How to steal a billion without leaving home

Professor

HOW A UKRAINIAN STOLE A BILLION FROM THE RUSSIANS.

Hello! Today we have a new topic for you: HOW A UKRAINIAN STOLE A BILLION FROM THE RUSSIANS. The topic is about the brilliant group "Carbanak". What is the secret of "Carbanak"? How did they manage to steal a billion dollars? How did the authorities catch them? The answers to these questions are in this topic!

Contents:
  • Chapter I. Maxim Got Distracted.
  • Chapter II. Bobby Hides His Money.
  • Chapter III. The Fall of a Genius.
  • Conclusion

July 10, 2016. Two men walk into a bank in Taipei. They are wearing surgical masks and fishing hats. One of them guards the entrance, and the other stands in front of the ATM. He does nothing. He does not withdraw money from his card or try to blow up the ATM. He just waits. And then something curious happens. The ATM starts firing out banknote after banknote. All he has to do is take the money.

To a passerby it looks as if the cash is simply sitting there for the taking, but that is not quite what is happening. The man has just taken part in a large-scale robbery. While these two men were collecting their money, 20 more people were doing the same at other branches. This is just one fragment of a larger operation: a two-year, sophisticated attack that has shaken the global financial system.

More than 100 banks in 30 countries and about $1 billion in stolen funds: one of the largest bank heists in history, organized by the Carbanak hacker group. They are led by one elusive genius. But one night in Taipei, he and his team made a fatal mistake, for which they will pay dearly.

Chapter I. Maxim Got Distracted.
In fact, the events of this hack are known, but the names of the attacked banks and the employees involved have never been revealed. So, to tell this story, I created Maxim. It is April 8th, an ordinary Tuesday. He works at one of the Ukrainian banks. He is a respected employee, but he has a bad habit of not installing Windows updates. While he sips coffee and thinks about the secretary, he receives an email.

It is an email from his colleague Sergey. Attached to the email is a Word document. It talks about compliance with federal law 1.1.5 dated 21.07.14 and sounds quite important. Maxim clicks on it. He reads it, closes it and continues his ordinary working day. A few months later, Maxim is sitting in a meeting, and his boss looks upset.

Some of the bank's ATMs have started spitting out banknotes at completely random times of day. It seems that whoever was lucky enough to show up at the right time could simply take the money. Perhaps the bank has been the victim of a cyber attack. Employees should be careful and avoid suspicious emails. Email, meetings, stress, colossal hacks: for many, it's the same story every day.

What do you do if you want to drop everything and build something of your own? For this, I can show you a new-level place where you can get information on your business or learn something from scratch. There is a Telegram channel where more than 10 thousand paid courses are collected, in more than 200 categories. You no longer need to pay crazy money for courses directly to the authors. Literally half the Internet is available there: earning with neural networks, sales funnels, advertising setup, Avito, p2p, programming languages, game development, earning on Telegram, editing, Photoshop, marketing and much more.

Courses worth more than 200 thousand dollars have been collected, some of which cost 100 thousand rubles. No "successful success" or marathon of desires, only specialized, proper courses. I personally use this database and am incredibly happy with it. You will find a link to the site for access in the description.

The bank hired Kaspersky Lab to study their problem.

This is Jornt van der Wiel; he was part of the team that worked on this case. He checked the hard drives of the hacked ATMs for malware and found nothing. No suspicious activity, no traces to follow. A few months later, van der Wiel gets a call at 3 am. It's a customer service manager working for a large Russian bank. He says that van der Wiel and his team need to urgently call their IT specialist.

A few minutes later, a colleague from Kaspersky Lab shows up at the bank in Russia. The bank's IT specialist is in a panic: someone has taken control of the domain controller, the heart of their server network. If you control the domain controller in a Windows environment, you essentially control everything. For no good reason, it is sending data to China. The Kaspersky specialist immediately starts looking for malware.

He ends up finding a program that lets someone monitor the computer and control it remotely. Could it be that the attacker is watching him right now? He gets an idea. He opens a Word document and types the word "hello". They wait a few minutes. Nothing happens. Then suddenly the cursor moves and letters appear. The hacker has responded. He adds, "You won't catch us."

To which the Kaspersky employee replies, "We will catch you." "No, you won't catch us." It will take some time, but eventually the Kaspersky team will identify the malware. It is similar to the Carberp Trojan, and one of the malware's configuration files is called anunak, so the team decides to call it Carbanak.

This incident at the Russian bank gave van der Wiel and his colleagues a clue about what was going on, and they linked it all to the hacked ATMs. Now they can reconstruct how the Carbanak hackers operate, so let's rewind. It's the same Carbanak hacker again. April 8, 2014. He has already gained access to Sergey's email, but he needs access to Maxim's computer, so he sends out the email with the attachment.

The Word file uses a vulnerability in Microsoft Word to download malware containing a backdoor. The hacker now has remote access to Maxim's computer. The next step is to gain access to the entire network, and he knows exactly how to do that. The hacker installs a program on the computer that slows down the PC, which in turn annoys Maxim, so he calls the company's IT support to come and check everything.

By the time the IT specialist arrives, the hacker has already installed a keylogger, so he can see everything typed on Maxim's keyboard. The IT specialist starts investigating. To do this, he enters the administrator password. Bingo: the hacker now has the administrator password. He tries it on the domain controller, and the password is exactly the same. Now he can go looking for the computer on this network that manages the money transfers and ATMs.

But he doesn't attack right away. Instead, for several months, he silently watches the employees who manage the transactions. Only when he fully understands the process does he begin to steal the money. The Carbanak group has developed three different methods. One is to transfer money from so-called transaction-management accounts to their own accounts. To avoid suspicion, they increase the account balance by the stolen amount in advance, so the total appears unchanged.

Since the banks only check these accounts every 10 hours, the transfers go unnoticed. Another method is to take control of certain ATMs and make them dispense cash. The banknotes end up in the hands of money mules: people hired by the Moldovan mafia who collect the money and send it to their bosses in exchange for a small cut.

The third method is the most sophisticated. The hackers open several bank accounts, with debit cards, in the names of their money mules. Then they make sure they all hold the same small amount, say $3.33. Then they update the bank's database, replacing that $3.33 with $1 million. Suddenly, all the money mules have a million dollars in their bank accounts, and they just use their debit cards to withdraw the cash.

As a side effect of the database update, some of the bank's ordinary customers suddenly become millionaires. The more Kaspersky's team understands the Carbanak group's methods, the more they realize how sophisticated this operation is. Kaspersky joins forces with Europol, major European banks, and various national law enforcement agencies to track down Carbanak.
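The two database-side methods above (inflating a balance ahead of a transfer, and rewriting a $3.33 balance to $1 million) share one weakness from a defender's point of view: the stored balance no longer agrees with the posted transactions. The following Python script is an added example, not code from the original post or from Kaspersky; it reconciles each account's stored balance against its opening balance plus the transaction journal, and separately flags balances that have grown by an implausible factor. All account numbers, balances and journal entries in it are constructed for the demonstration.

```python
"""Ledger reconciliation check: added example, not code from the post or from Kaspersky.

A direct edit of an account's stored balance leaves no matching entry in the
transaction journal. Recomputing every balance from the journal and comparing
it with the stored value exposes that gap; a second, heuristic check flags
balances that grew by an implausible factor even if a journal entry was forged.
All data below is constructed for the demonstration.
"""
from collections import defaultdict
from decimal import Decimal

# Constructed sample: balances as currently stored in the core banking database.
STORED_BALANCES = {
    "ACC-1001": Decimal("1520.40"),     # ordinary customer, untouched
    "ACC-1002": Decimal("1000000.00"),  # mule card: 3.33 edited to 1,000,000
    "ACC-1003": Decimal("1000000.00"),  # mule card: 3.33 edited to 1,000,000
    "ACC-1004": Decimal("1000000.00"),  # mule card: same edit, plus a forged journal entry
    "ACC-2001": Decimal("250000.00"),   # transaction-management account, untouched
}

# Constructed sample: balances recorded at the start of the reconciliation window.
OPENING_BALANCES = {
    "ACC-1001": Decimal("1400.40"),
    "ACC-1002": Decimal("3.33"),
    "ACC-1003": Decimal("3.33"),
    "ACC-1004": Decimal("3.33"),
    "ACC-2001": Decimal("250000.00"),
}

# Constructed sample journal: (account, signed amount) for the same window.
JOURNAL = [
    ("ACC-1001", Decimal("150.00")),     # legitimate deposit
    ("ACC-1001", Decimal("-30.00")),     # legitimate card payment
    ("ACC-1004", Decimal("999996.67")),  # forged entry covering the edit
]


def expected_balances(opening, journal):
    """Recompute each account's balance as opening balance plus journal entries."""
    expected = defaultdict(Decimal, opening)
    for account, amount in journal:
        expected[account] += amount
    return dict(expected)


def reconcile(stored, opening, journal, scale_limit=Decimal("1000")):
    """Return {account: reason} for every account that fails a check.

    'unexplained': the stored balance differs from opening + journal, i.e. the
                   balance was changed without a posted transaction.
    'scale':       the stored balance exceeds scale_limit times the opening
                   balance; catches the 3.33 -> 1,000,000 pattern even when a
                   forged journal entry makes the arithmetic add up.
    """
    expected = expected_balances(opening, journal)
    findings = {}
    for account, balance in stored.items():
        if balance != expected.get(account):
            findings[account] = "unexplained"
            continue
        base = opening.get(account, Decimal("0"))
        if base > 0 and balance > base * scale_limit:
            findings[account] = "scale"
    return findings


if __name__ == "__main__":
    for account, reason in sorted(reconcile(STORED_BALANCES, OPENING_BALANCES, JOURNAL).items()):
        print(f"{account}: {reason}")
```

Running such a reconciliation continuously, rather than once every 10 hours as the post describes, shrinks the window in which an edited balance can be cashed out. The scale check is a heuristic whose threshold an institution would tune to its own customer base; it exists because an attacker with write access to the database can forge the journal too, and a second, independent signal is then needed.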

They manage to disable some of the group's servers, but the hackers start using other tools and continue to operate undetected. By early 2015, Carbanak has robbed at least 100 financial institutions in nearly 30 countries. Most of the victims are in Russia, but there are also victims in the US, China, and Europe.

Over the course of two years, they have stolen approximately $1 billion, and it seems they can’t be stopped unless someone screws up.

Chapter II. Bobby Hides His Money.
In July 2016, Carbanak attacks the so-called First Bank in Taipei, but Taiwanese police quickly begin their pursuit. There are 22 money mules, most of them Russian, the rest from Eastern Europe. 19 of them successfully escape from Taiwan, but three remain in the country with the money. Their faces are all over the media. To escape, they need to get rid of the money somehow. One of them hides two duffel bags with some of the money in a park, then flees to Yilan County and hides there. He is caught and leads the police to the duffel bags, but instead of two, only one is left.

An elderly man finds one of the bags and takes it home. The police find the second bag and look for other money mules. A man named Bobby hides the remaining money in two suitcases and puts them in two lockers at Taipei Central Station. Soon, two more men from Eastern Europe arrive in Taiwan and take the suitcases from the station.

They go to a hotel to have lunch. As they sit down at the table, they are caught by the police. In their hotel room, law enforcement finds banknotes worth about one and a half million US dollars.

Taiwanese police managed to recover 90% of the stolen money. The three money mules were sentenced to just over 4 years in prison. These guys are just flunkies, but on the phone of one of them, Taiwanese police found photos of stacks of money in different currencies. They also found emails from the alleged head of Carbanak.

Europol, the FBI, cybersecurity companies and government officials from different countries worked tirelessly to find the head of Carbanak. But they did not know that he was hiding out and living in luxury.

Chapter III. The Fall of a Genius.
March 6, 2018. This is Denis, he is Ukrainian, but now lives with his wife and son in Alicante, Spain.

He is a rather private person; he hardly leaves his house now. As usual, he is developing new malware. Denis is one of the best in his field, and he is very good at keeping a low profile. He keeps most of his money in Bitcoin. In 2018, his fortune was estimated at 15 thousand Bitcoin, which was about 162 million dollars at the time. Today it would be more than a billion, but there are things that Bitcoin can't buy.

Few sellers of cars or houses are willing to accept cryptocurrency, so real money has to be used for such purchases, which leaves traces, and that is what alerts the police. They start following the money and eventually realize who he is. When they arrive, his laptop is still on and unlocked.

The forensics team immediately begins collecting evidence. The authorities confiscate two BMWs, jewelry worth half a million dollars and, of course, his Bitcoin. But the vast majority of the stolen billion dollars remains missing to this day. Denis K. may have been the mastermind behind the Carbanak operation, but he certainly wasn't working alone.

Three Ukrainians were arrested in late 2018 for allegedly being involved.

Conclusion
The Carbanak malware is still around today. The hackers who use it go by various names: Fin7, Joker Stash, Carbone, and Cobalt Spider. Experts suspect that these Russian hackers were given free rein by the Russian government to cause trouble in the Western world.

Maxim's bank lost millions. As we now know, it could easily have been avoided. The Carbanak group exploited a Microsoft Word vulnerability that had been patched three years earlier, but Maxim was too distracted to install the Windows update. So, don't forget to update your systems. It could save you and your employer a few million.