How Hackers Stole 1 Billion

Lifetime Hack

By Bob Oliver. Published about a year ago.
A criminal cyber gang known as Carbanak has been responsible for stealing over a billion dollars from more than 100 financial institutions over the past two years. According to a report, this is considered the “great bank robbery of the modern era”. Their ultimate goal was to steal as much money as possible, and they largely accomplished that goal.

One night in 2014, an employee from one of the largest Russian banks called Kaspersky Lab, claiming to have sensitive information that he suspected was being monitored. This employee was so paranoid that he requested a personal meeting, fearing that his phone might have been bugged and his emails hacked. It turned out that the bank's domain controller was sending sensitive data to unknown servers in China. The domain controller is the most important server of any business, and if you can access it, you have control over everything else in that network. This means that whoever gets their hands on this server can do everything from looking at insignificant customer data to adding and removing funds from accounts, and even sending millions of dollars through the SWIFT banking system. If this server is doing things that nobody knows about, the bank has a big problem.

The Kaspersky team was astonished by the fact that someone had hacked into the domain controller of a bank worth billions of dollars. They analyzed every single network phone and computer connected to the internal banking network, but at first, they didn't find anything suspicious. However, some of the computers had the screen sharing software VNC installed on them, and upon questioning the bank about it, they found out that nobody had ever installed it.
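
The two warning signs in this account, a domain controller talking to unknown outside servers and VNC that nobody in IT had installed, are both things a defender can check for routinely. The sketch below is an added example, not part of the original article or of Kaspersky's tooling; the host names, tool list, approved pairs, network ranges and records are all constructed assumptions.

```python
import ipaddress

# All values below are constructed for illustration, not taken from the case.
REMOTE_ACCESS_TOOLS = {"vnc", "teamviewer", "anydesk"}   # name fragments to watch for
APPROVED = {("HELPDESK-01", "teamviewer")}               # (host, tool) pairs IT signed off on
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
DOMAIN_CONTROLLERS = {"DC-01"}

INVENTORY = [  # constructed software inventory per host
    {"host": "TELLER-07", "software": ["Microsoft Word", "RealVNC Server"]},
    {"host": "HELPDESK-01", "software": ["TeamViewer 15"]},
    {"host": "DC-01", "software": ["Windows Server Backup"]},
]
FLOWS = [  # constructed outbound flows: (source host, destination IP, bytes sent)
    ("DC-01", "10.1.2.3", 4_000),
    ("DC-01", "203.0.113.50", 88_000_000),
    ("TELLER-07", "198.51.100.9", 1_200),
]

def unapproved_remote_tools(inventory):
    """Return (host, package) for remote-access software IT never approved."""
    findings = []
    for rec in inventory:
        for pkg in rec["software"]:
            for tool in REMOTE_ACCESS_TOOLS:
                if tool in pkg.lower() and (rec["host"], tool) not in APPROVED:
                    findings.append((rec["host"], pkg))
    return findings

def dc_external_egress(flows):
    """Return flows where a domain controller sends data outside internal ranges."""
    findings = []
    for host, dst, sent in flows:
        ip = ipaddress.ip_address(dst)
        if host in DOMAIN_CONTROLLERS and not any(ip in net for net in INTERNAL_NETS):
            findings.append((host, dst, sent))
    return findings

if __name__ == "__main__":
    for host, pkg in unapproved_remote_tools(INVENTORY):
        print(f"unapproved remote-access tool on {host}: {pkg}")
    for host, dst, sent in dc_external_egress(FLOWS):
        print(f"domain controller {host} sent {sent} bytes to external {dst}")
```
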

One of Kaspersky's experts then thought that someone must be spying on the bank employees for some reason. To test his theory, he opened a blank Word document on one of the computers and wrote "hello". He then waited and waited until the computer suddenly began to type on its own: "hello, you won't catch us." The experts were now determined to catch the mysterious hackers and went on to find out how they had managed to gain control over something as important as the domain controller.

They discovered that a bank employee had received an email from someone who claimed to be a legitimate customer, but in reality, the email was completely fake. To make things even worse, the email had a malicious Word document attached to it, infected with malware. Once the bank employee opened the document, the malware activated itself and installed a VNC backdoor on the computer. This is known as a spear-phishing attack. In these types of attacks, hackers try to create emails that mimic real people or businesses to look as credible as possible. These emails usually have an infected file attached to them, which can be anything from a Word, Excel, or PowerPoint document, and in some cases, even images or video files.

Once the hackers successfully infected a computer, they could now remotely watch and control the machine. The attackers then used this infected PC to infect the rest of the machines connected to the network and to search for the administrator's computer. They would slow down the admin computer by running as many background programs as possible, hoping that one of the bank employees would eventually contact IT support to fix the PC. This is exactly what happened. Once IT support arrived, they entered the admin passwords and tried to fix the problems on the computer. However, they didn't fix anything. Instead, they had just compromised the security of the entire bank thanks to a keylogger, a program that records every keystroke made on the keyboard. The hackers obtained the admin passwords and were now able to log into the admin account and infect the remaining network of the bank. The hackers now had access to absolutely everything, and this is where phase 3 started. They would spy on the employees for months until they knew how they operated.

In recent years, the Carbanak group had been infiltrating numerous financial institutions and had successfully stolen over $700 million. Following this incident, the investigation became more serious as the JCAT task force cooperated with various intelligence agencies such as the FBI, CIA, Romanian, Russian, and Moldovan intelligence agencies. However, as the experts got closer to the Carbanak group, the hackers suddenly disappeared for a few months. They eventually returned and committed the biggest mistake of their hacking careers in Taiwan in 2016.

The cybercrime group resumed their illegal activities in Taiwan, but two inexperienced money mules caused a massive problem for the Carbanak group. While the mules were retrieving money from hacked ATMs, an unsuspecting Taiwanese resident approached the bank to withdraw money. As the resident approached, the two money mules got nervous and left quickly, forgetting a stack of 60,000 NT dollars in the ATM. Surprised by the strange behavior of the two men, combined with the fact that they left a decent amount of money behind, the resident alerted the police. The Taiwanese police acted quickly, watching CCTV footage of the ATMs and realizing that something was off. They eventually tracked down the address of the two men, leading to the identification of 22 suspects. Most of the suspects were Russians, and the rest were from Eastern Europe.

The Carbanak group was in big trouble, and even though 19 of the 22 suspects had already escaped Taiwan, three were still in the country, alone, with millions of dollars in cash. One of the remaining suspects was a Latvian man known as Andreas Pergodovs, who was the alleged leader of the operation. After seeing his face on national TV, he quickly decided to cut his ties with the money, went to a mountainous area near Donghu Park in Taipei, hid two bags full of cash, and proceeded to travel to the Yilan province.

The other two remaining members of the gang stored their part of the stolen money in the luggage lockers at the Taipei train station. Only a few hours later, two men from Eastern Europe picked up the luggage and calmly went back to their hotel, unaware that hundreds of police officers were watching them through the Taiwanese CCTV camera network. Once they arrived at the hotel and left their luggage in their room, they went to have brunch in the hotel's restaurant. This is where the police finally took action and arrested the two men in a perfectly coordinated operation. The police also captured Andreas Pergodovs on the same day, making the first arrest in the Carbanak case.

In 2018, Spanish authorities were investigating a criminal organization that was laundering money in Spain. With the help of Interpol, an international law enforcement agency, the Spanish police found out who was delivering the money that was being laundered and who their clients were. By coincidence, they discovered that one of the clients of the money laundering criminals was a Ukrainian computer specialist known as Dennis K. After thoroughly investigating this man, it was revealed that he had links to the Russian and Moldovan mafia and that he had coordinated several cyber-attacks for them since 2013. While the mafia provided Dennis K with the money mules, he would pay a hefty 40 percent of all his profits to these Eastern European criminal organizations.

Dennis K and three other members of the group were finally arrested in the port city of Alicante in 2018. Upon raiding their property, the police found boxes full of jewelry, two BMWs, and 15,000 bitcoins, which were worth about $150 million at the time. However, the rest of the $1 billion was never found. Although Dennis K was supposedly the leader of the group, Kaspersky Lab believes that there are many more people involved in this.
