The crime boss of a gang targeting over 100 financial institutions worldwide and costing the financial industry an estimated EUR 1 billion in cumulative losses, has been arrested, say authorities.

The criminal profits were also laundered via cryptocurrencies, Europol said, using prepaid cards linked to the cryptocurrency wallets which were used to buy goods such as luxury cars and houses.

The gang targeted banks, e-payment systems and financial institutions using pieces of malware they designed, known as Carbanak and Cobalt.

The Cobalt malware alone is understood to have allowed criminals to steal up to EUR 10 million per heist.

The arrest was made following an investigation by Spanish police, with the support of Europol, the US FBI and other enforcement agencies.

Steven Wilson, head of Europol’s European Cybercrime Centre (EC3), said: “The arrest of the key figure in this crime group illustrates that cybercriminals can no longer hide behind perceived international anonymity.”

The group has been in operation since 2013, launching the Anunak malware campaign that targeted financial transfers and ATM networks of banks.

They then changed the Anunak malware into a more sophisticated version, known as Carbanak, which was used in until 2016, and from there, went on to use tailor-made malware based on the Cobalt Strike penetration testing software.

“The criminals would send out to bank employees spear phishing emails with a malicious attachment impersonating legitimate companies,” Europol explained.

“Once downloaded, the malicious software allowed the criminals to remotely control the victims’ infected machines, giving them access to the internal banking network and infecting the servers controlling the ATMs. This provided them with the knowledge they needed to cash out the money.”

Wim Mijs, Chief Executive Office of the European Banking Federation, said: “This is the first time that the EBF has actively cooperated with Europol on a specific investigation.

“Public-private cooperation is essential when it comes to effectively fighting digital cross border crimes like the one that we are seeing here with the Carbanak gang.”

Read more:

UK: Gang laundered cash from fraud victims through bank accounts

Chinese money launderers paid £1.8m into London banks

EU Sixth Anti-Money Laundering Directive (6AMLD) – Expert analysis of new EU measures