The Biggest Digital Heist in History Isn’t Over Yet

(Bloomberg Businessweek) -- As night fell in Taipei on July 10, 2016, most people in the city were hunkered down to ride out the end of a typhoon. Not Sergey Berezovsky and Vladimir Berkman. The two Russians made their way through the rain to an ATM at First Commercial Bank, one of Taiwan’s top lenders. Wearing hats and antipollution masks, they loitered at the machine for a moment. Then, as the astonished couple in line behind them later told the police, the ATM started disgorging cash without either man touching it. The men shoved the bills into a satchel and brushed past them. As the Russians drove off in a black sedan, the couple spotted something on the ground: One of the guys had dropped his bank card.

By the time detectives traced Berezovsky and Berkman to the nearby Grand Hyatt the next day, the Russians had already jetted off to Moscow by way of Hong Kong. And they were just two of 15 “money mules” who’d hit 41 ATMs at 22 branches of First Commercial over that stormy weekend, the cops learned, taking 83 million New Taiwan dollars (NT$), or about $2.6 million. Hackers, investigators discovered, had forced the machines to spit out cash.

The Carbanak gang had struck again.

Before WannaCry, before the Sony Pictures hack, and before the breaches that opened up Equifax and Yahoo!, there was a nasty bit of malware known as Carbanak. Unlike those spectacular attacks, this malware wasn’t created by people interested in paralyzing institutions for ransom, publishing embarrassing emails, or taking personal data. The Carbanak guys just wanted loot, and lots of it.

Since late 2013, this band of cybercriminals has penetrated the digital inner sanctums of more than 100 banks in 40 nations, including Germany, Russia, Ukraine, and the U.S., and stolen about $1.2 billion, according to Europol, the European Union’s law enforcement agency. The string of thefts, collectively dubbed Carbanak—a mashup of a hacking program and the word “bank”—is believed to be the biggest digital bank heist ever. In a series of exclusive interviews with Bloomberg Businessweek, law enforcement officials and computer-crime experts provided revelations about their three-year pursuit of the gang and the mechanics of a caper that’s become the stuff of legend in the digital underworld.

Besides forcing ATMs to cough up money, the thieves inflated account balances and shuttled millions of dollars around the globe. Deploying the same espionage methods used by intelligence agencies, they appropriated the identities of network administrators and executives and plumbed files for sensitive information about security and account management practices. The gang operated through remotely accessed computers and hid their tracks in a sea of internet addresses. “Carbanak is the first time we saw such novel methods used to penetrate big financial institutions and their networks,” says James Chappell, co-founder and chief innovation officer of Digital Shadows Ltd., a London intelligence firm that works with the Bank of England and other lending institutions. “It’s the breadth of the attacks, that’s what’s truly different about this one.”

For years police and banking-industry sleuths doubted they’d ever catch the phantoms behind Carbanak. Then, in March, the Spanish National Police arrested Ukrainian citizen Denis Katana in the Mediterranean port city of Alicante. The authorities have held him since then on suspicion of being the brains of the operation. Katana’s lawyer, Jose Esteve Villaescusa, declined to comment, and his client’s alleged confederates couldn’t be reached for comment. While Katana hasn’t been charged with a crime, Spanish detectives say financial information, emails, and other data trails show he was the architect of a conspiracy that spanned three continents. And there are signs that the Carbanak gang is far from finished.

Carbanak first surfaced in Kiev, when executives at a Ukrainian bank realized they were missing a bunch of money. Security cameras showed the lender’s ATMs dispensing cash in the predawn hours to people who didn’t bother to insert cards or punch in PINs. The bank hired the Russian cybersecurity firm Kaspersky Lab to check it out. Initially, the researchers suspected that hackers had infected the machines with malware from a handheld device. “What we found instead was something else,” says David Emm, Kaspersky’s principal security researcher.

Someone had sent emails to the bank’s employees with Microsoft Word attachments, purporting to be from suppliers such as ATM manufacturers. It was a classic spear-phishing gambit. When opened, the attachments downloaded a piece of malicious code based on Carberp, a so-called Trojan that unlocked a secret backdoor to the bank’s network. The malware siphoned confidential data from bank employees and relayed the information to a server the hackers controlled. Delving deeper, the Kaspersky team found that intruders were taking control of the cameras on hundreds of PCs inside the organization, capturing screenshots and recording keystrokes. Soon, the researchers learned that other banks in Russia and Ukraine had been hacked the same way.

The attackers cased their targets for months, says Kaspersky. The Carbanak crew was looking for executives with the authority to direct the flow of money between accounts, to other lenders, and to ATMs. They were also studying when and how the bank moved money around. The thieves didn’t want to do anything that would catch the eyes of security. State-backed spies use this type of reconnaissance in what’s known as an advanced persistent threat. “In those instances, the attacks are designed to steal data, not get their hands on money,” Emm says. When the time was right, the thieves used the verification codes of bank officers to create legit-looking transactions.

By the fall of 2014, the authorities realized they were dealing with something new. That October, Keith Gross, chair of the cybersecurity group for a European bank lobby, called a crash meeting with experts from Citigroup, Deutsche Bank, and other major European lenders. In a meeting room at Europol’s fortress-like headquarters in The Hague, Kaspersky researchers briefed the bank officials on what they’d found in Ukraine. “I’ve never seen anything like this before,” Troels Oerting, then the head of Europol’s Cybercrime Centre, told the group. “It’s a well-orchestrated malware attack, it’s very sophisticated, and it’s global.”

So Europol went global, too, enlisting help from law enforcement agencies in Belarus, Moldova, Romania, Spain, Taiwan, the U.S., as well as bank industry representatives. It set up a secure online clearinghouse where investigators could cross-check data and find links between the thefts, says Fernando Ruiz, head of operations in Europol’s cybercrime unit. At the heart of its operation was a lab where technicians dissected the two dozen samples of malware identified in the Carbanak thefts. By isolating unique characteristics in the code, detectives could trace where the programs came from and maybe who was using them. The work led them toward Denis Katana’s apartment in Alicante, a four-hour drive southeast of Madrid. “This is what the Spanish police used to open their investigation,” Ruiz says.

Carlos Yuste, a chief inspector in the National Police’s cybercrime center, took it from there. Yuste, a cerebral veteran detective with salt-and-pepper hair, and his chatty younger partner, Javier Sanchez, started taking a closer look at 34-year-old Katana. He used offshore servers for his computing needs—not unlawful, but unusual. More interesting, he was visited by Romanians and Moldovans linked to organized crime. Yuste ordered surveillance, but he and Sanchez labored to build a case for a wiretap or arrest.

From a distance, Katana appeared to be just another immigrant building a new life in the West. A skinny, smallish man, he shared a modest 1,100-square-foot apartment with his Ukrainian wife and young son and didn’t seem to have much of a social life. He wasn’t trying to learn Spanish, and the cops never once saw him visit San Juan Beach, the long stretch of golden sand just a few blocks away. He appeared to have a much more active life online, often toiling on his laptop until sunrise.

Slowly, Yuste and Sanchez started piecing together how they believed Katana was working on the Carbanak thefts with three other men in Ukraine and Russia. One sent the malicious emails, another was a database expert, and the third cleaned up the gang’s digital footprints, the police say. As for Katana, Sanchez says he handled the most critical and complex task: He allegedly conducted the reconnaissance of banking systems and then shuffled money around the network like an air traffic controller. In his hands, it was art as much as science, the police say. “This guy is in another league, he’s like Rafa Nadal playing tennis,” Yuste says. “There are few people in the world capable of doing what he did.”

Just as the police started to make strides, the Carbanak crew opened another front, says Kaspersky’s Emm. In the first half of 2016, the thieves sent spear-phishing emails that looked like messages from legitimate financial institutions. When bank employees opened the emails’ attachments, they downloaded malware based on a program called Cobalt Strike, which is designed to let security officers hack their own institutions to find vulnerabilities, like in a war game. The Carbanak-Cobalt gang was able to extract $12 million per heist, says Europol. The thieves’ nimbleness was sobering. “Sometimes the investigation looked good,” Ruiz says, “and sometimes it looked like we’d reached a dead end.”

The Carbanak crew did have one weakness that wasn’t easy to finesse: humans. On July 16, 2016, six days after the suspected Russian mules Berezovsky and Berkman allegedly hit ATMs in the wake of Typhoon Nepartak, two other men linked to the thefts landed in Taipei. After clearing customs at Taiwan Taoyuan International Airport, Mihail Colibaba and Nicolae Pencov took a taxi to the central railway station. There they entered the baggage storage facility and, after receiving access codes by text, took suitcases from three separate lockers, according to police. The bags held NT$60 million in bundles of crisp blue NT$1,000 notes. The men then checked into the Grand Victoria Hotel across from the city’s mammoth Ferris wheel and holed up in their rooms for the next 24 hours. At about 8 p.m. the next day, they enjoyed a leisurely dinner at the hotel’s restaurant. Their job was nearly done. As the pair left the dining room, police confronted them and took them into custody. They’d been under surveillance since they left the railway station the day before.

They have the sloppy tradecraft of their alleged accomplices, Berezovsky and Berkman, to thank for their capture. After the police got hold of the bank card one of the men had dropped the prior Sunday, Hsin-Yi Tseng, a 28-year-old detective in Taipei’s Criminal Investigation Bureau, coordinated a citywide sweep to map out the scope of the ATM heists. She had scores of officers scan security camera footage, and her colleagues managed to track down another mule, whom they followed to the railway station. They watched him stash the three cash-stuffed suitcases in lockers and waited to see who came to collect them. It was Colibaba and Pencov, who are now serving four and a half years in prison. Colibaba’s iPhone contained photos of stacks of cash in different currencies about the size of the piles in the suitcases, and, Tseng says, email exchanges with a man who appeared to be in charge of the operation. They traced the man to Alicante.

Yuste and Sanchez say Katana didn’t ease up on the bank raids. In early 2017, mules extracted $4 million from ATMs in Madrid after Katana allegedly took control of accounts inside Russian and Kazakh lenders. That was a mistake, because it enabled Yuste to get judicial approval to wiretap Katana’s phones. The funny thing is Katana didn’t need the money, Sanchez says. Katana was laundering his money through a Bitcoin warehouse he’d bought in China, had already converted most of his cash into Bitcoin, and was constructing a mansion in Alicante. “It was a kind of game for him,” Sanchez says. “To attack a bank wasn’t about ‘Let’s steal a million dollars.’ It was, ‘Let’s crack the security the bank is putting in our way.’  ”

Earlier this year the detectives learned Katana and his partners were preparing to up their game with the release of a more potent version of Carbanak. On the morning of March 6, a police officer knocked on the door of his apartment. Katana answered with a resigned look. He didn’t resist as more than a dozen armed cops entered and bagged his laptop and other evidence. In addition to jewelry and two BMWs in his name, they found 15,000 Bitcoins, then valued at about $162 million. Law enforcement officials worldwide were jubilant.

Yet experts point out that even if Katana was the mastermind, he was just one guy in a crime that surely must have had many authors. Unlike the bank jobs of yore, digital heists are amoeba-like ventures that divide over and over again as the malware proliferates. “We’ve already seen the modification of Carbanak and multiple groups using it,” says Kimberly Goody, an analyst at security software maker FireEye Inc. “Same case with Cobalt.”

In recent weeks, employees at banks in the Russian-speaking world have been receiving emails that appear to be from Kaspersky, the security company that unearthed Carbanak. The messages warn recipients that their PCs have been flagged for possibly violating the law and they should download a complaint letter or face penalties. When they click on the attachment, a version of the Cobalt malware infects their networks. It turns out cyberheists may not die even when their suspected perpetrators are nabbed.

To contact the editor responsible for this story: Jeff Muskus at jmuskus@bloomberg.net, Daniel Ferrara

©2018 Bloomberg L.P.