{
	"id": "72b98800-cd2d-4929-8998-3eec1a0e25f1",
	"created_at": "2026-05-01T03:09:09.252325Z",
	"updated_at": "2026-05-01T03:10:50.599205Z",
	"deleted_at": null,
	"sha1_hash": "fc29dc93044d6f52780f35338c6b862232894d55",
	"title": "MoneyTaker: in pursuit of the invisible",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 211779,
	"plain_text": "MoneyTaker: in pursuit of the invisible\r\nBy Dmitry Volkov, CEO of Group-IB\r\nArchived: 2026-05-01 02:11:24 UTC\r\nIn less than two years, this group has conducted over 20 successful attacks on financial institutions and legal firms\r\nin the USA, UK and Russia. The group has primarily been targeting card processing systems, including the AWS\r\nCBR (Russian Interbank System) and purportedly SWIFT (US). Given the wide usage of STAR in LATAM,\r\nfinancial institutions in LATAM could be of particular interest to the MoneyTaker group.\r\nAlthough the group has been successful at targeting a number of banks in different countries, to date, they have\r\ngone unreported. In addition to banks, the MoneyTaker group has attacked law firms and also financial software\r\nvendors. In total, Group-IB has confirmed 20 companies as MoneyTaker victims, with 16 attacks on US\r\norganizations, 3 attacks on Russian banks and 1 in the UK.\r\nBy constantly changing their tools and tactics to bypass antivirus and traditional security solutions and, most\r\nimportantly, carefully eliminating their traces after completing their operations, the group has largely gone\r\nunnoticed.\r\n\"MoneyTaker uses publicly available tools, which makes the attribution and investigation process a non-trivial\r\nexercise. In addition, incidents occur in different regions worldwide, and at least one of the US banks targeted had\r\ndocuments successfully exfiltrated from their networks, twice. 
Group-IB specialists expect new thefts in the near\r\nfuture, and in order to reduce this risk, Group-IB would like to contribute our report identifying hacker tools,\r\ntechniques as well as indicators of compromise we attribute to MoneyTaker operations.\"\r\nMoneyTaker attacks: past and future\r\nThe first attack in the US that Group-IB attributes to this group was conducted in the spring of 2016: money was\r\nstolen from the bank by gaining access to First Data’s “STAR” network operator portal. Since that time, the group has\r\nattacked companies in California, Utah, Oklahoma, Colorado, Illinois, Missouri, South Carolina, North Carolina,\r\nVirginia and Florida.\r\nIn 2016, Group-IB identified 10 attacks conducted by MoneyTaker: 6 attacks on banks in the US, 1 attack on a\r\nUS service provider, 1 attack on a bank in the UK and 2 attacks on Russian banks. Only one incident known to\r\nGroup-IB, involving a Russian bank, was promptly identified and prevented.\r\nhttps://www.group-ib.com/blog/moneytaker\r\nPage 1 of 5\n\nIn 2017, the number of attacks remained the same, with 8 US banks, 1 law firm and 1 bank in Russia being\r\ntargeted. The geography, however, has narrowed to only the USA and Russia.\r\nConnections between incidents\r\nUsing the Group-IB Threat Intelligence system, Group-IB researchers have discovered connections between all 20\r\nincidents throughout 2016 and 2017. Connections were identified not only in the tools used, but also in the\r\ndistributed infrastructure, one-time-use components in the attack toolkit of the group and specific withdrawal\r\nschemes – using unique accounts for each transaction. 
Another distinct feature of this group is that they stick\r\naround after the event, continuing to spy on a number of impacted banks and sending corporate emails and other\r\ndocuments to Yandex and Mail.ru free email services in the first.last@yandex.com format.\r\nImportant findings that enabled Group-IB to discover the links between crimes include privilege escalation tools\r\ncompiled from code presented at the Russian cybersecurity conference ZeroNights 2016. Also, in some\r\nincidents, hackers used the infamous Citadel and Kronos banking Trojans. The latter was used to deliver Point-of-Sale (POS) malware dubbed ScanPOS.\r\nMoneyTaker: arsenal for attacks\r\nGroup-IB reports that MoneyTaker uses both borrowed tools and tools of their own. For example, to spy\r\non bank operators they developed an application with ‘screenshot’ and ‘keylogger’ capabilities. This program is\r\ndesigned to capture keystrokes, take screenshots of the user’s desktop and get contents from the clipboard. The\r\napplication is compiled in Delphi and contains 5 timers: functions of the application (such as taking screenshots,\r\ncapturing keystrokes, disabling itself) are executed once the corresponding timer triggers. To circumvent antivirus and automated\r\nsample analysis, the hackers again used ‘security measures’: they implemented an anti-emulation function in the\r\ntimer code.\r\nIn an attack on a Russian bank through the AWS CBR, the hackers used a tool called MoneyTaker v5.0, which the\r\ngroup has been named after. Each component of this modular program performs a certain action: searches for\r\npayment orders and modifies them, replaces original payment details with fraudulent ones, and then erases traces.\r\nThe replacement succeeds because at this stage the payment order has not yet been signed; signing\r\noccurs after the payment details have been replaced. 
In addition to hiding tracks, the concealment module also\r\nreplaces the fraudulent payment details in the post-transaction debit advice with the original ones. This\r\nmeans that the payment order is sent and accepted for execution with the fraudulent payment details, while the\r\nresponses come back as if the payment details were the original ones. This gives cybercriminals extra time to move the funds through mules\r\nbefore the theft is detected.\r\nCreated tools:\r\n- MoneyTaker 5.0 – malicious program for auto replacement of payment data in AWS CBR\r\n- ‘Screenshotter’ and ‘keylogger’ to conduct espionage and capture keystrokes\r\n- MoneyTaker ‘Auto-replacement’ program to substitute payment details in the interbank transfer system\r\nBorrowed tools:\r\n- Metasploit and PowerShell Empire\r\n- Privilege escalation tools, whose code was demonstrated as a Proof of Concept at the ZeroNights cybersecurity conference in Moscow in 2016. More data provided later in this report\r\n- Citadel and Kronos banking Trojans. The latter one was used to deliver Point-of-Sale (POS) malware dubbed ScanPOS\r\nLeaving no trace behind\r\nTo conduct targeted attacks, MoneyTaker uses a distributed infrastructure that is difficult to track. A unique\r\nfeature of the infrastructure is a persistence server, which delivers payloads only to victims whose IP addresses are on\r\nMoneyTaker’s whitelist.\r\nTo control the full operation, MoneyTaker uses a pentest framework server. On it, the hackers install a legitimate\r\ntool for penetration testing – Metasploit. After successfully infecting one of the computers and gaining initial\r\naccess to the system, the attackers perform reconnaissance of the local network in order to gain domain\r\nadministrator privileges and eventually consolidate control over the network. 
The hackers use Metasploit to conduct\r\nall these activities: network reconnaissance, searching for vulnerable applications, exploiting vulnerabilities, escalating\r\nsystem privileges and collecting information.\r\nThe group uses ‘fileless’ malware that exists only in RAM and is destroyed on reboot. To ensure persistence in the\r\nsystem, MoneyTaker relies on PowerShell and VBS scripts – both are difficult for antivirus to detect and easy\r\nto modify. In some cases, they have made changes to source code ‘on the fly’ – during the attack.\r\nAfter successful infection, they carefully erase malware traces. However, when investigating an incident in\r\nRussia, we managed to discover the initial point of compromise: the hackers penetrated the bank’s internal network by\r\ngaining access to the home computer of the bank’s system administrator.\r\nIn addition, to protect C\u0026C communications from being detected by security teams, MoneyTaker employs\r\nSSL certificates generated using the names of well-known brands (Bank of America, Federal Reserve Bank,\r\nMicrosoft, Yahoo, etc.), instead of filling the fields out randomly. In the US, they used the LogMeIn Hamachi\r\nsolution for remote access.\r\nAttacks on card processing\r\nThe first attack on card processing that Group-IB specialists attribute to this group was conducted in May 2016.\r\nHaving gained access to the bank network, the attackers compromised the workstation of First Data’s STAR\r\nnetwork portal operators, making the changes required and withdrawing the money. In January 2017, the attack\r\nwas repeated in another bank.\r\nThe scheme is extremely simple. After taking control over the bank’s network, the attackers checked whether they\r\ncould connect to the card processing system. Following this, they legally opened or bought cards of the bank\r\nwhose IT system they had hacked. 
Money mules – criminals who withdraw money from ATMs – with previously\r\nactivated cards went abroad and waited for the operation to begin. After getting into the card processing system,\r\nthe attackers removed or increased cash withdrawal limits for the cards held by the mules. They removed\r\noverdraft limits, which made it possible to overdraw even with debit cards. Using these cards, the mules withdrew\r\ncash from ATMs, one by one. The average loss caused by one attack was about $500,000 USD.\r\nSource: https://www.group-ib.com/blog/moneytaker",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.group-ib.com/blog/moneytaker"
	],
	"report_names": [
		"moneytaker"
	],
	"threat_actors": [],
	"ts_created_at": 1777604949,
	"ts_updated_at": 1777605050,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fc29dc93044d6f52780f35338c6b862232894d55.pdf",
		"text": "https://archive.orkl.eu/fc29dc93044d6f52780f35338c6b862232894d55.txt",
		"img": "https://archive.orkl.eu/fc29dc93044d6f52780f35338c6b862232894d55.jpg"
	}
}