{
	"id": "7b36186b-54bc-473a-9ced-9ce523cc8f0c",
	"created_at": "2026-04-06T00:15:58.828156Z",
	"updated_at": "2026-04-10T03:21:33.275779Z",
	"deleted_at": null,
	"sha1_hash": "549cd55eca00698b848061e9254fb40a8858108b",
	"title": "Spain arrests 16 for working with the Mekotio and Grandoreiro malware gangs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 101591,
	"plain_text": "Spain arrests 16 for working with the Mekotio and Grandoreiro\r\nmalware gangs\r\nBy Catalin Cimpanu\r\nPublished: 2022-12-13 · Archived: 2026-04-05 18:01:15 UTC\r\nSpanish police arrested 16 suspects last week on charges of laundering funds stolen through banking\r\ntrojans such as Mekotio and Grandoreiro.\r\nAccording to the Guardia Civil, the oldest law enforcement agency in Spain and one of two national police forces,\r\n16 suspects have been arrested in Ribeira (a city in the A Coruña province), Seseña (Toledo), Villafranca de Los\r\nBarros (Badajoz), Aranda de Duero (Burgos), Parla (Madrid), Móstoles (Madrid), and the capital Madrid.\r\nThe group was arrested last week, and suspects had their houses searched and devices seized for investigation\r\nduring raids that were part of an operation that authorities named Aguas Vivas (Living Waters).\r\nA network dedicated to committing fraud over the Internet has been dismantled.\r\n16 people have been arrested and attempted transfers totaling 3,500,000 euros\r\nhave been blocked, after analyzing more than 1,800 emails.\r\nMore info: https://t.co/0ggQlE0UxB pic.twitter.com/EOAVRuyrKq\r\n— Guardia Civil (@guardiacivil) July 10, 2021\r\nFollowing the raids, authorities said they found evidence that the suspects received more than €276,470 from bank\r\naccounts compromised with the help of the two banking trojans. In addition, the Guardia Civil said the suspects\r\nalso had access to bank accounts storing around €3.5 million, which they had not yet moved and stolen from their\r\nrespective owners.\r\nA well-structured operation\r\nBoth the Mekotio and Grandoreiro malware strains are believed to be the work of Brazilian cybercrime groups\r\nwho rent access to their tools to other gangs responsible for distributing the trojan and laundering funds.\r\nBoth trojans are developed to target Windows computers and are usually spread using spoofed emails mimicking\r\nlegitimate organizations. 
Once they infect a victim, they stay hidden and wait until users log into e-banking\r\naccounts, silently collecting their credentials.\r\nOfficials said the two trojans used in the attacks were capable of collecting data for up to 30 different banks. Once\r\nthe attackers had access to victim bank accounts, they accessed e-banking portals and sent the funds to accounts\r\nunder their control.\r\n\"One characteristic in which all the victims agreed is that, once they carried out any banking operation through the\r\nweb, their computers restarted several times until access was blocked, later observing that large amounts of their\r\nmoney had been transferred to unknown accounts,\" Guardia Civil officials said in a press release last week.\r\n\"After that, the money was split by sending it to other accounts, or by withdrawing cash at ATMs, transfers by\r\nBIZUM, REVOLUT cards, etc., in order to hinder possible police investigations,\" the agency added. Officials did\r\nnot say if the 16 suspects distributed the malware, but said that they were heavily involved in helping launder the\r\nstolen funds.\r\nThe organization was perfectly structured and hierarchical, in 4 levels. On the one hand, there were\r\nthose who were dedicated to receiving the amounts of fraudulent transfers (Level 1), which they later\r\ntransferred to other members of the organization (Level 2). 
On the other hand, there were those who\r\ntransferred the money to other accounts located abroad (Level 3) and, finally, those who were dedicated\r\nto masking the online operations of the accounts (Level 4).\r\nGuardia Civil\r\nExpansion of Brazil's banking trojan ecosystem\r\nThe arrest of the 16 suspects in Spain confirms reports from security firms like ESET and Kaspersky, both of\r\nwhom warned last year that Brazilian cybercrime groups had been updating their banking trojans with support for\r\nEuropean banks, on top of their classic Brazilian and Latin American targets.\r\nESET, which has been tracking the evolution of both Mekotio and Grandoreiro throughout 2020, specifically\r\nhighlighted how the two banking trojans grew in sophistication and reach last year.\r\nWhile Mekotio is a relatively new operation, the Grandoreiro trojan has been around since 2016 and is a well-known name in the cybersecurity industry.\r\nIn a July 2020 blog post, Kaspersky put both Mekotio (also known as Melcoz) and Grandoreiro in the Tetrade, a\r\ncodename the company was using to describe the four largest banking trojan families created, developed, and\r\nspread by Brazilian crooks on a global level. The other two families in the Tetrade cartel were Guildma (Astaroth) and\r\nJavali.\r\n\"Grandoreiro and Mekotio have been expanding to Europe (especially Spain) since around the beginning of 2020,\r\nwhich attracted substantially more attention to these banking trojans than before, whether it was from researchers,\r\ncompanies or police forces,\" an ESET spokesperson told The Record earlier today.\r\n\"The arrest demonstrates that the operation these threat actors are running is not a small one. 
Additionally, it gives\r\nan estimate of how successful their European campaign was by revealing how much money was stolen through\r\nMekotio and Grandoreiro,\" the security firm added.\r\nStats released by Kaspersky today confirm the expansion of both Mekotio and Grandoreiro to Europe, with Spain\r\nbeing the hardest hit after their native Brazil.\r\nThe Mekotio and Grandoreiro-related arrests in Spain are also the second time Spanish authorities arrested local\r\ncybercriminals working with banking trojan malware in 2021. The first arrests took place in March when they\r\napprehended four suspects for distributing the FluBot Android banking trojan.\r\nArticle updated shortly after publication to clarify that the group was arrested mainly for money laundering\r\nactivities and not malware distribution. Article also updated with ESET comments.\r\nCatalin Cimpanu\r\nis a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement\r\nactions against hackers.\r\nSource: https://therecord.media/spain-arrests-16-for-distributing-the-mekotio-and-grandoreiro-banking-trojans/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://therecord.media/spain-arrests-16-for-distributing-the-mekotio-and-grandoreiro-banking-trojans/"
	],
	"report_names": [
		"spain-arrests-16-for-distributing-the-mekotio-and-grandoreiro-banking-trojans"
	],
	"threat_actors": [],
	"ts_created_at": 1775434558,
	"ts_updated_at": 1775791293,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/549cd55eca00698b848061e9254fb40a8858108b.pdf",
		"text": "https://archive.orkl.eu/549cd55eca00698b848061e9254fb40a8858108b.txt",
		"img": "https://archive.orkl.eu/549cd55eca00698b848061e9254fb40a8858108b.jpg"
	}
}