Europol announced today that Spanish police has arrested a man suspect of being the mastermind behind the Carbanak hacking group, known for some of the biggest bank cyber-heists in recent years.

Europol said the Carbanak gang —also known as Cobalt— had carried out over 100 hacks across 40 different countries, stealing over €1 billion ($1.24 billion), with a hack average of €10 million ($12.4 million) per heist.

Carbanak group attacks banks and ATM systems only

The Carbanak gang is infamous because it only attacked banks, e-payment systems, and financial institutions. The gang's activities can be split in three main phases, depending on the malware they used for attacks:

2013 - 2014 — the group developed and used Anunak malware and targeted mainly financial institutions and ATM networks.

2014 - 2016 — the group developed and used Carbanak malware, a newer and more sophisticated version of Anunak.

2016 - 2017 — the group developed custom malware using Cobalt Strike, a legitimate penetration testing framework.

Carbanak hackers operated in the same way for each hack

While the group's malware varied, the Carbanak gang always followed the same modus operandi when carrying out the attacks, a modus operandi that has now been copied by many other groups.

All attacks would start with hackers sending spear-phishing emails to their targets. Emails used domain spoofing to impersonate legitimate business partners or collaborators and contained a file attachment with malicious software.

Attackers usually relied on infecting one target and then spreading to the rest of the internal network, looking for computers that had access to software used for managing the target's funds. This included software that controlled ATMs, bank accounts, money transfers, and more.

Hackers had three ways of stealing money

Once they gained access to these systems, hackers choose one of three methods of stealing money.

The first was to coordinate with money mule groups and make ATMs spit out cash at a predetermined hour and day. Money mules would pick up the funds, some of which would end up back with the Carbanak group after intermediaries took their cuts.

Second, the Carbanak group would transfer money from legitimate accounts to the ones they or their money mules owned, who would then empty accounts at ATMs, or use the accounts to buy expensive products and launder the money.

Third, crooks would use their access to the bank's internal network to artificially inflate the money balance of accounts created by money mules in advance, without transferring funds from other accounts. Same as before, money mules would empty accounts as soon as possible.

Some of the criminal profits were also laundered via cryptocurrencies. Investigators said hackers also used prepaid cards linked to the cryptocurrency wallets which were used to buy goods such as luxury cars and houses.

The arrest of the Carbanak leader is expected to hinder the group's operations, if not kill it entirely. Authorities have not released the man's name, but only said he's been arrested in the city of Alicante, Spain, after a massive and lengthy investigation that included officers and support from Europol, the FBI, the private cyber-security sector, the banking sector, and the Spanish, Romanian, Belarussian, and Taiwanese national police forces.

UPDATE: Post-publication, Ukrainian police also posted details about arresting another member of the Carbanak/Cobalt crew. Spanish police have also released a video from the arrest.