BadB
Professional
In this topic, you will learn how one person was able to control banking systems in dozens of countries, make ATMs dispense cash without a card and steal more than a billion dollars.
This is not fiction, but a real story of a hacker nicknamed Katana and the Carbanak group, which terrified the financial world.
Who is he, how did they act - we will find out today.
Imagine a warm summer evening: you stayed late at work and are already on your way home. You decide to stop at an ATM on the way to withdraw some bills. You take out your card and are about to withdraw cash, when suddenly the ATM shows a blue error window, and thousands of dollars fly out of it in a wave right onto the floor and scatter around you, and you stand there not understanding at all what is happening. You ask yourself the most important question: what do you do now?
Grab and run, call the police or silently go in search of another ATM. But what's more, at this very moment, such money fountains are happening in dozens of other ATMs across the country. And the people involved, covering their faces with masks and caps, fill their bags with wads of bills, and then quickly leave, hiding from surveillance cameras. And what's said above is not an excerpt from some blockbuster of the 2000s, it's a description of real events that took place between 2014 and 2016 in Taipei, the capital of Taiwan, and other cities around the world.
During this time, more than 100 banks in 30 countries were attacked, and the amount of stolen funds amounted to more than $1 billion. In this episode, you will learn about the largest and most significant hacker attack, due to which banks suffered losses of billions of dollars. I will tell you how the hacking took place, how the criminals acted, and what law enforcement agencies had to do to expose this criminal group.
And most importantly, you will find out who is behind it. And believe me, this will definitely surprise you. So watch this video to the end and write your comments if you have heard about this story before. And also subscribe to my telegram channel, there are more interesting stories and exclusive content. Well, now let's go! Let's go back to the events that took place in the summer of 2016.
This period became a real disaster for many banks. It is unknown how the criminals hacked the First Bank system, which allowed them to disable many ATMs and dispense huge amounts of cash without cards or any direct manipulation of the banking equipment. This had already happened in many cities in Europe, America and Asia, and every time the criminals were never found. Nor was this the first case of a hacker attack on Taiwanese banks.
So law enforcement agencies expected a repeat of the events. And for good reason. On the night of July 11, several dozen ATMs in Taiwan malfunctioned. At the same time, they all began to dispense all the bills they had. The criminals were already there, wearing masks and caps. And as soon as the money rained down on them, the men began to collect the bills, put them in their bags and fled.
That night, 83.5 million Taiwan dollars were stolen from 41 ATMs in 22 branches. Taiwan dollars, that is; it's about 2.5 million US dollars. As soon as the bank received a signal about another ATM hack and theft of money, all law enforcement agencies immediately began searching for the criminals. This operation differed from others in its quick response and scale.
More than five hundred police officers were involved; they studied the surveillance footage, reconstructed the suspects' routes and tracked down the group, which consisted of 22 people. Most of the participants were from Eastern Europe, including Latvia, Estonia, Romania, Moldova, Russia, Belarus, France and Australia. Immediately after the robbery, most of the participants in the crime, namely 19 people, quickly managed to leave the country.
The remaining three were closely watched. The thing is that the police understood very well that these people were the so-called drops, roughly speaking, pawns who took on all the dirty work, while the organizers of the crime could be anywhere in the world. Noticing that he was being followed, one of the suspects decided to get rid of the money and went for a walk in the park, as if by accident, dropped a bag there, completely stuffed with bills.
And, interestingly, the bag immediately disappeared. Where it disappeared to is unknown, perhaps it was picked up by a random passerby or it was a specially planned transfer of money. This fact was never clarified. Another suspect tried to hide two sports bags filled with money in Dungu Park, but the police were on his trail. When he was detained, he confessed where he left the money, but only one bag was found in the place he indicated.
But where did the second one disappear to? Later it turned out that it was accidentally found by an old man passing by, who decided that this money was a gift from the gods, and took this bag home. Well, why not? What would you do in this case? I doubt that you would immediately go to the police and say, "Oh, damn, I found a bag of money, and this is for you, comrade policemen." But, unfortunately, the plan for a rich old age with Blackjack and Corvalol had to be canceled.
The police confiscated the bag filled with millions and reprimanded the old man for not reporting it to the police. The third suspect was even more cunning. He had previously agreed with the other participants in the robbery to whom he was supposed to hand over the money and hid it at the Taipei Central Station, leaving it in the storage lockers. But this plan did not work, the police put the bag and the money under surveillance. And when two men from Eastern Europe arrived for the bag, the police recorded all their actions and followed their tracks.
Having taken the bag with the money, the two men went to their hotel and calmly sat down to breakfast at a local restaurant, not suspecting that they would immediately be cornered. The guys were on their way to success, but it didn’t work out, they were out of luck. This saying has never been more appropriate. The operation to catch the criminals was quite successful. During a search of the suspects’ hotel room, the police found a large sum of cash – about one and a half million dollars.
Overall, the bank got back about 90% of the stolen money, but the remaining 10%, which is about 250 thousand dollars, disappeared without a trace. In total, the police managed to get back most of the money, and the detainees were charged with fraud, cybercrime and money laundering, for which the prosecutor's office demanded a 20-year prison term. But the court handed down a sentence much more lenient than expected - 12 years in prison each.
And now, it would seem that the investigation is coming to an end, but one key question remains - who was the organizer of this large-scale scheme, who controlled the actions of the mules, who ensured their communication with the hackers who broke into the bank's system? Unfortunately, there were no answers to these questions, and it seemed that the investigation had reached a dead end. Until the police got their hands on the phone of one of the detainees. And this was the beginning of a new, much more exciting chapter of the investigation.
The phone contained photographs: stacks of money in different currencies, plane tickets, tags, geodata, card numbers. In general, everything that confirmed the phone owner's involvement in other hacker attacks around the world. And on top of all this, clear instructions transmitted directly from the leader of one of the most famous and dangerous hacker groups, Carbanak, which also involved other famous groups, namely Carbon, Cobalt Spider, Joker's Stash and FIN7.
A little information about the hacker groups that I have just listed. Their traces could be found all over the world, and they terrified the largest corporations. And now I will tell you how exactly these hacker groups made the digital world shudder. Carbon is a group of hackers who made their way into banking networks with surgical precision. Their attacks were not noisy or chaotic.
They entered carefully and patiently. For months, and sometimes even years, they studied the internal systems of banks. Imagine a situation, you are a bank employee, you log in to the system to check the balance of clients. Well, at this moment, someone has already replaced the data, someone is managing transactions, withdrawing millions of dollars and all this is unnoticed by the security system.
Unlike Carbon, Cobalt Spider used phishing letters, sending them to employees of large financial firms, stealing their data, writing off money, and then disappearing, leaving no trace behind.
The third hacker group, Joker's Stash, were the real kings of the Darknet. Under this pseudonym hid the creator of the largest underground market of stolen bank cards. Data stolen from millions of people was sold in thousands of lots, and buyers, cybercriminals from all over the world, paid in cryptocurrency in order to later cash out other people's money.
One of the most high-profile Joker's Stash cases was the theft of data from 5 million customer cards in the Marriott hotel chain. It was a blow from which the company took several years to recover. At the same time, Joker's Stash was impossible to catch or track. But the most professional group was FIN7. These are not just hackers, this is an entire corporation of the criminal world. They worked as a real IT company, with offices, salaries, departments and even HR managers.
New employees were recruited under the guise of programmers, and they did not even suspect that they were working for cybercriminals. The thing is that each employee was a small cog who simply did his monotonous work. But if you put it all together, you get a real hacker organization of the largest scale in the history of mankind. They sent infected letters, created computer viruses, hacked networks of restaurants, hotels, airlines.
Their target was bank card data, and after the attack, tens of thousands of clients discovered that their accounts were empty. And all because they once entered their bank details on the website of one of the hotels or carriers. It would seem like a common thing, but such dangers can await us all. These hacker groups are not just guys in glasses and hoodies, sitting at laptops in dark rooms. These are real criminal syndicates that can destroy the financial systems of states.
Carbanak, unlike the above-mentioned groups, was distinguished by the fact that it did not just steal money, but completely took control of banking networks, turning the banks themselves into a tool for theft. They infiltrated systems, gained access to internal servers and remotely managed finances, as if they were sitting at the employees' workstations. They could change balances, transfer millions and even force ATMs to dispense money at the right time and in the right place.
But where did it all start? Let's go back to the very beginning. And it all started at the end of 2013, where do you think? In Kiev. One of the ATMs in the capital of Ukraine suddenly started behaving very strangely. At random times of the day, it simply gave out money. No one inserted a card, no one pressed buttons, just suddenly a huge amount of money started flying out of the ATM.
People passing by cannot believe their luck: cash just falls out, almost into your pocket. This is immediately reported to the bank's security service and, of course, they do not find it funny. The first theory is tampering with the equipment. Maybe the ATM was kicked, shaken or turned over? They check the ATM itself, but it is absolutely intact. Then the system and equipment settings are checked, but, again, no failures are found.
Everything works fine. And although at that moment it seemed that this was just an isolated incident that would not happen again, the management still decided that they needed to seek help from cybersecurity specialists and invited the best specialists from the Kaspersky Lab team. The hired specialist, his name is not disclosed, so let's imagine that his name was Alex, comes to Kiev and conducts monitoring. At first, neither he nor his team notices anything unusual.
It seems that there is nothing suspicious and everything works as always. Having checked all the databases, Alex informs the bank's board that everything is clean, but continues to monitor the system, still trying to find the very error that caused the ATM to work. A few months later, in the middle of the night, Alex receives a call from a colleague on his personal number. Another specialist from Kaspersky Lab is in one of the largest banks in Russia, where suspicious things are also happening.
Disappearance of money, accounts, faulty ATMs and transfers that no one has ever made. Alex's colleague discovered that someone had gained control over the bank's domain controller, which is literally the center of the entire server network. I'll explain it in plain language for those who aren't aware of all these nuances. If you have access to the domain controller, you can automatically control the entire system. The entire system.
Literally. I don't think I need to explain what this means on the scale of a huge banking network. Then Alex and his colleague start checking everything again to understand how control is achieved, and eventually he finds an installed program that allows remote monitoring of the computer and direct control over it. This means that everything you do and everything you see on the monitor is seen by someone else, be it a password, correspondence with a colleague, or browsing social networks for personal interests on a work computer.
Then Alex decided to test one theory. He opens a Word document and writes one word: "Hello". And guess what happened next. The cursor started moving by itself, and in response to his hello, Alex read "You won't catch us". A bold statement, nothing to say. So, the theory was confirmed: the virus itself was similar to a Trojan grabber, and one of its configuration files was called Anunak.
And yes, guys, if I pronounce some names incorrectly, then don't be too angry, because I'm not some kind of hacker. Of course, I try to check all the names, but you understand that there may be mistakes. Oh well, let's continue. So, Alex and his colleagues named the virus "Carbanak". It turns out that the problem of money flying out was not in the ATM. The entire banking system was infected with this virus. But not a simple one. This virus allowed cybercriminals to monitor absolutely all bank employees and their actions for literally months.
They recorded screens, recorded every keystroke, studied the employees’ behavior, watched how the bank made transfers, how it checked transactions, how the accounting department worked in general. And they even checked the employees’ personal correspondence on their work computers. What bastards. And when they figured everything out down to the smallest detail, they started acting.
The fraudsters forged transfers, withdrew money through fictitious accounts, forced ATMs to issue cash at the right time. And not only in Ukraine or Russia. Money disappeared from the balance sheets of the largest banks in Japan, the USA, Switzerland, the Netherlands. Hundreds of financial institutions, millions of dollars, stolen practically out of thin air. But what’s surprising is that not a single bank officially acknowledged the hack, just silence. Ask why this happens?
Well, I think because admitting it means showing the whole world that their security systems are not so reliable, and they can lose customers. Meanwhile, the attacks continued. Europol, the FBI, and intelligence agencies from several countries began hunting the criminals, but were unable to find any leads. Kaspersky Lab experts called this operation one of the most complex in history. Unlike classic hacks, where hackers act crudely and quickly, these criminals worked patiently and quietly.
They did not break into a bank with weapons; they studied the system and became part of it. Everything looked like regular banking transactions. So, the hackers mainly used three methods. The first option is a quiet transfer of money. The hackers transferred money from special transaction accounts to their own. In order not to arouse suspicion, they increased the balance of these accounts in advance by the amount they were going to steal, simply changing the number, and then conducted the transaction.
Thus, the overall balance of the bank does not change and nothing looks out of place, because at that time banks checked accounts approximately every 10 hours. I have already told you about the second type of hacking: the gushing ATMs. To achieve this, hackers gained remote control over certain ATMs and forced them to dispense cash at the right time.
Naturally, the cash was taken by intermediaries, that is, drops. They sent the money to the bosses and kept a small percentage for themselves, which in fact amounted to tens of thousands of dollars. In addition, there was a third way of stealing money, to my mind the most difficult: manipulation of the database. To pull off this trick, hackers opened fake bank accounts and issued debit cards for them with a balance of a couple of bucks. Then they updated the database, replacing a few dollars with a million-dollar balance.
Sometimes, of course, there were failures or errors. So a money fountain could occur in a random ATM near a grandmother withdrawing her pension. Or the balance of a person who has absolutely nothing to do with hackers increased by a couple of zeros. It's just fantastic, how cool is that. Someone was lucky, just imagine.
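Here is an added example (my own illustration, not code from the post or from any bank) of why the "inflate the number, then transfer it out" trick and the fake-account trick both survive a coarse total-balance check but not a per-account reconciliation against the transaction journal. All accounts, amounts and journal entries are constructed.

```python
# Added example, not from the original post: per-account reconciliation of stored
# balances against the transaction journal. All accounts, amounts and journal
# entries below are constructed for illustration.
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Txn:
    account: str
    amount: Decimal   # positive = credit, negative = debit
    ref: str          # constructed reference, e.g. a wire id


def totals_unchanged(before: dict, after: dict) -> bool:
    """The coarse check: is the bank's total balance the same in two snapshots?
    The 'inflate, then transfer out' trick is designed to pass exactly this."""
    return sum(before.values(), Decimal(0)) == sum(after.values(), Decimal(0))


def reconcile(before: dict, journal: list, after: dict) -> dict:
    """Per-account check: opening balance + journaled movements must equal the
    stored balance. Returns {account: unexplained_amount} for every mismatch;
    a positive value means money appeared without any journal entry."""
    expected = dict(before)
    for t in journal:
        expected[t.account] = expected.get(t.account, Decimal(0)) + t.amount
    findings = {}
    for acct in set(expected) | set(after):
        gap = after.get(acct, Decimal(0)) - expected.get(acct, Decimal(0))
        if gap != 0:
            findings[acct] = gap
    return findings


# Constructed snapshots taken ~10 hours apart (the audit interval named in the post).
SNAPSHOT_BEFORE = {"ACC-A": Decimal("1000"), "ACC-B": Decimal("5000")}

# Method 1 from the post: ACC-A's stored balance was bumped to 1,001,000 by a direct
# database write (no journal entry), then 1,000,000 was wired out as a normal transfer,
# so the stored balance ends where it started.
JOURNAL_QUIET = [Txn("ACC-A", Decimal("-1000000"), "WIRE-0001")]
SNAPSHOT_AFTER_QUIET = {"ACC-A": Decimal("1000"), "ACC-B": Decimal("5000")}

# Method 3 from the post: a freshly opened account with a few dollars whose stored
# balance is overwritten with a million, again with no journal entry.
SNAPSHOT_BEFORE_FAKE = {"ACC-C": Decimal("5")}
SNAPSHOT_AFTER_FAKE = {"ACC-C": Decimal("1000000")}


def main():
    print("totals unchanged (quiet transfer):",
          totals_unchanged(SNAPSHOT_BEFORE, SNAPSHOT_AFTER_QUIET))
    print("per-account findings (quiet transfer):",
          reconcile(SNAPSHOT_BEFORE, JOURNAL_QUIET, SNAPSHOT_AFTER_QUIET))
    print("per-account findings (fake account):",
          reconcile(SNAPSHOT_BEFORE_FAKE, [], SNAPSHOT_AFTER_FAKE))


if __name__ == "__main__":
    main()
```

The quiet transfer leaves the bank total untouched, so `totals_unchanged` reports nothing, while `reconcile` flags the full million on ACC-A because the journal cannot explain where it came from.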
But now you will probably ask yourself the main question: how exactly did this virus penetrate the company's software, how was it even possible? And yes, of course, we all know about spam letters, but directors of large banks and people who have high-level access do not open letters from no-names, do not download attachments, and in general have maximum protection and limited access; all this does not even reach them. So how did it happen? Everything was done according to a completely simple and logical chain.
First, the bank's support service received a call in which a "client" complained about poor Internet banking or a problem with a product or service. Fumbling for words, such "clients" could not explain the cause of the error and offered to send a screenshot or document with the error by email. And here the most interesting thing began. The support team, naturally, accepted the request and opened the letter in the hope of solving the client's problem. But the letter was already infected, and the employee's computer could now be used.
What can be done with the very limited access of a call center employee? Well, for example, write a letter to someone of a higher rank, say your boss or the IT support staff, through whom you can also reach a manager's level, and therefore a higher level of access and responsibility. Such a letter could contain anything at all, for example, a request to familiarize yourself with a new resolution of the National Bank.
So, the hackers pushed the employees to download and run the malware until they had raised their access level to one from which it was possible to penetrate the very heart of banking operations and collect customer data. Then one of these letters got to one of the top managers of the bank. He opened it, found nothing interesting and went about his most ordinary duties. At this point, the hacker installed a malicious program on the PC that made the machine lag and work much slower than usual.
This, naturally, interferes with work, and the manager calls an IT specialist to figure out what the problem is. The IT specialist connects to the employee's computer and enters the administrator password, which is immediately read by the hacker, and voila. He tries it on the domain controller and it works. Now the hacker can find the computer that manages money transfers and ATMs. Access is open, and all the internal processes of the banking system can be studied in detail.
Carbanak used this scheme in all the banks it hacked. According to the Kaspersky Lab report, more than 100 banks and other financial institutions in 30 countries suffered, with a total loss of more than $1 billion. It seems to be one of the largest bank thefts in history. The attackers carefully studied the work of each bank and simultaneously opened fake accounts in the US and China to receive transfers.
By the way, both banks refused to comment on this situation. Well, now we will return to the events that took place in the summer of 2016 in Taiwan, when the police found photos of huge bundles of money and letters from the alleged leader of Carbanak on the phone of one of the arrested mules. The largest international agencies, such as Interpol, the FBI, and leading cybersecurity companies and intelligence agencies of several countries, immediately joined the investigation.
They all worked around the clock. They analyzed correspondence, tracked financial flows, studied the movements of suspects, trying to find the organizer. The participants of the criminal scheme, namely the organizers, programmers, couriers, money launderers and victims were located in different countries, which complicated the investigation. In order to find out where the organizer of the group might be, the special services began to track technical traces.
Using the correspondence found, surveillance began. Each login to the system, each message left a digital imprint. The special services analyzed the IP addresses of the server through which the correspondence passed, checked whether the criminal had made any mistakes. If he had logged into the network without protection at least once, this could have been the key to the solution. But there was another way - money. Despite the fact that the scammers used cryptocurrency to transfer money, large purchases still had to be made with regular money.
Real estate, cars, luxury goods: all of this required banking operations. An online clearing house was also created, where researchers could cross-check data and find connections between bank hacks in different countries. Experts analyzed two dozen samples of malicious software found during Carbanak thefts. By identifying unique characteristics in the code, detectives were able to track where the programs came from and, possibly, who used them.
And so they came upon a trail that pointed to the main suspect. In Spain, there was a man who lived secretly, but owned expensive assets. Then the investigators decided not to rush, they put him under surveillance, cameras recorded that this man rarely left his house, and when he did, he preferred not to be seen. He was cautious, but the intelligence services were patient.
When his identity was confirmed and another large transfer was established after a hacker attack on one of the banks, the intelligence services began to act. In March 2018, the Spanish National Police, with the support of Europol, the FBI, and law enforcement agencies from Romania, Taiwan, and Belarus, detained the leader of the Carbanak hacker group. There was no mistake: the hacker turned out to be a 34-year-old native of Odessa named Denis Tokarenko, call sign Katana.
There was a switched-on laptop on the man's desk, and it was on it that the evidence was stored: the malicious code used for the attacks. The group's leader, along with his wife and son, lived in the Spanish town of Alicante. During the search, computer equipment, jewelry, documents, two expensive cars, and over 500 thousand euros were seized from him. In addition, multimillion-dollar accounts and two houses worth 1 million euros, as well as about 15 thousand bitcoins, were found.
Denis performed the most important and difficult task. He conducted reconnaissance of banking systems, and then shuffled money across the network, like an air traffic controller. Only he did it as professionally as possible. In a way, it's even genius. Katana and Hosea's lawyer Steva Villascusa declined to comment. Although Denis was considered the brains of the operation, he did not work alone. Carbanak consisted of between 10 and 30 people, and code analysis showed that similar malware was used by many other hacker groups.
In late 2018, three more Ukrainian suspects associated with Carbanak were arrested. And despite the arrests of some Carbanak members, the group continues to operate to this day. In November 2023, NCC Group specialists recorded the return of Carbanak with new distribution methods, including the use of compromised websites disguised as popular applications.
Additionally, last month, Microsoft analysts reported on FIN7 activity, linking it to the Cl0p ransomware. All of this suggests that Carbanak is not only remaining active, but also adapting, adopting new tactics and attack tools. In recent years, law enforcement agencies around the world have been actively pursuing members of cybercriminal groups. In 2020, the FBI arrested several key members of FIN7 responsible for hacking major financial companies.
In 2021, one of the leaders of Joker's Stash was arrested, but the Darknet market itself did not close until a year later. And in 2023, Spanish police arrested a hacker associated with Cobalt, and in the same year, a group operating under the Carbon brand was dismantled in Ukraine. This whole story has shown us how vulnerable even the most secure banking systems can be.
Hackers don't break locks anymore; they study human behavior, penetrate and become part of the system, and the methods they use continue to evolve. Perhaps right now somewhere in the world there is a new, even larger attack, which we will learn about only years later. By the way, have you heard about how recently a North Korean hacker hacked the crypto exchange Bybit and stole more than a billion dollars worth of ether, I think?
In short, if you are interested in knowing more about this, write in the comments, I will definitely write a topic about it. The main thing to take away from this topic is that one careless click can cost you millions of dollars. Be sure to write your comments, maybe some of you have been hacked.
Well, all the best. Bye-bye.
This is not fiction, but a real story of a hacker nicknamed Katana and the Carbanak group, which terrified the financial world.
Who is he, how did they act - we will find out today.
Imagine a warm summer evening, you were late at work and are already returning home. Deciding to go to an ATM on the way to withdraw some bills. You take out your card and are about to cash it. When suddenly the ATM shows a blue error window, and thousands of dollars fly out of it in a wave right onto the floor, scatter around you, and you stand there and do not understand at all what is happening now. You ask yourself the most important question, what to do at all?
Grab and run, call the police or silently go in search of another ATM. But what's more, at this very moment, such money fountains are happening in dozens of other ATMs across the country. And the people involved, covering their faces with masks and caps, fill their bags with wads of bills, and then quickly leave, hiding from surveillance cameras. And what's said above is not an excerpt from some blockbuster of the 2000s, it's a description of real events that took place between 2014 and 2016 in Taipei, the capital of Taiwan, and other cities around the world.
During this time, more than 100 banks in 30 countries were attacked, and the amount of stolen funds amounted to more than $1 billion. In this episode, you will learn about the largest and most significant hacker attack, due to which banks suffered losses of billions of dollars. I will tell you how the hacking took place, how the criminals acted, and what law enforcement agencies had to do to expose this criminal group.
And most importantly, you will find out who is behind it. And believe me, this will definitely surprise you. So watch this video to the end and write your comments if you have heard about this story before. And also subscribe to my telegram channel, there are more interesting stories and exclusive content. Well, now let's go! Let's go back to the events that took place in the summer of 2016.
This period became a real disaster for many banks. It is unknown how the criminals hacked the First Bank system, which allowed them to disable many ATMs and issue huge amounts of cash without cards or any manipulation of banking equipment directly. This has already happened in many cities in Europe, America and Asia, and all these times the criminals were never found. This was not the first case of hacker hacking in Taiwanese banks.
So law enforcement agencies expected a repeat of the events. And for good reason. On the night of July 11, several dozen ATMs in Taiwan malfunctioned. At the same time, they all began to dispense all the bills they had. The criminals were already there, wearing masks and caps. And as soon as the money rained down on them, the men began to collect the bills, put them in their bags and fled.
That night, 83.5 million Taiwan dollars were stolen from 41 ATMs in 22 NTS branches. Dollars. That's about 2.5 million US dollars. As soon as the bank received a signal about another ATM hack and theft of money, all law enforcement agencies immediately began searching for the criminals. This operation differed from others in its quick response and scale.
More than five hundred police officers were involved and they studied the surveillance footage, tracked the suspects' routes and tracked the group, which consisted of 22 people. Most of the participants were from Eastern Europe, including Latvia, Estonia, Romania, Moldova, Russia, Belarus, France and Australia. Immediately after the robbery, most of the participants in the crime, namely 19 people, quickly managed to leave the country.
The remaining three were closely watched. The thing is that the police understood very well that these people were the so-called drops, roughly speaking, pawns who took on all the dirty work, while the organizers of the crime could be anywhere in the world. Noticing that he was being followed, one of the suspects decided to get rid of the money and went for a walk in the park, as if by accident, dropped a bag there, completely stuffed with bills.
And, interestingly, the bag immediately disappeared. Where it disappeared to is unknown, perhaps it was picked up by a random passerby or it was a specially planned transfer of money. This fact was never clarified. Another suspect tried to hide two sports bags filled with money in Dungu Park, but the police were on his trail. When he was detained, he confessed where he left the money, but only one bag was found in the place he indicated.
But where did the second one disappear to? Later it turned out that it was accidentally found by an old man passing by, who decided that this money was a gift from the gods, and took this bag home. Well, why not? What would you do in this case? I doubt that you would immediately go to the police and say, "Oh, damn, I found a bag of money, and this is for you, comrade policemen." But, unfortunately, the plan for a rich old age with Blackjack and Corvalol had to be canceled.
The police confiscated the bag filled with millions and reprimanded the old man for not reporting it to the police. The third suspect was even more cunning. He had previously agreed with the other participants in the robbery to whom he was supposed to hand over the money and hid it at the Taipei Central Station, leaving it in the storage lockers. But this plan did not work, the police put the bag and the money under surveillance. And when two men from Eastern Europe arrived for the bag, the police recorded all their actions and followed their tracks.
Having taken the bag with the money, the two men went to their hotel and calmly sat down to breakfast at a local restaurant, not suspecting that they were about to be cornered. The guys were on their way to success, but it didn't work out, they were out of luck. This saying has never been more appropriate. The operation to catch the criminals was quite successful. During a search of the suspects' hotel room, the police found a large sum of cash, about one and a half million dollars.
Overall, the bank got back about 90% of the stolen money, but the remaining 10%, about 250 thousand dollars, disappeared without a trace. In total, the police managed to recover most of the money, and the detainees were charged with fraud, cybercrime and money laundering, for which the prosecutor's office demanded a 20-year prison term. But the court handed down a sentence much more lenient than expected: 12 years in prison each.
And now, it would seem that the investigation is coming to an end, but one key question remains - who was the organizer of this large-scale scheme, who controlled the actions of the mules, who ensured their communication with the hackers who broke into the bank's system? Unfortunately, there were no answers to these questions, and it seemed that the investigation had reached a dead end. Until the police got their hands on the phone of one of the detainees. And this was the beginning of a new, much more exciting chapter of the investigation.
The phone contained photographs of stacks of money in different currencies, plane tickets, luggage tags, geodata and card numbers. In short, everything that tied the phone's owner to other hacking crimes around the world. On top of all this, there were clear instructions sent directly from the leader of one of the most famous and dangerous hacker groups, Carbanak, which also worked with other well-known groups, namely Carbon, Cobalt Spider, Joker's Stash and FIN7.
A little information about the hacker groups that I have just listed. Their traces could be found all over the world, and they terrified the largest corporations. And now I will tell you how exactly these hacker groups made the digital world shudder. Carbon is a group of hackers who made their way into banking networks with surgical precision. Their attacks were not noisy or chaotic.
They entered carefully and patiently. For months, and sometimes even years, they studied the internal systems of banks. Imagine a situation: you are a bank employee, and you log in to the system to check clients' balances. At this very moment, someone has already replaced the data, someone is managing transactions and withdrawing millions of dollars, and all of this goes unnoticed by the security system.
Unlike Carbon, Cobalt Spider used phishing letters, sending them to employees of large financial firms, stealing their data, writing off money, and then disappearing, leaving no trace behind.
The third hacker group, Joker's Stash, was the real king of the darknet. Under this pseudonym hid the creator of the largest underground market for stolen bank cards. Data stolen from millions of people was sold in thousands of lots, and buyers, cybercriminals from all over the world, paid in cryptocurrency in order to later cash out other people's money.
One of the most high-profile Joker's Stash cases was the theft of data from 5 million customer cards in the Marriott hotel chain. It was a blow that took the company several years to recover from. At the same time, Joker's Stash was impossible to catch or track. But the most professional group was FIN7. These are not just hackers, this is an entire corporation of the criminal world. They worked as a real IT company, with offices, salaries, departments and even HR managers.
New employees were recruited under the guise of programmers, and they did not even suspect that they were working for cybercriminals. The thing is that each employee was a small cog who simply did his monotonous work. But if you put it all together, you get a real hacker organization of the largest scale in the history of mankind. They sent infected letters, created computer viruses, hacked networks of restaurants, hotels, airlines.
Their target was bank card data, and after the attack, tens of thousands of clients discovered that their accounts were empty. And all because they once entered their bank details on the website of one of the hotels or carriers. It would seem like a common thing, but such dangers can await us all. These hacker groups are not just guys in glasses and hoodies, sitting at laptops in dark rooms. These are real criminal syndicates that can destroy the financial systems of states.
Carbanak, unlike the above-mentioned groups, was distinguished by the fact that it did not just steal money, but completely took control of banking networks, turning the banks themselves into a tool for theft. They infiltrated systems, gained access to internal servers and remotely managed finances, as if they were sitting at the employees' workstations. They could change balances, transfer millions and even force ATMs to dispense money at the right time and in the right place.
But where did it all start? Let's go back to the very beginning. And it all started at the end of 2013, where do you think? In Kiev. One of the ATMs in the capital of Ukraine suddenly started behaving very strangely. At random times of the day, it simply gave out money. No one inserted a card, no one pressed buttons, just suddenly a huge amount of money started flying out of the ATM.
People passing by could not believe their luck: cash was falling out almost straight into their pockets. This was immediately reported to the bank's security service and, of course, they did not find it funny. The first theory was physical tampering with the equipment. Maybe the ATM had been kicked, shaken or turned over? They checked the ATM itself, but it was absolutely intact. Then the system and equipment settings were checked, but, again, no failures were found.
Everything worked fine. And although at that moment it seemed that this was just an isolated incident that would not happen again, the management still decided that they needed to seek help from cybersecurity specialists and invited the best specialists from the Kaspersky Lab team. The hired specialist's name is not disclosed, so let's imagine that his name was Alex. He comes to Kiev and starts monitoring. At first, neither he nor his team notices anything unusual.
It seems that there is nothing suspicious and everything works as always. Having checked all the databases, Alex informs the bank's board that everything is clean, but continues to monitor the system, still trying to find the very error that caused the ATM to work. A few months later, in the middle of the night, Alex receives a call from a colleague on his personal number. Another specialist from Kaspersky Lab is in one of the largest banks in Russia, where suspicious things are also happening.
Money disappearing from accounts, faulty ATMs and transfers that no one had ever made. Alex's colleague discovered that someone had gained control over the bank's domain controller, which is literally the center of the entire server network. I'll explain it in plain language for those who aren't aware of all these nuances. If you have access to the domain controller, you can automatically control the entire system. The entire system.
Literally. I don't think I need to explain what this means on the scale of a huge banking network. Then Alex and his colleague start checking everything again to understand how control was achieved, and eventually he finds an installed program that allows remote monitoring of the computer and direct control over it. This means that everything you do and everything you see on the monitor is seen by someone else, be it a password, correspondence with a colleague, or browsing social networks for personal interests on a work computer.
Then Alex decided to test one theory. He opens a Word document and writes one word: "Hello". And guess what happened next. The cursor started moving by itself, and in response to his hello, Alex read "You won't catch us". A bold statement, no doubt about it. So, the theory was confirmed: the virus itself was similar to the Carberp Trojan, and one of its configuration files was called Anunak.
And yes, guys, if I pronounce some names incorrectly, then don't be too angry, because I'm not some kind of hacker. Of course, I try to check all the names, but you understand that there may be mistakes. Oh well, let's continue. So, Alex and his colleagues named the virus "Carbanak". It turns out that the problem of money flying out was not in the ATM. The entire banking system was infected with this virus. And not a simple one. This virus allowed cybercriminals to monitor absolutely all bank employees and their actions for literally months.
They recorded screens, recorded every keystroke, studied the employees’ behavior, watched how the bank made transfers, how it checked transactions, how the accounting department worked in general. And they even checked the employees’ personal correspondence on their work computers. What bastards. And when they figured everything out down to the smallest detail, they started acting.
The fraudsters forged transfers, withdrew money through fictitious accounts, and forced ATMs to issue cash at the right time. And not only in Ukraine or Russia. Money disappeared from the balance sheets of the largest banks in Japan, the USA, Switzerland and the Netherlands. Hundreds of financial institutions, millions of dollars, stolen practically out of thin air. But what's surprising is that not a single bank officially acknowledged the hack, just silence. You may ask why this happens.
Well, I think because admitting it means showing the whole world that their security systems are not so reliable, and they can lose customers. Meanwhile, the attacks continued. Europol, the FBI, and intelligence agencies from several countries began hunting the criminals, but were unable to find any leads. Kaspersky Lab experts called this operation one of the most complex in history. Unlike classic hacks, where hackers act crudely and quickly, these criminals worked patiently and quietly.
They did not break into a bank with weapons; they studied the system and became part of it. Everything looked like regular banking transactions. So, the hackers mainly used three methods of operation. The first option is a quiet transfer of money. The hackers transferred money from special transaction accounts to their own. In order not to arouse suspicion, they increased the balance of these accounts in advance by the amount they were going to steal, simply changing the number, and only then conducted the transaction.
Thus, the overall balance of the bank does not change and nothing stands out, because at that time banks checked accounts approximately every 10 hours. I have already told you about the second type of hacking: the gushing ATMs. To achieve this, hackers gained remote control over certain ATMs and forced them to issue cash at the right time.
Naturally, the cash was collected by intermediaries, that is, drops. They sent the money to the bosses and kept a small percentage for themselves, which in fact amounted to tens of thousands of dollars. In addition, there was a third type of theft, to my mind the most difficult: manipulation of the database. To pull off this trick, hackers opened fake bank accounts and issued debit cards for them with a balance of a couple of bucks. Then they updated the database, replacing a few dollars with a million-dollar balance.
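The balance-inflation trick described above only works because the victim's own statement still adds up. The added example below (my code, not from the post or from any Kaspersky report) shows on constructed sample data why the account owner sees nothing wrong, and how a continuous ledger replay, rather than a check every 10 hours, flags the money that appeared without a transaction. The account names and amounts are invented.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    src: str
    dst: str
    amount: int          # in cents
    authorized: bool     # True if the account owner actually initiated it


# Constructed sample data: balances recorded at the last reconciliation,
# the ledger posted since then, and what the core database reports now.
OPENING = {"ACC-1001": 1_000_000, "ACC-1002": 500_000, "MULE-77": 100}

LEDGER = [
    Txn("ACC-1001", "ACC-1002", 25_000, authorized=True),
    # The theft: $1,000,000 moved from ACC-1002 to a mule account.
    Txn("ACC-1002", "MULE-77", 100_000_000, authorized=False),
]

# Before posting the theft transfer, the attacker wrote +100_000_000 straight
# into ACC-1002's stored balance, bypassing the ledger entirely.
STORED = {"ACC-1001": 975_000, "ACC-1002": 525_000, "MULE-77": 100_000_100}


def owner_statement_matches(account, opening=OPENING, ledger=LEDGER, stored=STORED):
    """What the owner sees: opening balance plus the transactions they know
    about. True means the stored balance is exactly what they expect."""
    expected = opening[account]
    for t in ledger:
        if not t.authorized:
            continue
        if t.src == account:
            expected -= t.amount
        if t.dst == account:
            expected += t.amount
    return stored[account] == expected


def replay_ledger(opening, ledger):
    """Recompute every balance from the opening snapshot and the full ledger."""
    balances = dict(opening)
    for t in ledger:
        balances[t.src] = balances.get(t.src, 0) - t.amount
        balances[t.dst] = balances.get(t.dst, 0) + t.amount
    return balances


def unexplained_adjustments(opening=OPENING, ledger=LEDGER, stored=STORED):
    """Return {account: delta} for stored balances that differ from the
    ledger replay, i.e. money that appeared or vanished with no transaction."""
    replayed = replay_ledger(opening, ledger)
    return {acct: stored[acct] - replayed.get(acct, 0)
            for acct in stored if stored[acct] != replayed.get(acct, 0)}


if __name__ == "__main__":
    print("victim sees nothing wrong:", owner_statement_matches("ACC-1002"))
    print("ledger replay flags:", unexplained_adjustments())
```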
Sometimes, of course, there were failures or errors. So a money fountain could occur in a random ATM near a grandmother withdrawing her pension. Or the balance of a person who has absolutely nothing to do with hackers increased by a couple of zeros. It's just fantastic, how cool is that. Someone was lucky, just imagine.
But now you will probably ask yourself the main question: how exactly did this virus penetrate the bank's software, how was this even possible? And yes, of course, we all know about phishing emails, but directors of large banks and people who have high-level access do not open letters from no-names, do not download unknown attachments, and in general have maximum protection and limited exposure, so all this does not even reach them. So how did it happen? Everything was done according to a completely simple and logical chain.
First, someone called the bank's support service complaining about poor Internet banking or a problem with a product or service. Stumbling over their words, such "clients" could not explain the cause of the error and offered to send a screenshot or document with the error by email. And here the most interesting part began. The support team, naturally, accepted the request and opened the letter in the hope of solving the client's problem. But the letter was already infected, and the employee's computer could now be used.
What can be done with the very limited access of a call center employee? Well, for example, write a letter to someone of a higher rank, such as your boss or the IT support staff, through whom you can climb further up the hierarchy, and therefore raise the level of access and responsibility. Such a letter could contain anything at all, for example, a request to familiarize yourself with a new resolution of the National Bank.
So, the hackers pushed the employees to download and run the malware until they raised the access level to those with which it was possible to penetrate into the very heart of banking operations and collect customer data. So, one of these letters got to one of the top managers of the bank. He opened it, did not find anything interesting and began his most ordinary duties. At this point, the hacker installed a malicious program on the PC that made the machine lag and work much slower than usual.
This, naturally, interferes with work, and the manager calls an IT specialist to figure out what the problem is. The IT specialist connects to the employee's computer and enters the administrator password, which is immediately captured by the hacker, and voila. He tries it on the domain controller and it works. Now the hacker can find the computer that manages money transfers and ATMs. Access is open, and all the internal processes of the banking system can be studied in detail.
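The decisive step in that chain is an administrator typing a domain-level password on an already compromised workstation. The added example below (my code, not from the post) runs a simple tiering check over constructed Windows logon records: a Tier-0 account logging on interactively to anything other than a Tier-0 host is exactly the event a defender wants to see alerted. Account names, host names and the tier lists are assumptions.

```python
# Constructed Windows Security log records reduced to the fields this check
# needs. EventID 4624 = successful logon, 4625 = failed logon. LogonType 2 =
# interactive, 10 = RemoteInteractive (RDP / remote assistance), 11 = cached
# interactive, 3 = network, 5 = service.
EVENTS = [
    {"EventID": 4624, "Account": "CORP\\ivanov",      "LogonType": 2,  "Host": "MGR-LAPTOP-07"},
    {"EventID": 4624, "Account": "CORP\\helpdesk-da", "LogonType": 10, "Host": "MGR-LAPTOP-07"},
    {"EventID": 4624, "Account": "CORP\\helpdesk-da", "LogonType": 3,  "Host": "DC01"},
    {"EventID": 4624, "Account": "CORP\\svc-backup",  "LogonType": 5,  "Host": "SRV-FILE-02"},
    {"EventID": 4625, "Account": "CORP\\helpdesk-da", "LogonType": 10, "Host": "ATM-CTRL-01"},
]

# Assumed tiering model: Tier-0 accounts may only be used on Tier-0 assets
# (domain controllers here). On any other host the credential lands in memory
# of a machine that may already be under someone else's control.
TIER0_ACCOUNTS = {"CORP\\helpdesk-da"}
TIER0_HOSTS = {"DC01"}
# Logon types for which the password or its hash is present on the host.
INTERACTIVE = {2, 10, 11}


def tier_violations(events, tier0_accounts=TIER0_ACCOUNTS, tier0_hosts=TIER0_HOSTS):
    """Return (account, host, logon_type) for every successful interactive
    logon of a Tier-0 account on a host that is not a Tier-0 asset."""
    hits = []
    for e in events:
        if e["EventID"] != 4624 or e["LogonType"] not in INTERACTIVE:
            continue
        if e["Account"] in tier0_accounts and e["Host"] not in tier0_hosts:
            hits.append((e["Account"], e["Host"], e["LogonType"]))
    return hits


if __name__ == "__main__":
    # Expected: the help-desk domain admin's RDP session to the manager's
    # laptop, which is the moment the post describes the password being read.
    for account, host, logon_type in tier_violations(EVENTS):
        print(f"ALERT: Tier-0 account {account} logged on to {host} (type {logon_type})")
```

The same rule is what a tiered administration model enforces preventively: help-desk staff get a separate workstation-tier account, so a domain admin password is never typed on a user's machine in the first place.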
Carbanak used this scheme in all the banks it hacked. According to the Kaspersky Lab report, more than 100 banks and other financial institutions in 30 countries suffered, with a total loss of more than $1 billion. It seems to be one of the largest bank thefts in history. The attackers carefully studied the work of each bank and simultaneously opened fake accounts in the US and China to receive transfers.
By the way, both banks refused to comment on this situation. Well, now let's return to the events that took place in the summer of 2016 in Taiwan, when the police found photos of huge bundles of money and letters from the alleged leader of Carbanak on the phone of one of the arrested mules. The largest international agencies, such as Interpol and the FBI, as well as leading cybersecurity companies and the intelligence agencies of several countries, immediately joined the investigation.
They all worked around the clock. They analyzed correspondence, tracked financial flows, studied the movements of suspects, trying to find the organizer. The participants of the criminal scheme, namely the organizers, programmers, couriers, money launderers and victims were located in different countries, which complicated the investigation. In order to find out where the organizer of the group might be, the special services began to track technical traces.
Using the correspondence found, surveillance began. Each login to the system, each message, left a digital imprint. The special services analyzed the IP addresses of the server through which the correspondence passed and checked whether the criminal had made any mistakes. If he had logged into the network without protection at least once, this could have been the key to the solution. But there was another way: money. Even though the scammers used cryptocurrency to transfer money, large purchases still had to be made with regular money.
Real estate, cars, luxury goods, all of this required banking operations. An online clearing house was also created, where researchers could cross-check data and find connections between bank hacks in different countries. Experts analyzed two dozen samples of malicious software found during the Carbanak thefts. By identifying unique characteristics in the code, detectives were able to track where the programs came from and, possibly, who used them.
And so they came upon a trail that pointed to the main suspect. In Spain, there was a man who lived secretly, but owned expensive assets. Then the investigators decided not to rush, they put him under surveillance, cameras recorded that this man rarely left his house, and when he did, he preferred not to be seen. He was cautious, but the intelligence services were patient.
When his identity was confirmed and another large transfer was established after a hacker attack on one of the banks, the intelligence services began to act. In March 2018, the Spanish National Police, with the support of Europol, the FBI, and law enforcement agencies from Romania, Taiwan, and Belarus, detained the leader of the Carbanak hacker group. There was no mistake: the hacker turned out to be a 34-year-old native of Odessa named Denis Tokarenko, call sign Katana.
There was a switched-on laptop on the man's desk, and it was on it that the evidence was stored: the malicious code used for the attacks. The group's leader, along with his wife and son, lived in the Spanish town of Alicante. During the search, computer equipment, jewelry, documents, two expensive cars, and over 500 thousand euros were seized from him. In addition, multimillion-dollar accounts and two houses worth 1 million euros, as well as about 15 thousand bitcoins, were found.
Denis handled the most important and difficult task. He conducted reconnaissance of banking systems and then shuffled money across the network, like an air traffic controller. Only he did it as professionally as possible. In a way, it's even genius. Katana's lawyer, Hosea Steva Villascusa, declined to comment. Although Denis was considered the brains of the operation, he did not work alone. Carbanak consisted of between 10 and 30 people, and code analysis showed that similar malware was used by many other hacker groups.
In late 2018, three more Ukrainian suspects associated with Carbanak were arrested. And despite the arrests of some Carbanak members, the group continues to operate to this day. In November 2023, NCC Group specialists recorded the return of Carbanak with new distribution methods, including the use of compromised websites disguised as popular applications.
Additionally, last month, Microsoft analysts reported on FIN7 activity, linking it to the Clop ransomware. All of this suggests that Carbanak is not only remaining active, but also adapting, adopting new tactics and attack tools. In recent years, law enforcement agencies around the world have been actively pursuing members of cybercriminal groups. In 2020, the FBI arrested several key members of FIN7 responsible for hacking major financial companies.
In 2021, one of the leaders of Joker's Stash was arrested, but the darknet market itself did not close until a year later. In 2023, Spanish police arrested a hacker associated with Cobalt, and in the same year, a group operating under the Carbon brand was dismantled in Ukraine. This whole story has shown us how vulnerable even the most secure banking systems can be.
Hackers don't break locks anymore; they study human behavior, penetrate and become part of the system, and their methods continue to evolve. Perhaps right now somewhere in the world there is a new, even larger attack, which we will learn about only years later. By the way, have you heard about how recently a North Korean hacker hacked the crypto exchange Bybit and stole more than a billion dollars worth of ether, I think?
In short, if you are interested in knowing more about this, write in the comments, I will definitely write a topic about it. The main thing to take away from this topic is that one careless click can cost you millions of dollars. Be sure to write your comments, maybe some of you have been hacked.
Well, all the best. Bye-bye.