{
	"id": "d8f322b1-54ad-4fe8-98f9-74b052e7aa32",
	"created_at": "2026-04-06T00:18:43.162925Z",
	"updated_at": "2026-04-10T13:12:37.26589Z",
	"deleted_at": null,
	"sha1_hash": "cfde1c5d1e1b74c95878b734babcb97cc59494e5",
	"title": "FluBot Malware Gang Arrested in Barcelona",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 96610,
	"plain_text": "FluBot Malware Gang Arrested in Barcelona\r\nBy Catalin Cimpanu\r\nPublished: 2022-11-17 · Archived: 2026-04-05 17:30:02 UTC\r\nCatalan police arrested four suspects last week on suspicion of distributing FluBot, an Android malware strain that\r\ninfected at least 60,000 devices, with most victims located in Spain.\r\nFour men, aged between 19 and 27, were arrested in Barcelona on Tuesday, March 2.\r\nMembers of the Mossos d'Esquadra (the local Catalan government's police force) raided the suspects' apartments\r\nand seized cash, laptops, documents, and mobile devices. Some of the mobile devices were still sealed and were\r\nallegedly bought with their victims' money, officials said.\r\nDesmantellem grup criminal especialitzat en l'#Smishing o l'estafa amb missatges SMS, amb els quals\r\nobtenien dades bancàries i del telèfon mòbil de les víctimes. Dos dels integrants, que formaven la\r\ncúpula, ja són a presó pic.twitter.com/d2XiWa0rCP\r\n— Mossos (@mossos) March 5, 2021\r\nThe suspects were arraigned in front of a judge on Thursday, March 4. Two members, deemed the leaders of the\r\ngang, were detained, while the other two were set free but required to appear in court every 15 days.\r\nSuspect names were not released, according to local data privacy regulations; however, Catalan police said that\r\none of the two FluBot gang leaders appeared to have been in charge of the technical side of the operation, being\r\nthe one who wrote the malware code and created fake bank login pages.\r\n97% of FluBot's victims were located in Spain\r\nThe FluBot malware, also known as the Fedex Banker or Cabassous, has been active since late 2020. The malware\r\nwas designed as a banking trojan for Android devices. It would infect devices and abuse the Android Accessibility\r\nservice to show fake login screens for mobile banking portals.\r\nThe malware would collect banking credentials and send the data back to its command and control server. Here,\r\nthe FluBot gang would abuse the credentials and the full control they had over victim devices to access bank\r\naccounts, intercept and bypass bank verification codes, and steal funds from victims' accounts.\r\n\"In addition to making money transfers, the perpetrators made purchases of high-end cell phones with the victims'\r\ncards, which were sent to people living in the province of Madrid, to whom the scammers paid to receive the\r\npackages,\" Mossos d'Esquadra also added on Friday.\r\nTo spread to new victims, the malware relied on sending SMS spam messages to an infected user's contacts list.\r\nCatalan officials said they tracked at least 71,000 spam SMS messages sent by the group.\r\nhttps://therecord.media/flubot-malware-gang-arrested-in-barcelona/\r\nPage 1 of 3\n\nHowever, the number is believed to be much larger. In a report last week, Swiss security firm PRODAFT said that\r\nafter managing to gain access to FluBot's command and control server, they tracked the malware to 60,000\r\ndevices and discovered that the FluBot operators had collected phone numbers for 11 million users, 97% of which\r\nwere Spanish citizens.\r\nThe number represented around 25% of Spain's population. In an interview last week, PRODAFT told The\r\nRecord their discovery prompted them to report their findings to Spanish law enforcement, which would explain\r\nlast week's crackdown against the FluBot gang.\r\nIn the meantime, security researchers reported that the malware appears to be still active and spreading. The\r\nmalware is advertised in underground hacking forums and its creators are believed to be still at large.\r\nLooks like it isn't dead after all. Even after succesful police intervention #Flubot campaing is still\r\ngoing, eh? @B0rys_Grishenko @500mk500 @CERT_OPL @PPiekutowski\r\n— Piotr Kowalczyk (@pmmkowalczyk) March 7, 2021\r\nGet more insights with the\r\nRecorded Future\r\nIntelligence Cloud.\r\nLearn more.\r\nNo previous article\r\nNo new articles\r\nhttps://therecord.media/flubot-malware-gang-arrested-in-barcelona/\r\nPage 2 of 3\n\nCatalin Cimpanu\r\nis a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement\r\nactions against hackers.\r\nSource: https://therecord.media/flubot-malware-gang-arrested-in-barcelona/\r\nhttps://therecord.media/flubot-malware-gang-arrested-in-barcelona/\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://therecord.media/flubot-malware-gang-arrested-in-barcelona/"
	],
	"report_names": [
		"flubot-malware-gang-arrested-in-barcelona"
	],
	"threat_actors": [],
	"ts_created_at": 1775434723,
	"ts_updated_at": 1775826757,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cfde1c5d1e1b74c95878b734babcb97cc59494e5.pdf",
		"text": "https://archive.orkl.eu/cfde1c5d1e1b74c95878b734babcb97cc59494e5.txt",
		"img": "https://archive.orkl.eu/cfde1c5d1e1b74c95878b734babcb97cc59494e5.jpg"
	}
}