Russian hacker Denis Tokarenko in Spanish court: jail and fine

The National Judicial Board of Spain has sentenced Russian hacker Denis Tokarenko to four years and six months in prison. This is stated in the court's decision, which was distributed on Friday.

According to the decision, the convict "created a malicious program with which he infected the computers of banking institutions in different countries of the world from his home in Alicante, which allowed him to remotely control ATMs in order to extract money and thus receive almost €5 million."

The court clarified that Denis Tokarenko received three years in prison for computer fraud, another six months for participating in the activities of a criminal group, falsifying official documents and money laundering. In addition, the convict was fined €6 million. His girlfriend, a citizen of Ukraine Yulia Glushenkova, received six months in prison and a 300 thousand euro fine for money laundering.

As the judicial board explained, the trial began after notification from the Belgian authorities about the existence of a criminal organization that engaged in fraud in different countries. Investigators found that members of the group sent emails to bank employees, posing as companies with which the institutions worked. After a bank employee opened the email, the malware infected the bank's computer system, which allowed fraudsters to "manage bank accounts and ATMs remotely."

The court added that Tokarenko was able to infect the Bank of Taiwan with the program in 2016. Members of the group withdrew cash from ATMs of the institution in the amount of more than $2.6 million. However, Taiwan's law enforcement agencies managed to arrest two people and recover almost all the funds. According to investigators, Tokarenko is also involved in similar fraud against banks in Azerbaijan, Belarus, Kazakhstan and Romania.

The decision of the judicial board of Spain specifies that Tokarenko acted from Spain and had three accomplices who were located outside the kingdom. The scammers divided the received funds among themselves, and part of the money was also used to pay for the work of third parties.

+++

Katana from Alicante. How to solve the biggest digital heist in history

From the outside, it may seem that "Russian hackers" is about politics, and not about money. In fact, everything is different. Just one Russian hacker group has learned how to break into banking systems so that it can withdraw $12 million a day from banks. Since 2013, the criminals have attacked more than 100 banks in 40 countries, including the USA, Russia, Germany and Ukraine. In total, during their existence, they stole $1.2 billion, and this is the "largest digital robbery" in history. We tell you how the "Russian hackers" were tracked down, and why the crimes continue even after the gang leader was detained.

How Carbanak worked

These hackers just wanted money, and as much as possible, writes Bloomberg Businessweek. The alleged leader of Carbanak, Denis Tokarenko, moved from Russia to Alicante in Spain in 2015 and changed his last name to Catana. In March, he was arrested by the Spanish police, but it seems that it was too late: Carbanak had already spawned many improved clones, including one widely known name, the Cobalt group created by Tokarenko himself. Just at the end of May, cybersecurity experts warned about new attacks by Cobalt hackers on banks in Russia and the CIS.

Carbanak became known in 2013-2014, when the heads of one of the Ukrainian banks contacted Kaspersky Lab, saying that money had begun to disappear from their accounts. The bank's cameras recorded people withdrawing money from ATMs without inserting cards or entering a PIN code. At first, the Lab thought they were just ordinary thieves hacking into specific ATMs, but what they found turned out to be a completely different phenomenon, recalls David Emm, the company's chief cybersecurity researcher.

It all started with phishing emails, disguised as official correspondence, sent to employees of the victim bank. As a rule, a Microsoft Word document was attached to the emails, and when it was opened, malicious code was downloaded to the computer. The code spread through the internal banking network, infected ATM servers and controllers, and transmitted information to the hackers' third-party servers. Moreover, the criminals took control of the web cameras of the banks' corporate computers, took screenshots and recorded keystrokes.

Hacking one bank took 2-4 months: the hackers were looking for employees with the authority to manage cash flows between accounts, different lenders and ATMs. They also found out how and at what point the bank redirected money. All this was necessary so as not to attract the attention of security personnel later. At the right moment, the criminals used the verification codes of bank employees to conduct transactions that looked completely legal.

Thus, money was withdrawn from ATMs without entering a card or PIN code and taken away by accomplices, the "money mules". "Carbanak was the first person we saw to use such innovative methods to break into the networks of large financial institutions," says James Chappell, co-founder of Digital Shadows, which advises major European banks on cybersecurity issues.

Global investigation

Bloomberg spoke with the police and cybersecurity experts who handled the case, and explains how the perpetrators were eventually tracked down.

By the fall of 2014, the European authorities realized that in the case of these attacks, they were dealing with something very powerful and completely new. The head of the European Banking Federation's cybersecurity group, Keith Gross, called an urgent meeting with experts from Citigroup, Deutsche Bank and other major European banking organizations. Experts from Kaspersky Lab told the audience about what they found out in Ukraine. "I've never seen something like this before. This is a well-organized virus attack, very complex and global," recalls Trols Orting, who at that time was head of the cybersecurity department of the European Police. Europol also began to act globally: the law enforcement agencies of Moldova, Belarus, Romania, Spain, Taiwan and, of course, the United States were brought in.

Investigators created a special information exchange center where they could compare data and find links between thefts, recalls Fernando Ruiz, who is now responsible for cybersecurity at Europol. The center's work was based on a laboratory where specialists examined malware code samples obtained after the Carbanak attacks. By identifying individual characteristics of the code, detectives could track where the software came from and who used it. The investigation led them to Tokarenko's apartment in Alicante, and the Spanish police began to monitor him.

Ordinary migrant

At first glance, Tokarenko looked like an ordinary migrant building a new life in the West. In 2013, he received Ukrainian citizenship and changed his last name to Catana, and then moved to Alicante. The thin, short man lived with his Ukrainian wife and son, but he didn't look like he was trying to fit in — he didn't learn Spanish or go to the famous San Juan Beach in Alicante. He was much more active online, often spending the entire night on his laptop.

Investigators gradually began to reconstruct the picture of how Tokarenko-Katana and three accomplices introduced Carbanak into banks: one sent phishing emails, the second was a database expert, and the third "cleaned up digital traces" of crimes. Katana also dealt with the most important and complex issue: he conducted intelligence in banking systems and "shuffled" cash flows within the network. "This guy is in a different league, he's like Rafael Nadal in tennis. Few people in the world are capable of doing what he did," says Carlos Yust, head of the cybercrime division of the Spanish National Police.

But as soon as the police began to make progress, the group "opened a second front": through the same phishing emails, they began to inject Cobalt malware into banking systems — a virus based on the Cobalt Strike program, which cybersecurity specialists use to hack their own systems in search of vulnerabilities. With the help of two viruses, the group could withdraw $12 million at a time from banks. The quickness of the criminals was sobering: "Sometimes the investigation seemed to be going well, and sometimes it seemed that we were at a dead end," recalls Fernando Ruiz.

Captured mules

The criminals were let down by the most obvious vulnerability: people. In 2016, the police managed to catch "money mules" in Taiwan who took money from ATMs, after one of them lost his credit card at the ATM. On the iPhone of one of the accomplices, in addition to numerous photos of cash, there was electronic correspondence with the person who managed the operation. All these tracks led to Alicante.

Investigators say that even after the "mules" were caught, Katana did not stop. In early 2017, after he took control of bank accounts in Russia and Kazakhstan, about $4 million was withdrawn from ATMs in Madrid. It was a mistake: Yust was able to get approval to tap Katana's phones. Investigators were convinced that the hacker was no longer interested in money: he laundered huge sums through cryptocurrencies and built a mansion in Alicante. He just liked hacking into bank security systems.

The wiretapping paid off: earlier this year, the police found out that Katana and his accomplices were going to release a more modern version of Carbanak. Russian law enforcement officers really did not like that the Spaniards just watched Katana for two years; during this time, 1 billion rubles were stolen from Russian banks with the help of Cobalt. On March 6, more than a dozen armed police officers finally broke into Katana's apartment. They confiscated the laptop and other evidence. In addition to jewelry and two BMWs in Katana's name, the police found 15 thousand bitcoins, about $162 million at the exchange rate at that time.

+++

In Spain, an investigation has been completed into the case of hacker Denis Tokarenko, better known as Denis Catana, who is accused of helping launder funds of a Russian organized criminal group through bitcoin. This is reported by local media.

According to the case file, the criminal syndicate operated in the southeastern Spanish province of Alicante. One of its members, Maxim Khakimov, recruited Katana to advise them on buying bitcoins and ways to hide illegal income.

The hacker recommended the use of digital assets due to the "lack of state control," the court was told.

Denis Katana was born in Ukraine and has lived in Spain since 2014.

He was first detained in 2018 on charges of infecting ATMs around the world with malware for automatic cash withdrawal. Money was collected locally by "mules" who laundered it, including through bitcoins.

Even then, Katana was familiar with Khakimov, who, through his lawyer, transferred funds to the cybercriminal behind bars, and also offered to hire killers to deal with his debts.

In total, more than 15,000 BTC are stored on Katana's cryptocurrency wallets. However, the judge mentioned only one of them with a balance of 5,000 BTC (~€55 million at the time of the criminal operations).
 