Police arrest the man behind a billion-dollar cybercrime spree that tricked ATMs into spitting out free cash

Surveillance video shows a man removing cash from an ATM without entering any information as part of the malware attack.

caption
Surveillance video shows a man removing cash from an ATM without entering any information as part of the malware attack.
source
Business Insider/YouTube

  • Police announced the arrest of the suspected mastermind of the so-called Carbanak and Cobalt strains of malware.
  • The man, Denis K., was detained in Alicante, Spain, earlier this month.
  • Europol said he was behind the malware strains, which could trick ATMs into handing out money to people standing nearby.

The suspected mastermind of a billion-dollar cybercrime network, which tricked ATMs into spitting out cash unprompted, has been arrested.

According to European police, the head of a criminal gang behind widespread pieces of malware, called Carbanak and Cobalt, was detained in Alicante, Spain. He was named in Spanish media as Denis K., a Ukrainian national.

Spain’s national police released a video showing the arrest. A man can be seen being led to a police car, but his identity is obscured by a hood.

In a press release issued Monday, the pan-European policing agency Europol explained the enormous losses caused to banks who fell victim to the malware, which affected 12 countries over the course of four years.

Both pieces of malware were distributed by so-called spear-phishing attacks on employees in banks – targeted fake emails designed to trick people into compromising their machines.

A map showing countries affected by the malware.

caption
A map showing countries affected by the malware.
source
Europol

Hackers were then able to take over internal bank systems and syphon huge amounts of cash. The total cost was estimated at €1 billion ($1.2 billion, £870,000).

One of the more eye-catching methods used to remove cash from banks was by tricking ATM machines to spit out money for no reason.

The machines could be instructed to dispense a predetermined amount of cash at a given location and time. Criminal gangs would then send people to stand by the ATM at the right moment and pick up the cash.

El Mundo, a Spanish newspaper, published video of a suspect in the attack being given money by an ATM without touching it. He waits a short while and is given another delivery of cash, then walks away.

To anybody not paying close attention, it could look like a regular withdrawal, and once the cash is gone it is very difficult to trace.

The gangs also used other methods to extract cash from banks, Europol said.

These include direct electronic transfers from bank funds to criminal accounts, and also editing bank databases to inflate the contents of given accounts, which could then be emptied.

Europol said the cash was then converted into cryptocurrency wallets, a method increasingly favoured by organised criminals.

The agency listed nations which had been affected as the United Kingdom, Spain, Belgium, the Czech Republic, Belarus, Romania, Bulgaria, Kazakhstan, Azerbaijan, Kyrgyzstan, Taiwan, and Thailand.

Europol said the operation involved its own agents, Spain’s national police, the FBI, Romanian, Belorussian, and Taiwanese enforcement agencies.