EBF helps global police probe into ‘Carbanak’ bank robberies

Published 26.03.2018

The arrest in Spain of a key member of a global cybercrime syndicate responsible for more than one hundred digital bank robberies worldwide was also made possible thanks to the engagement of the Cybersecurity Working Group of the European Banking Federation.

European and Spanish police authorities today announced that the leader of the crime gang behind the Carbanak and Cobalt malware attacks targeting over 100 financial institutions worldwide has been arrested in Alicante, Spain, after a complex investigation conducted by the Spanish National Police, with the support of Europol, the US FBI, the Romanian, Belarussian and Taiwanese authorities and private cyber security companies.

The international police cooperation was coordinated by Europol. Europol’s European Cybercrime Centre (EC3) facilitated the exchange of information, hosted operational meetings, provided digital forensic and malware analysis support and deployed experts on-the-spot in Spain during the action day.  The close private-public partnership with the European Banking Federation (EBF), the banking industry as a whole and the private security companies was also paramount in the success of this complex investigation.

Says Steven Wilson, Head of Europol’s European Cybercrime Centre (EC3):

“This is another example where the close cooperation between law enforcement agencies on a worldwide scale and trusted private sector partners is having a major impact on top level cybercriminality. This global operation is a significant success for international police cooperation against a top-level cybercriminal organisation. The arrest of the key figure in this crime group illustrates that cybercriminals can no longer hide behind perceived international anonymity.”

Says Wim Mijs, Chief Executive Officer of the European Banking Federation:

“This is the first time that the EBF has actively cooperated with Europol on a specific investigation. It clearly goes beyond raising awareness on cybersecurity and demonstrates the value of our partnership with the cybercrime specialists at Europol. Public-private cooperation is essential when it comes to effectively fighting digital cross border crimes like the one that we are seeing here with the Carbanak gang.”

At the request of Europol’s EC3 unit, the Cybersecurity Working Group of the EBF coordinated the engagement of the European banking sector with police investigators and leveraged its network of cybersecurity specialists in the European banking sector to help banks identify the cyber robberies and trace the financial flows.

Says Keith Gross, Chair of the EBF Cybersecurity Working Group:

“Let me congratulate Europol and its partners, particularly the Spanish authorities who made the arrest, as well as the banks that placed their trust in this cooperation. It shows what can be achieved by cooperating with police investigators at an industry-level. We all know too well that cybercrime increasingly is a global issue that can only be dealt with through international cooperation and trusted networks.”

Since 2013, the cybercrime gang have attempted to attack banks, e-payment systems and financial institutions using pieces of malware they designed, known as Carbanak and Cobalt. The criminal operation has struck banks in more than 40 countries and has resulted in cumulative losses of over €1 billion for the financial industry. The magnitude of the losses is significant: the Cobalt malware alone allowed criminals to steal up to €10 million per heist.

Modus operandi

The organised crime group started its high-tech criminal activities in late 2013 by launching the Anunak malware campaign that targeted financial transfers and ATM networks of financial institutions around the world. By the following year, the same coders improved the Anunak malware into a more sophisticated version, known as Carbanak, which was used in until 2016. From then onwards, the crime syndicate focused their efforts into developing an even more sophisticated wave of attacks by using tailor-made malware based on the Cobalt Strike penetration testing software.

In all these attacks, a similar modus operandi was used. The criminals would send out to bank employees spear phishing emails with a malicious attachment impersonating legitimate companies. Once downloaded, the malicious software allowed the criminals to remotely control the victims’ infected machines, giving them access to the internal banking network and infecting the servers controlling the ATMs. This provided them with the knowledge they needed to cash out the money.

Cashing out

The money was then cashed out by one of the following means:

  • ATMs were instructed remotely to dispense cash at a pre-determined time, with the money being collected by organised crime groups supporting the main crime syndicate: when the payment was due, one of the gang members was waiting beside the machine to collect the money being ‘voluntarily’ spit out by the ATM;
  • The e-payment network was used to transfer money out of the organisation and into criminal accounts;
  • Databases with account information were modified so bank accounts balance would be inflated, with money mules then being used to collect the money.

Europol said that the criminal profits were also laundered via cryptocurrencies, by means of prepaid cards linked to the cryptocurrency wallets which were used to buy goods such as luxury cars and houses.

The author of this article is solely responsible for the content published.


Association des Banques et Banquiers, Luxembourg


12, Rue Erasme L-1468 Luxembourg

Phone Fax
Opening hours

Monday to Friday from 8:00 to 17:30.