{ "id": "0dd96a31-9641-44cd-8dd7-306d3463f186", "created_at": "2026-04-06T00:15:33.354815Z", "updated_at": "2026-04-10T03:31:13.555801Z", "deleted_at": null, "sha1_hash": "aa0f49e2902cdde49e5ac0fb0e0a4602d35a0462", "title": "Mastermind behind EUR 1 billion cyber bank robbery arrested in Spain", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 200721, "plain_text": "Mastermind behind EUR 1 billion cyber bank robbery arrested in\r\nSpain\r\nBy Europol\r\nPublished: 2018-03-26 · Archived: 2026-04-02 10:54:27 UTC\r\nThe leader of the crime gang behind the Carbanak and Cobalt malware attacks targeting over a 100 financial\r\ninstitutions worldwide has been arrested in Alicante, Spain, after a complex investigation conducted by the\r\nSpanish National Police, with the support of Europol, the US FBI, the Romanian, Moldovan, Belarussian and\r\nTaiwanese authorities and private cyber security companies.\r\nSince 2013, the cybercrime gang have attempted to attack banks, e-payment systems and financial institutions\r\nusing pieces of malware they designed, known as Carbanak and Cobalt. The criminal operation has struck banks\r\nin more than 40 countries and has resulted in cumulative losses of over EUR 1 billion for the financial industry.\r\nThe magnitude of the losses is significant: the Cobalt malware alone allowed criminals to steal up to EUR 10\r\nmillion per heist.\r\nhttps://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain\r\nPage 1 of 5\n\nModus operandi\r\nThe organised crime group started its high-tech criminal activities in late 2013 by launching the Anunak malware\r\ncampaign that targeted financial transfers and ATM networks of financial institutions around the world. By the\r\nfollowing year, the same coders improved the Anunak malware into a more sophisticated version, known as\r\nCarbanak, which was used in until 2016. From then onwards, the crime syndicate focused their efforts into\r\ndeveloping an even more sophisticated wave of attacks by using tailor-made malware based on the Cobalt Strike\r\npenetration testing software.\r\nIn all these attacks, a similar modus operandi was used. The criminals would send out to bank employees spear\r\nphishing emails with a malicious attachment impersonating legitimate companies. Once downloaded, the\r\nmalicious software allowed the criminals to remotely control the victims’ infected machines, giving them access to\r\nthe internal banking network and infecting the servers controlling the ATMs. This provided them with the\r\nknowledge they needed to cash out the money.\r\nhttps://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain\r\nPage 2 of 5\n\nhttps://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain\r\nPage 3 of 5\n\nCashing out\r\nThe money was then cashed out by one of the following means:\r\nATMs were instructed remotely to dispense cash at a pre-determined time, with the money being collected\r\nby organised crime groups supporting the main crime syndicate: when the payment was due, one of the\r\ngang members was waiting beside the machine to collect the money being ‘voluntarily’ spit out by the\r\nATM;\r\nThe e-payment network was used to transfer money out of the organisation and into criminal accounts;\r\nDatabases with account information were modified so bank accounts balance would be inflated, with\r\nmoney mules then being used to collect the money.\r\nThe criminal profits were also laundered via cryptocurrencies, by means of prepaid cards linked to the\r\ncryptocurrency wallets which were used to buy goods such as luxury cars and houses.\r\nInternational police cooperation\r\nInternational police cooperation coordinated by Europol and the Joint Cybercrime Action Taskforce was central in\r\nbringing the perpetrators to justice, with the mastermind, coders, mule networks, money launderers and victims all\r\nlocated in different geographical locations around the world.\r\nEuropol’s European Cybercrime Centre (EC3) facilitated the exchange of information, hosted operational\r\nmeetings, provided digital forensic and malware analysis support and deployed experts on-the-spot in Spain\r\nduring the action day.\r\nThe close private-public partnership with the European Banking Federation (EBF), the banking industry as a\r\nwhole and the private security companies was also paramount in the success of this complex investigation.\r\nWim Mijs, Chief Executive Office of the European Banking Federation, said: \"This is the first time that the EBF\r\nhas actively cooperated with Europol on a specific investigation. It clearly goes beyond raising awareness on\r\ncybersecurity and demonstrates the value of our partnership with the cybercrime specialists at Europol. Public-private cooperation is essential when it comes to effectively fighting digital cross border crimes like the one that\r\nwe are seeing here with the Carbanak gang.\"\r\nSteven Wilson, Head of Europol’s European Cybercrime Centre (EC3), said: \"This global operation is a\r\nsignificant success for international police cooperation against a top level cybercriminal organisation. The arrest of\r\nthe key figure in this crime group illustrates that cybercriminals can no longer hide behind perceived international\r\nanonymity. This is another example where the close cooperation between law enforcement agencies on a\r\nworldwide scale and trusted private sector partners is having a major impact on top level cybercriminality.\"\r\nVIEW FULL INFOGRAPHIC\r\nDownloads\r\nhttps://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain\r\nPage 4 of 5\n\nSource: https://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain\r\nhttps://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain\r\nPage 5 of 5", "extraction_quality": 1, "language": "EN", "sources": [ "MISPGALAXY", "Malpedia", "ETDA", "MITRE" ], "references": [ "https://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain" ], "report_names": [ "mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain" ], "threat_actors": [ { "id": "c9617bb6-45c8-495e-9759-2177e61a8e91", "created_at": "2022-10-25T15:50:23.405039Z", "updated_at": "2026-04-10T02:00:05.387643Z", "deleted_at": null, "main_name": "Carbanak", "aliases": [ "Carbanak", "Anunak" ], "source_name": "MITRE:Carbanak", "tools": [ "Carbanak", "Mimikatz", "PsExec", "netsh" ], "source_id": "MITRE", "reports": null }, { "id": "9de1979b-40fc-44dc-855d-193edda4f3b8", "created_at": "2025-08-07T02:03:24.92723Z", "updated_at": "2026-04-10T02:00:03.755516Z", "deleted_at": null, "main_name": "GOLD LOCUST", "aliases": [ "Anunak", "Carbanak", "Carbon Spider ", "FIN7 ", "Silicon " ], "source_name": "Secureworks:GOLD LOCUST", "tools": [ "Carbanak" ], "source_id": "Secureworks", "reports": null }, { "id": "610a7295-3139-4f34-8cec-b3da40add480", "created_at": "2023-01-06T13:46:38.608142Z", "updated_at": "2026-04-10T02:00:03.03764Z", "deleted_at": null, "main_name": "Cobalt", "aliases": [ "Cobalt Group", "Cobalt Gang", "GOLD KINGSWOOD", "COBALT SPIDER", "G0080", "Mule Libra" ], "source_name": "MISPGALAXY:Cobalt", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf", "created_at": "2023-01-06T13:46:38.405479Z", "updated_at": "2026-04-10T02:00:02.961112Z", "deleted_at": null, "main_name": "FIN7", "aliases": [ "ATK32", "G0046", "G0008", "Sangria Tempest", "ELBRUS", "GOLD NIAGARA", "Coreid", "Carbanak", "Carbon Spider", "JokerStash", "CARBON SPIDER" ], "source_name": "MISPGALAXY:FIN7", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "ed3810b7-141a-4ed0-8a01-6a972b80458d", "created_at": "2022-10-25T16:07:23.443259Z", "updated_at": "2026-04-10T02:00:04.602946Z", "deleted_at": null, "main_name": "Carbanak", "aliases": [ "Anunak", "Carbanak", "Carbon Spider", "ELBRUS", "G0008", "Gold Waterfall", "Sangria Tempest" ], "source_name": "ETDA:Carbanak", "tools": [ "AVE_MARIA", "Agentemis", "AmmyyRAT", "Antak", "Anunak", "Ave Maria", "AveMariaRAT", "BABYMETAL", "BIRDDOG", "Backdoor Batel", "Batel", "Bateleur", "BlackMatter", "Boostwrite", "Cain \u0026 Abel", "Carbanak", "Cl0p", "Cobalt Strike", "CobaltStrike", "DNSMessenger", "DNSRat", "DNSbot", "DRIFTPIN", "DarkSide", "FOXGRABBER", "FlawedAmmyy", "HALFBAKED", "JS Flash", "KLRD", "MBR Eraser", "Mimikatz", "Nadrac", "Odinaff", "POWERPIPE", "POWERSOURCE", "PsExec", "SQLRAT", "Sekur", "Sekur RAT", "SocksBot", "SoftPerfect Network Scanner", "Spy.Agent.ORM", "TEXTMATE", "TeamViewer", "TiniMet", "TinyMet", "Toshliph", "VB Flash", "WARPRISM", "avemaria", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "f4f16213-7a22-4527-aecb-b964c64c2c46", "created_at": "2024-06-19T02:03:08.090932Z", "updated_at": "2026-04-10T02:00:03.6289Z", "deleted_at": null, "main_name": "GOLD NIAGARA", "aliases": [ "Calcium ", "Carbanak", "Carbon Spider ", "FIN7 ", "Navigator ", "Sangria Tempest ", "TelePort Crew " ], "source_name": "Secureworks:GOLD NIAGARA", "tools": [ "Bateleur", "Carbanak", "Cobalt Strike", "DICELOADER", "DRIFTPIN", "GGLDR", "GRIFFON", "JSSLoader", "Meterpreter", "OFFTRACK", "PILLOWMINT", "POWERTRASH", "SUPERSOFT", "TAKEOUT", "TinyMet" ], "source_id": "Secureworks", "reports": null } ], "ts_created_at": 1775434533, "ts_updated_at": 1775791873, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/aa0f49e2902cdde49e5ac0fb0e0a4602d35a0462.pdf", "text": "https://archive.orkl.eu/aa0f49e2902cdde49e5ac0fb0e0a4602d35a0462.txt", "img": "https://archive.orkl.eu/aa0f49e2902cdde49e5ac0fb0e0a4602d35a0462.jpg" } }