Cybercrime gang leader who caused ATMs to spit cash is arrested

Europol has caught another notorious hacker in Spain.

The leader of Russian-Ukrainian cybercrime gang Carbanak, allegedly responsible for stealing billions of euros from hundreds of banks, has been arrested in Spain.

Over the last five years, the “Carbanak” group has stolen roughly 1.2 billion euros from more than 100 financial institutions, according to a dual announcement Monday by Europol and police in Spain. Carbanak is the name for the cybercrime group as well as its characteristic hacking tool: a malware framework designed to allow the attacker to covertly move money around between different bank accounts.

An individual leading the criminal entity was recently arrested, but police have yet to release their name. At least two other members of Carbanak were also reportedly arrested in a related investigation.

In various cases, Carbanak was able to successfully spearphish banking employees. These breaches saw complex malware spread inside the companies, redirecting funds from legitimate accounts to ATM machines in Eastern Europe which would then dispense cash to “money mules” waiting on the ground.


When Carbanak infects a system, it allows for complete remote access, including the ability to record keystrokes and gain access to the computer’s video camera, according to prior research by cybersecurity companies Kaspersky Lab, IB Group and FireEye. There have been multiple iterations of the Carbanak malware, meaning that the group was likely continuously developing and upgrading its toolset.

The arrest marks yet another high-profile win for Europol after the law enforcement organization also arrested Russian hacker Peter Levashov, who ran the notorious Kelihos botnet, in Spain earlier this year.

Security researchers have been tracking Carbanak for years, attributing multiple breaches to their criminal activities. But until today, little was known publicly about who exactly was behind Carbanak. Often the group would convert their illicit gains into Bitcoin before purchasing assets, making them difficult to track.

Written by Chris Bing

Christopher J. Bing is a cybersecurity reporter for CyberScoop. He has written about security, technology and policy for the American City Business Journals, DC Inno, International Policy Digest and The Daily Caller. Chris became interested in journalism as a result of growing up in Venezuela and watching the country shift from a democracy to a dictatorship between 1991 and 2009. Chris is an alumnus of St. Mary's College of Maryland, a small liberal arts school based in Southern Maryland. He's a fan of Premier League football, authentic Laotian food and his dog, Sam.