successful incident investigations in Russia and Europe


of all high-profile investigation cases in the field of high-tech crime in Russia are supported by Group-IB experts

$110 mln

was returned to a client company as a result of our investigation


DDoS attack investigation in Russia was conducted by Group-IB specialists in 2009

High-tech crime investigations are the oldest area of our activity. We are proud to have played an active role in the successful initiation and completion of the first investigative criminal cases in Russia, and since then we have continued to be involved in the largest ones, in legal proceedings against perpetrators and organizers of DDoS attacks, and in the exposure of global hacker groups.
Group-IB has the largest forensic laboratory in Eastern Europe, whose professional expertise is in demand both in Russia and abroad. Joint efforts of forensic specialists and skilled experts guarantee identification of the criminal and professional evidence collection.

Investigation Department

Any illegal action in which a computer or digital media was used as an instrument of crime can be investigated by our specialists. We identify the mechanisms, recreate the sequence of events, and collect digital evidence, all of which leads us to the perpetrators of the crime and helps bring them to justice.

The main goal of our investigation is to bring the perpetrators to justice. If necessary, we will continue to be involved in the case until a sentence is carried out, by consulting with lawyers, investigation officers, or providing testimony in court.

From our criminal investigative experience, we have deep knowledge of criminal schemes ranging from recruiting insiders and developing malicious programs to withdrawing and cashing out money, which enables us to immobilize the attackers before the businesses suffer major damage.

Each investigation is conducted by a special project team of experts. The data collection, search and analysis are performed by our specialists in the following areas:

  • financial crime
  • accounting and financial audit
  • economic security
  • e-discovery and forensics
  • compliance
  • corporate and civil law

Cyber intelligence analysis provided by Group-IB’s Intelligence system, the HoneyNet network of honeypots, and innovative products developed by Group-IB enable us to see the complete picture of an incident, which is inaccessible to our competitors.

We leverage close cooperation with international law enforcement agencies to get the criminals, wherever they hide. On June 17, 2015 Europol’s European Cybercrime Centre (EC3) signed an MoU with Group-IB in order to establish cooperation in fighting cybercrime.

We are proud of our close cooperation with Interpol. During one of our recent joint operations, Group-IB contributed to a series of actions as part of an international police operation to disrupt the Dorkbot botnet server, which was responsible for spreading malware designed to steal victims’ credentials for their online banking services.

Our clients can rely on our expert investigation as well as prompt assistance: CERT-GIB will help deal with the consequences of the incident while the Audit Department will protect your system from future attacks.

We investigate:

Targeted attacks

DDoS attacks

Unsanctioned access

Financial crimes

Asset and intellectual property misappropriation, product counterfeiting, etc.

Corporate crimes

Espionage, raiding, commercial data breach and other abuse

Theft and fraud

Money theft, illegal use of brand and other crimes

Laboratory of Computer Forensics and Malicious Code Analysis

Group-IB’s Lab has more than ten years of experience collecting and preserving digital evidence. We know what to search for and how to search for it on any data storage device, even if the data has been removed, hidden or encrypted.

We apply the most advanced equipment, software, and well-known Russian and foreign cyber forensic products to identify and collect evidence.

We use a set of mobile forensic tools to carry out a scene inspection and perform investigation activities, which enables us to collect evidence without affecting data integrity (preserving the data carrier in the evidence base) and conduct express on-site investigation.

In addition to the information itself, the forensic analyst needs to know the history of data creation, access and use. We have developed innovative solutions which enable us to recreate criminal events second by second and discover malicious files that antivirus software cannot detect.

Malicious programs are analyzed by our special virus analysis division, whose primary function is to detect and preserve trails which lead to developers and operators of the attack.

The synergy between Group-IB forensic specialists and virus analysts provides prompt, complete and, most importantly, high-quality investigation.

Our high-quality expertise has gained the confidence of corporate clients and international law enforcement agencies.

Group-IB’s Lab is the only laboratory in Russia whose specialists are certified by GIAC in Digital Forensics and Malware Analysis. Our expert results are guaranteed to be accepted as evidence both in Russian and foreign courts.

Our services

Digital Forensics
Collection of digital evidence
Malicious program analysis
Outsourcing and independent expertise
Cooperation with law enforcement agencies

High-profile Investigations

Cron gang

The group infected more than 1 mln Android devices with the Cron Trojan that stealthily transferred money from users’ bank accounts to accounts controlled by the criminals.


Total damage from Cron's activity amounted to approximately $800 000.

All (more than 20) gang members have been arrested.


The group tried to steal about $1bln from the Central Bank of Bangladesh by exploiting weaknesses in the bank's security and compromised several Polish banks.


Group-IB research cemented the group’s connection to North Korea by providing a full analysis of all of Lazarus’ infrastructure and ultimate attribution.

Paunch (BlackHole)

The group developed platforms to spread malicious programs. Up to 40% of infections worldwide were conducted using their products on the Internet.


The group leader was arrested and sentenced to prison.


The hacker was involved in DDoS attacks against Tinkoff Bank, Alfa-Bank, Promsvyazbank, Kaspersky Lab and large Internet portals. He is known to have demanded payment to stop further attacks.


Found guilty under Russian legislation.


The group created a botnet designed to conduct paid DDoS attacks. Hackers targeted several British and Russian companies, including one of the 10 largest Russian banks.


The group leader has been arrested.

Carberp group

The largest criminal gang in Russia managed to infect over 1.5 million computers and steal approximately $250 million from Russian bank accounts.


The first case in Russia when all members of the criminal group were arrested; the leaders were sentenced to 5 and 7 years in prison respectively.

Hodprot group

One of the oldest Russian hacker gangs is known to have stolen approximately 125 million rubles from Russian bank accounts.


All members of the criminal group have been arrested, even though they are known to have used control servers located abroad — in the Netherlands, Germany, France and the USA. Legal proceedings have been launched against the criminals.

Germes group

The largest botnet in Russia is known to have infected 4.5 million computers. The volume of fraud is estimated at more than 150 million rubles.


The leader of the group which conducted crimes in several countries has been arrested.

Hameleon group

The group created the first Russian botnet designed to steal money from personal bank accounts. The criminal conducted attacks against bank clients using counterfeit SIM cards.


The investigation resulted in the prevention of fraud amounting to 1 billion rubles. The criminal group leader has been arrested.


The first criminal group members who were arrested for money theft conducted using malicious mobile apps in Russia.


The investigation is ongoing.