central Bank. They laundered that money through the casino's in the Philippines, who didn't track the money as well as they should have. So you enter with money, buy chips, lose a bit and then move your chips to your pal. He cashes out and now he has legit money.
They did catch the money mules, but they were very unwilling to talk. Later they discovered it was probably North Korea doing the robbing, so that was understandable. The money will never be recovered.
If the crooks were stupid (Score:3)
> But I don't suppose they took 1.2 billion out of ATMs. So most of it just went from bank account to bank account to bank account. How hard can it be to trace?
If the crooks were stupid, they would have transferred it from the victim bank into the crook's personal Wells Fargo account, and left it there. The crooks weren't stupid.
The move it around through several countries right away, then use burner accounts in whichever countries to buy goods, things like laptops, gold, diamonds, etc. Move the diamonds
Re: (Score:2)
If the crooks were stupid, they would have transferred it from the victim bank into the crook's personal Wells Fargo account, and left it there. The crooks weren't stupid.
I used to work in a bank and even if you put it in your own account it would take a lot of time and effort including a court order to get it back.
Banks are in the business of protecting their customer's money, even if their customer is a crook.
The move it around through several countries right away, then use burner accounts in whichever countries to buy goods, things like laptops, gold, diamonds, etc. Move the diamonds, laptops, gold, whatever to another country where the government officials are part of a fencing operation, etc.
Casinos are the easy option. Transfer to a foreign bank, withdraw the cash and buy chips, lose a little to wash it, come out with clean money. We had a case here where one guy washed $90M at the local casino and no-one batted an eyelid until it was too late.
Re: (Score:2)
Actually, I'm wondering why it's so hard to get the money back. Of course, if they take it out of an ATM, it's gone. But I don't suppose they took 1.2 billion out of ATMs. So most of it just went from bank account to bank account to bank account. How hard can it be to trace?
They hire mules and send them forged ATM cards who then extract the money as cash and send it back for a percentage.
But will we know a heist when we see it? (Score:3)
A primary concern is ensuring the science is strong enough to distinguish a normal transaction from a transaction masquerading as one.
Kaspersky discovered this? (Score:2)
Band of cybercriminals penetrated bank digital san (Score:2)