How Hackers Stole $1 Billion Dollars From Banks, ATMs Across the Globe

By Jonathan Zhou
Jonathan Zhou
Jonathan Zhou
Jonathan Zhou is a tech reporter who has written about drones, artificial intelligence, and space exploration.
February 16, 2015 Updated: February 16, 2015

A group of cyber-criminals stole as much as $1 billion dollars from over 100 financial institutions over 2 years via a phishing campaign targeting bank employees, according to a report Kaspersky Labs produced with help from law enforcement agencies.

Banks from the United States, Germany, and China were all targeted, but a majority of the victims were Russian-speaking, and the logs for the malicious tools trace the hackers to IP addresses in Ukraine, France, and China.

Here’s how it all worked.

Once a banking employee was successfully phished by clicking on an infected attachment, the hackers gained access to the system and could observe how bank clerks worked. The first method of theft was to inflate a legitimate account’s balance then transfer the excess to the hackers’ accounts in China or the United States. The second was to have ATM machines dispense cash directly to the hackers.

One bank lost $7.3 million from an ATM attack, and another lost $10 million through fraudulent transfer schemes.

The group, using malware dubbed “Carbanak” by Kaspersky Labs, conducted most of their attacks between April and September of 2014, and ceased operations almost entirely since December. Kaspersky’s analyst team said the group was now expanding operations in “Malaysia, Nepal, Kuwait, and several regions in Africa.”

Banks are not the group’s only targets, according to the cyber-security firm Fox-IT, which published a report on Carbanak in December.

“The compromises outside Russia related to retail compromises with the goal of obtaining credit card data to create counterfeit credit cards,” Fox-IT CTO Ronald Prins said in a press release on Monday.

The Kaspersky report said that Carbanak’s central innovation was to pose as bank clerks within the online systems, which allowed it to bypass traditional fraud detection services that monitor customer activities.

“We believe that the Carbanak campaign is a clear indicator of a new era in cybercrime in which criminals use APT [advanced persistent threat] techniques directly against the financial industry instead of through its customers,” the report said. 

Jonathan Zhou is a tech reporter who has written about drones, artificial intelligence, and space exploration.