{
	"id": "1c65c1f7-9115-4ed2-af3d-270ad8c1abf9",
	"created_at": "2026-04-06T00:10:28.452494Z",
	"updated_at": "2026-04-10T13:12:37.664876Z",
	"deleted_at": null,
	"sha1_hash": "6802714935ccd29046ced357297b9532f8cb5238",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 44334,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 13:23:10 UTC\r\nAPT group: MoneyTaker\r\nNames MoneyTaker (Group-IB)\r\nCountry Russia\r\nMotivation Financial crime\r\nFirst seen 2016\r\nDescription\r\n(Group-IB) In less than two years, this group has conducted over 20 successful attacks on\r\nfinancial institutions and legal firms in the USA, UK and Russia. The group has primarily been\r\ntargeting card processing systems, including the AWS CBR (Russian Interbank System) and\r\npurportedly SWIFT (US). Given the wide usage of STAR in LATAM, financial institutions in\r\nLATAM could have particular exposure to a potential interest from the MoneyTaker group.\r\nAlthough the group has been successful at targeting a number of banks in different countries,\r\nto date, they have gone unreported. In addition to banks, the MoneyTaker group has attacked\r\nlaw firms and also financial software vendors. In total, Group-IB has confirmed 20 companies\r\nas MoneyTaker victims, with 16 attacks on US organizations, 3 attacks on Russian banks and 1\r\nin the UK.\r\nObserved\r\nSectors: Financial.\r\nCountries: Russia, UK, USA.\r\nTools used Citadel, Kronos, Metasploit, MoneyTaker, Screenshotter.\r\nInformation \u003chttps://www.group-ib.com/blog/moneytaker\u003e\r\nLast change to this card: 14 April 2020\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=8993618c-1ca6-47b2-a304-483f88810ad5",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=8993618c-1ca6-47b2-a304-483f88810ad5"
	],
	"report_names": [
		"showcard.cgi?u=8993618c-1ca6-47b2-a304-483f88810ad5"
	],
	"threat_actors": [
		{
			"id": "746214d4-5d48-4644-b763-8e9a9c549c04",
			"created_at": "2022-10-25T16:07:23.878029Z",
			"updated_at": "2026-04-10T02:00:04.769032Z",
			"deleted_at": null,
			"main_name": "MoneyTaker",
			"aliases": [],
			"source_name": "ETDA:MoneyTaker",
			"tools": [
				"Kronos",
				"Metasploit",
				"MoneyTaker",
				"Screenshotter"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e5364c16-eb97-467e-a8c2-a720269498c1",
			"created_at": "2023-01-06T13:46:38.733469Z",
			"updated_at": "2026-04-10T02:00:03.082343Z",
			"deleted_at": null,
			"main_name": "MoneyTaker",
			"aliases": [],
			"source_name": "MISPGALAXY:MoneyTaker",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434228,
	"ts_updated_at": 1775826757,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6802714935ccd29046ced357297b9532f8cb5238.pdf",
		"text": "https://archive.orkl.eu/6802714935ccd29046ced357297b9532f8cb5238.txt",
		"img": "https://archive.orkl.eu/6802714935ccd29046ced357297b9532f8cb5238.jpg"
	}
}