Global Investigations

Combating computer-based, financial and corporate crimes of varied size and complexity by bringing perpetrators to justice

1000+ successful investigations conducted by a diverse team of Group-IB experts

$300 mln returned to a client company as the result of our efforts

Europol, Interpol and law enforcement agencies support us in carrying out investigations

Why our investigators are in high demand

The main goal of our investigation is to bring the perpetrators to justice. If necessary, we will continue to be involved in the case until a sentence is carried out, by consulting lawyers and providing testimony in court.

Deep knowledge of criminal schemes

Based on 15 years of hands-on experience, we have extensive knowledge of criminal schemes, ranging from recruiting insiders and developing malicious programs to withdrawing and cashing out money. This enables us to immobilize the attackers before businesses or individuals suffer major damage.

Individual approach by special project team

Every investigation is different and may require a different route through the process. Group-IB’s investigations are conducted by a diverse project team consisting of e-Discovery and forensic analysts, economic security, financial audit and corporate law specialists, and financial crime experts.

Collaboration with law enforcement agencies

As technology reaches into nearly all areas of our lives, law enforcement officers are challenged to maintain the skills and tools needed to conduct thorough investigations. Our experts work closely with international police in combating various types of crimes, from computer-based crimes to murders and missing persons cases.

Proprietary technologies for detecting criminals

Group-IB’s investigation department has adopted a proactive approach and developed a set of technologies for identifying groups or individuals who are assessed as being involved in ongoing criminal activity. We accelerate investigations using in-house tools for pattern analysis, network analysis and tactical profiling.

What types of crimes we handle

High-tech crime investigations are the oldest area of our activity. We conduct a wide variety of investigations, including:

Data theft

Competitive espionage, phishing, intellectual property breach, theft of trade secrets, credentials and other sensitive information.

Financial crimes

Cryptocurrency theft, online banking and mobile banking fraud, email fraud, and attacks on ATMs, card processing, SWIFT and payment gateways.

Insider attacks

Abuse of authority, competitive espionage, damage to critical infrastructure, data leakage, account takeover.

Information wars

Extortion, reputational damage, defamation, harassment and identity theft.

Flood attacks

Overload of communication channels (emails, phone calls, social messengers).

DoS/DDoS attacks

Competitive and targeted attacks that overload web services and networks.

Critical infrastructure attacks

Attacks on water supply, transport infrastructure and power grid control systems.

Malware attacks

Malware creation, proliferation and control, botnets, ransomware and spyware.

Along with combating advanced cyber crimes we assist law enforcement bodies in investigating criminal cases such as murders, suicides, robberies, kidnapping and others.

What you get after the investigation

The results of our investigations include:

Detailed threat actor profile

We explore the anatomy of the attack and threat actor’s infrastructure, identify the mechanisms and recreate the sequence of events.

Professional evidence collection for court

Group-IB’s investigators collect all digital evidence in compliance with legal requirements and prepare the documentation required to present that evidence correctly in court.

Law enforcement consultation

Our investigators have sound knowledge of the relevant law and provide full-cycle consultation support to lawyers and law enforcement agencies at every stage of an investigation.

Our high-profile investigation cases

Group-IB has conducted over 1000 successful investigations, leading to arrests or a decrease in criminal activity:

#Android trojans

CRON

Infamous for:

This group stole money from the bank accounts of Android smartphone users. The hackers infected over 1 million devices in total, and the overall damage from Cron’s activity is estimated at approximately $800,000.

Status:

Disrupted. In November 2016, a large-scale operation was carried out in 6 Russian regions, and 16 Cron members were detained. The last active member of the group was arrested in April 2017 in St. Petersburg.

#Malware development

Carberp

Infamous for:

The largest criminal gang in Russia managed to infect over 1.5 million computers and steal approximately $250 million from Russian bank accounts.

Status:

Disrupted. All members of the criminal group were arrested; the leaders were sentenced to 5 and 7 years of imprisonment respectively.

#Thefts from bank accounts

Popelysh brothers

Infamous for:

In the short period from September to December 2010, Sarbin and the Popelysh twins stole approximately 2 million rubles from 16 customers. By February 2011, 170 customers of Russian banks from 46 regions of the country had fallen victim to the criminals, bringing the total amount of funds stolen to 13 million rubles.

The hackers were arrested in spring 2011 but received only mild sentences. Once released, the brothers reverted to their old habits and equipped themselves with new malware. From March 2013 to May 2015, the Popelysh twins’ group gained access to more than 7000 customer accounts at various Russian banks and stole more than 12.5 million rubles.

Status:

In May 2015, the Popelysh twins were detained once again during a joint special operation conducted by the Ministry of Internal Affairs and the Federal Security Service in St. Petersburg. In June 2018, the Popelysh brothers were sentenced to 8 years in prison; their associates received between 4 and 6 years.

#Android trojans

“Fifth Reich”

Infamous for:

The hacker group infected over 340,000 Android-based devices to steal money from bank accounts. The hackers distributed the malware via SMS messages containing a link to download a program disguised as Adobe Flash Player. The criminals dubbed their malware “the fifth Reich” and used Nazi symbols in the control system.

Status:

Four suspects were arrested with the assistance of Administration “K” of the Russian Ministry of Internal Affairs, Group-IB and Sberbank of Russia.

#DDoS attacks

Dragon DDoS-hacker

Infamous for:

The 26-year-old hacker was involved in DDoS attacks against a large financial organization using the Dragon botnet. Group-IB experts carried out the investigation, and the criminal was detained within a record period of one month.

Status:

The hacker was sentenced to 7 years in prison.

#Android smartphones attacks

Mobile banking botnet

Infamous for:

At the end of 2013, Sberbank of Russia security experts recorded a large-scale cyberattack on Android smartphone users. A group of criminals was infecting the smartphones through MMS delivery of so-called “romantic gifts”.

Status:

Through the joint efforts of the Ministry of Internal Affairs, Sberbank of Russia and Group-IB, the criminals were arrested.

#Ransomware #DDoS

Ukrainian DDoS hackers

Infamous for:

The criminal group had been involved in launching DDoS attacks and extortion for over two years. In September 2015, AnastasiaDate, one of the largest international online dating services, faced a powerful DDoS attack. The attack took the company’s website down, and the hackers demanded $10,000 to stop the assault.

During the investigation, Group-IB found that this resource was not the only victim of the ransom seekers. Other attacks targeted online stores, payment systems, and websites offering betting, lottery and gaming services. The ransom demanded by the criminals ranged from $1,000 to $10,000. Most of the victims simply paid and did not appeal to the police.

Status:

Both suspects pleaded guilty to the charges and each received a 5-year suspended sentence.

#Retail companies hacking

Hijacking online accounts

Infamous for:

Two hackers were breaching, hijacking, and selling access to over 700,000 online accounts at Russian-based online stores, payment systems, and bookmaking/betting portals. After gaining access to a victim’s account, the hackers sold it on hacking forums for a price tag of $5 per account. Buyers used the hacked accounts to buy products with the accounts’ bonuses. In some cases, the two hackers also offered “hijacking” services that included changing the account’s phone number and email.

Status:

The perpetrators were arrested and confessed to their actions. The investigation is ongoing.

#Malicious mobile apps

Mobile malware

Infamous for:

The hacker was stealing funds from Russian banks’ customers using Android Trojans. At the height of the activity, victims reportedly lost up to $8,000 daily, and the criminal used cryptocurrency for laundering. The approach was rather elementary: bank customers downloaded a fake mobile app and entered their card details. The Trojan then sent the bank card data or online banking credentials to the C&C server. The threat actor then transferred $200-500 at a time to previously activated bank accounts, bypassing SMS confirmation by intercepting the codes on the victim’s phone. The victims were not aware of the transactions, as all SMS confirmations of transactions were blocked.

Status:

The suspect has confessed to his actions, and the investigation and prosecution continue.

#Targeted attacks on banks

Corkow

Infamous for:

In February 2015, the group conducted the first major successful attack on a trading system, provoking hacking-induced exchange-rate volatility. By infecting the bank’s internal network, the criminals gained access to an exchange terminal and conducted a series of operations that made the dollar/ruble exchange rate jump by almost 20%.

Status:

Suspended activity.

#Malware development

Buhtrap

Infamous for:

A solid example of a top criminal group refocusing from attacks against bank clients to attacks directly targeting financial institutions. From August 2015 to February 2016, this gang conducted 13 successful attacks on Russian banks, causing direct losses of 1.8 billion rubles ($25 million USD). In two cases, the losses were 2.5 times larger than the bank’s charter capital.

Status:

The group has suspended attacks on banks. They sold their botnet to other attackers, who are currently conducting thefts from legal entities.

#DDoS attacks

Lazarus

Infamous for:

The North Korean hacker group has spied on ideological enemies of the regime, state institutions and private corporations in the United States and South Korea, for years. Now Lazarus attacks banks and financial institutions throughout the world. The largest-scale attack happened in February 2016, when the hackers tried to steal about $1 billion from the Central Bank of Bangladesh by exploiting weaknesses in the bank’s security to infiltrate its system and gain access to computers connected to the SWIFT network. Due to a mistake in a payment document, the attackers managed to steal only $81 million.

Status:

Active.

#Targeted attacks on banks

Cobalt

Infamous for:

The group has attacked banks across the world and specializes in contactless (logical) attacks on ATMs. Cobalt has also turned its efforts to stealing from card processing systems, SWIFT systems and payment gateways.

Status:

The arrest of 5 money mules associated with Cobalt has not affected the group’s activity. They continue to pose a high risk to financial institutions.

#Attacks on banks

Hodprot group

Infamous for:

One of the oldest Russian hacker gangs, known to have stolen approximately 125 million rubles from Russian bank accounts. To hide their activity, the criminals used control servers located abroad, in the Netherlands, Germany, France and the USA.

Status:

All members of the criminal group have been arrested. Legal proceedings have been launched against the criminals.

#APT against banks

Anunak / Carbanak

Infamous for:

The first successful targeted attacks on banks in Russia. It is the most experienced group, having attacked over 50 Russian banks and 5 payment systems in 2013-2014, which resulted in total thefts of more than 1 billion rubles (about $25 million USD). They also infected POS terminals in US and European retail chains. The group has a number of successors copying their tactics.

Status:

Disrupted. In November 2016, a large-scale operation was carried out in 6 Russian regions, and 16 Cron members were detained. The last active member of the group was arrested in April 2017 in St. Petersburg.

#Botnet

Germes

Infamous for:

The largest botnet in Russia, known to have infected 4.5 million computers. The volume of fraud is estimated at more than 150 million rubles.

Status:

The leader of the group has been arrested and charged with thefts in a range of countries.

#Botnet

Hameleon group

Infamous for:

The group created the first Russian botnet designed to steal money from personal bank accounts. The criminals conducted attacks against bank clients using counterfeit SIM cards.

Status:

The investigation prevented fraud totalling 1 billion rubles. The leader of the group has been arrested.

#DDoS attacks

PumpWaterReboot

Infamous for:

The hacker was involved in DDoS attacks against Tinkoff Bank, Alfa-Bank, Promsvyazbank, Kaspersky Lab and large Internet portals. He is known to have demanded payment to stop further attacks.

Status:

Found guilty under Russian legislation.

#Malicious software

Paunch (Blackhole)

Infamous for:

Author of widely used exploit kits. Up to 40% of infections worldwide were carried out using these products.

Status:

The group leader was sentenced to 7 years in a Russian penal colony in April 2016.

#Android trojans

Waplook

Infamous for:

The first criminal group in Russia to be arrested for stealing money using malicious mobile apps.

Status:

The investigation is ongoing.

Contact our team to immobilize the attackers in time and get help with finding the perpetrators. Get immediate assistance from our experienced team of investigators.

Report an incident

24/7 Incident Response Assistance +7 495 984-33-64
