successful incident investigations in Russia and Europe


of all high-profile investigation cases in the field of high-tech crime in Russia are supported by Group-IB experts

$110 mln

was returned to a client company
as the result of our investigation


DDoS attack investigation in Russia was conducted by Group-IB specialists in 2009

High-tech crime investigations are the oldest area of our activity. We are proud to have played an active role in the successful initiation and completion of the first and since then continue to be involved in the largest investigative criminal cases in Russia, legal proceedings against perpetrators and organizers of DDoS attacks, and the exposure of global hacker groups.
Group-IB has the largest forensic laboratory in Eastern Europe, which professional expertise is in demand both in Russia and abroad. Joint efforts of forensic specialists and skilled experts guarantee identification of the criminal and professional evidence collection.

Investigation Department

Any illegal action where a computer or digital media was used an instrument of crime can be investigated by our specialists. We identify the mechanisms, recreate the sequence of events, collect digital evidence, all leading us to the perpetrators of the crime to help bring them to justice.

The main goal of our investigation is to bring the perpetrators to justice. If necessary, we will continue to be involved in the case until a sentence is carried out, by consulting with lawyers, investigation officers, or providing testimony in court.

From our criminal investigative experience, we have deep knowledge of criminal schemes ranging from recruiting insiders and developing malicious programs to withdrawing and cashing out money, which enables us to immobilize the attackers before the businesses suffer major damage.

Each investigation is conducted by a special project team of experts. The data collection, search and analysis are performed by our specialists in the following areas:

  • financial crime
  • accounting and financial audit
  • economic security
  • e-discovery and forensics
  • compliance
  • corporate and civil law

Cyber intelligence analysis provided by Group-IB’s
Intelligence system, a network of honeypots HoneyNet, and innovative products developed by Group-IB enable us to see the complete picture of an incident, which is inaccessible to our competitors.

We leverage close cooperation with international law enforcement agencies to get the criminals, wherever they hide. On June 17, 2015 Europol’s European Cybercrime Centre (EC3) signed an MoU with Group-IB in order to establish cooperation in fighting cybercrime.

We are proud of our close cooperation with Interpol. During one of our recent joint operations Group-IB contributed to a series of actions as a part of an international police operation to disrupt the Dorkbot botnet server which was responsible for spreading malware designed to steal victim’s credentials for their online banking services.

Our clients can rely on our expert investigation as well as prompt assistance: CERT-GIB will help deal with the consequences of the incident while the Audit Department will protect your system from future attacks.

We investigate:

Targeted attacks

DDoS attacks

Unsanctioned access

Financial crimes

Asset and intellectual property misappropriation, products counterfeiting etc.

Corporate crimes

Espionage, raiding, commercial data breach and other abuse

Theft and fraud

Money theft, illegal use of brand and other crimes

Laboratory of Computer Forensics
and Malicious Code Analysis

Group-IB’s Lab has more than ten years of experience collecting and preserving digital evidence. We know what and how to search for on any data storage device, even if the data has been removed, hidden or encrypted.

We apply the most advanced equipment, software, and well-known Russian and foreign cyber forensic products to identify and collect evidence.

We use a set of mobile forensic tools to carry out a scene inspection and perform investigation activities, which enables us to collect evidence without affecting data integrity (preserving the data carrier in the evidence base) and conduct express on-site investigation.

In addition to the information itself the forensic analyst needs to know the history of data creation, access and use. We have developed innovative solutions which enable us to recreate criminal events second-by-second and discover malicious files, which antivirus cannot detect.

Malicious programs are analyzed by our special virus analysis division, whose primary function is to detect and preserve trails which lead to developers and operators of the attack.

Synergy of Group-IB forensic specialists and virus analysts’ activity provides prompt, complete and, most importantly, high-quality investigation.

Our high-quality expertise has gained the confidence of corporate clients and international law enforcement agencies.

Group-IB’s Lab is the only laboratory in Russia which specialists are certified by GIAC in Digital Forensics and Malware Analysis. Our expert results are guaranteed to be accepted as evidences both in Russian and foreign courts.

Our services

Outsourcing and independent expertise

High-profile Investigations

Group-IB cooperates on an international basis with Law Enforcement, sharing our unique investigative
capabilities with Interpol, Europol and national police worldwide. Group-IB has conducted the following
investigations into cyber criminal groups, leading to arrests or decrease in criminal activity:

#DDoS attacks
#targeted attacks on banks
#malware development
Infamous for: The North Korean hacker group has spied on ideological enemies of the regime — state institutions and private corporations in the United States and South Korea — for years. Now Lazarus attacks banks and financial institutions throughout the world. The most large-scale attack happened in February 2016, when hackers tried to steal about $1bln from the Central Bank of Bangladesh by exploiting weaknesses in the bank’s security to infiltrate its system and gain access to computers with access to the SWIFT network. Due to a mistake in the payment document, the attackers managed to steal only $81 million.
Status: Active
Download Report
#targeted attacks on banks
Infamous for: The group has attacked banks across the world. The group specializes in contactless (logical) attacks on ATMs. Cobalt has also turned their efforts to stealing from card processing systems, SWIFT systems and payment gateways.
Status: The arrest of 5 money mules associated with Cobalt has not affected the group activity. They continue to pose a high risk to financial institutions.

Download Report
#thefts from individuals
  using Android Trojans
Infamous for: this group stole money from bank accounts of Android smartphone users. The hackers infected 3,500 mobile devices per day during the height of their operations, in total, infecting over 1 mln devices. The total damage from Cron’s activity amounted to approximately $800 000. In June 2016 the criminals rented a mobile banking Trojan Tiny.z. This universal tool has capabilities to attack Android devices of both Russian and international banks’ customers.
Status: Disrupted. In November 2016, a large-scale operation was carried out in 6 Russian regions: 16 Cron members were detained. The last active member of the group was detained in early April in St. Petersburg.
More details on our blog
#thefts from individuals
#thefts from companies
#targeted attacks on banks
Infamous for: In February 2015, the group conducted the first major successful attack on a trading system that provoked hacking induced exchange volatility. By infecting the bank’s internal network, the criminals managed to access an exchange terminal and conducted a series of operations, which made the Dollar/Ruble exchange rate jump by almost 20%.
Status: Suspended activity.
#thefts from companies
#targeted attacks on banks
#malware development
Infamous for: a solid example of a top criminal group refocusing from attacks against bank clients to attacks directly targeting financial institutions. From August 2015 to February 2016, this gang conducted 13 successful attacks on Russian banks causing direct losses in the amount of 1.8 billion rubles ($25 million USD). The loss to fraud was 2.5 times larger than the bank’s charter capital in two cases.
Status: The group has suspended attacks on banks. They sold their botnet to other attackers, who are currently conducting thefts from legal entities.
Download Report
#thefts from individuals
#thefts from companies
Infamous for: This hacker group stole money through SMS banking and created phishing web pages to steal credit card data and online banking credentials. With credentials compromised and access to victim’s messages from the bank in their hands, the fraudsters were able to successfully make fraudulent payments. The criminals called their malware 5th Reich and used the Nazi symbols in the control system.
Status: 4 group members were arrested. Legal proceedings have been launched against the criminals.
#thefts from individuals
#thefts from companies
#malware development
Infamous for: The largest criminal gang in Russia managed to infect over 1.5 million computers and steal approximately $250 million from Russian bank accounts.
Status: Disrupted. The first case in Russia when all members of the criminal group were arrested; the leaders were sentenced to 5 and 7 years in prison accordingly.
Hodprot group
#thefts from individuals
#thefts from companies
Infamous for: One of the oldest Russian hacker gangs is known to have stolen approximately 125 million rubles from Russian bank accounts. To hide their activity, the criminals used control servers located abroad — in the Netherlands, Germany, France and the USA.
Status: All members of the criminal group have been arrested. Legal proceedings have been launched against the criminals.
Carbanak / Anunak
#targeted attacks on banks
#thefts from individuals
#thefts from companies
Infamous for: the first successful targeted attacks on banks in Russia. It is the most experienced group — having attacked over 50 Russian banks and 5 payment systems in 2013-2014, which resulted in total thefts of more than 1 billion rubles (about $25 million USD). They also infected POS terminals in US and European retail chains. The group has a number of successors copying their tactics.
Status: The group has not performed successful thefts in Russia since early 2015. Their Trojan is still known to be used for attacks on companies outside the CIS.
Download report
#thefts from individuals
#thefts from companies
Infamous for: The largest botnet in Russia — known to have infected 4.5 million computers. The volume of fraud is estimated at more than 150 million rubles.
Status: The leader of the group has been arrested and charged with thefts in a range of countries.
Hameleon group
#thefts from individuals
Infamous for: The group created the first Russian botnet designed to steal money from personal bank accounts. The criminal conducted attacks against bank clients using counterfeit SIM cards.
Status: The investigation resulted in fraud prevention to the sum of 1 billion rubles. The leader of the group has been arrested.
#DDoS attacks
Infamous for: The group created a botnet designed to conduct paid DDoS attacks. Hackers targeted several British and Russian companies, including one of the top 10 Russian largest banks.
Status: The group leader has been arrested.
#DDoS attacks
Infamous for: The hacker was involved in DDoS attacks against Tinkoff Bank, Alfa-Bank, Promsvyazbank, Kaspersky Lab and large Internet portals. He is known to have demanded payment to stop further attacks.
Status: Found guilty under Russian legislation.
Paunch (BlackHole)
#thefts from individuals
#thefts from companies
#malware development
Infamous for: Author of widely used exploit kits. Up to 40% of infections worldwide were conducted using these products online.
Status: The group leader was sentenced to 7 years in a Russian penal colony in April 2016.
#thefts from individuals
  using Android Trojans
Infamous for: The first criminal group who were arrested for money theft conducted using malicious mobile apps in Russia.
Status: The investigation is ongoing.
Popelysh brothers
#thefts from companies
#targeted attacks on banks
#malware development
Infamous for: In 2010 the Popelysh brothers stole 13 mln rubles from accounts of over 170 bank clients in 46 Russian regions. Criminals were arrested, however they received only a suspended sentence and stayed at large. Even during the investigation the brothers were continuing to steal from bank clients — in total, they compromised over 7000 accounts, which resulted in the theft of 11 mln rubles.
Status: The twins were again arrested in May 2015 in Saint Petersburg. The sentencing is expected soon.

Report an incident

24/7 Incident Response Assistance +7 495 984-33-64

* Your data is protected by Privacy Policy
Thank you!
We will contact you soon.
Report an incident