Global Investigations

Infamous for:

This group stole money from bank accounts of Android smartphone users. The hackers infected over 1 million devices in total and the overall damage from Cron’s activity is estimated to approximately $800 000.

Status:

Disrupted. In November 2016, a large-scale operation was carried out in 6 Russian regions — 16 Cron members were detained. The last active member of the group was arrested in April 2017 in St. Petersburg.

Arrest video:
 

Read more in our blog

Infamous for:

The largest criminal gang in Russia managed to infect over 1.5 million computers and steal approximately $250 million from Russian bank accounts.

Status:

Disrupted. All members of the criminal group were arrested: the leaders were sentenced to 5 and 7 years of imprisonment accordingly.

Arrest video:
 

Infamous for:

In the short period from September to December 2010, Sarbin and the Popelysh twins stole approximately 2 million rubles from 16 customers. By February 2011, 170 customers of Russian banks from 46 regions in the country had fallen victim to the criminals, bringing the total amount of funds stolen to 13 million rubles.

The hackers were arrested in spring 2011 but received only mild sentences. Once they were released, the brothers reverted to their old habits: they equipped themselves with new malware. From March 2013 to May 2015, the Popelysh twins’ group gained access to more than 7000 customer accounts at various Russian banks and stole more than 12.5 million rubles.

Status:

In May 2015, the Popelysh twins were detained once again during a joint special operation conducted by the Ministry of Internal Affairs and the Federal Security Service in St. Petersburg. In June 2018, the Popelysh brothers were sentenced to 8 years in prison, their associates received from 4 to 6 years.

Arrest video:
 

Read more in our media centre

Infamous for:

The hacker group, which had infected over 340,000 Android-based devices to steal money from bank accounts. Hackers distributed the malware via SMS messages containing a link to download a program masked as Adobe Flash Player. The criminals dubbed their malware «the fifth Reich» and used Nazi symbols in the control system.

Status:

Four suspects were arrested with assistance of Administration «K» of the Russian Ministry of Internal Affairs, Group-IB and Sberbank of Russia.

Arrest video:
 

Read more

Infamous for:

The 26-year old hacker was involved in DDoS attacks against large financial organization using Dragon botnet. Group-IB experts carried out the investigation, including detention of a criminal in a record period of one month.

Status:

The hacker was sentenced to 7 years in prison.

Arrest video:
 

Infamous for:

At the end of 2013, Sberbank of Russia security experts recorded a large-scale cyberattack on Android smartphone users. A group of criminals was infecting the smartphones through MMS delivery of some «romantic gifts».

Status:

Due to joint forces of the Ministry of Internal Affairs, Sberbank of Russia and Group-IB the criminals were arrested.

Arrest video:
 

Infamous for:

The criminal group that had been involved in launching DDoS attacks and extortion for over two years. In September 2015, one of the largest international online dating services, AnastasiaDate faced a powerful DDoS attack. The attack caused the company’s website failure and the hackers demanded $10,000 for stopping the assault.

During the investigation, Group-IB found out that the said resource was not the only victim of the ransom seekers. Other attacks targeted online stores, payment systems, as well as websites offering betting, lottery and gaming services. The average ransom amount demanded by the criminals ranged from $1,000 to $10,000. Most of the victims simply paid their ransoms and did not appeal to the police.

Status:

Both suspects pleaded guilty of the alleged crimes and were imposed a 5‑year suspended sentence each.

Read more in our media centre

Infamous for:

Two hackers were breaching, hijacking, and selling access to over 700,000 online accounts at Russian-based online stores, payment systems, and bookmaking/betting portals.After gaining access to the victims account, both hackers sells these accounts on hacking forums for the price tag of $5 per account. Buyers used access to the hacked accounts to buy products with that account’s bonuses. In some cases, the two hackers also offered «hijacking» services that included changing the account’s phone number and email.

Status:

The perpetrators were arrested and confessed to their actions. The investigation is ongoing.

Read more

Infamous for:

The hacker was stealing funds from Russian banks’ customers using Android Trojans. At the height of their activity, victims reportedly lost up to 8,000 dollars daily and levered cryptocurrency for laundering. The criminals’ approach was rather elementary: customers of banks downloaded the fake mobile app and entered their card details. The Trojan then sent bank card data or online banking credentials to the C&C server. Following this, the threat actor transferred 200-500 dollars at a time to previously activated bank accounts, and bypassed SMS confirmation codes which were intercepted from the victim’s phone. The victims were not aware of the transactions as all SMS confirmations of transactions were blocked.

Status:

The suspect has confessed to his actions and the investigation/ prosecution continues.

Read more in our media center

Infamous for:

In February 2015, the group conducted the first major successful attack on a trading system that provoked hacking induced exchange volatility. By infecting the bank’s internal network, the criminals managed to access an exchange terminal and conducted a series of operations, which made the Dollar/Ruble exchange rate jump by almost 20%.

Status:

Suspended activity.

Infamous for:

A solid example of a top criminal group refocusing from attacks against bank clients to attacks directly targeting financial institutions. From August 2015 to February 2016, this gang conducted 13 successful attacks on Russian banks causing direct losses in the amount of 1.8 billion rubles ($25 million USD). The loss to fraud was 2.5 times larger than the bank’s charter capital in two cases.

Status:

The group has suspended attacks on banks. They sold their botnet to other attackers, who are currently conducting thefts from legal entities.

Read more in our report

Infamous for:

The North Korean hacker group has spied on ideological enemies of the regime — state institutions and private corporations in the United States and South Korea — for years. Now Lazarus attacks banks and financial institutions throughout the world. The most large-scale attack happened in February 2016, when hackers tried to steal about $1bln from the Central Bank of Bangladesh by exploiting weaknesses in the bank’s security to infiltrate its system and gain access to computers with access to the SWIFT network. Due to a mistake in the payment document, the attackers managed to steal only $81 million.

Status:

Active

Read more in our report

Infamous for:

The group has attacked banks across the world. The group specializes in contactless (logical) attacks on ATMs. Cobalt has also turned their efforts to stealing from card processing systems, SWIFT systems and payment gateways.

Status:

The arrest of 5 money mules associated with Cobalt has not affected the group activity. They continue to pose a high risk to financial institutions.

Read more in our blog

Infamous for:

One of the oldest Russian hacker gangs is known to have stolen approximately 125 million rubles from Russian bank accounts. To hide their activity, the criminals used control servers located abroad — in the Netherlands, Germany, France and the USA.

Status:

All members of the criminal group have been arrested. Legal proceedings have been launched against the criminals.

Infamous for:

The first successful targeted attacks on banks in Russia. It is the most experienced group — having attacked over 50 Russian banks and 5 payment systems in 2013-2014, which resulted in total thefts of more than 1 billion rubles (about $25 million USD). They also infected POS terminals in US and European retail chains. The group has a number of successors copying their tactics.

Status:

Disrupted. In November 2016, a large-scale operation was carried out in 6 Russian regions — 16 Cron members were detained. The last active member of the group was arrested in April 2017 in St. Petersburg.

Read more in our report

Infamous for:

The largest botnet in Russia — known to have infected 4.5 million computers. The volume of fraud is estimated at more than 150 million rubles.

Status:

The leader of the group has been arrested and charged with thefts in a range of countries.

Infamous for:

The group created the first Russian botnet designed to steal money from personal bank accounts. The criminal conducted attacks against bank clients using counterfeit SIM cards.

Status:

The investigation resulted in fraud prevention to the sum of 1 billion rubles. The leader of the group has been arrested.

Infamous for:

The hacker was involved in DDoS attacks against Tinkoff Bank, Alfa-Bank, Promsvyazbank, Kaspersky Lab and large Internet portals. He is known to have demanded payment to stop further attacks.

Status:

Found guilty under Russian legislation.

Infamous for:

Author of widely used exploit kits. Up to 40% of infections worldwide were conducted using these products online.

Status:

The group leader was sentenced to 7 years in a Russian penal colony in April 2016.

Infamous for:

The first criminal group who were arrested for money theft conducted using malicious mobile apps in Russia.

Status:

The investigation is ongoing.

Case:

Over 100 fraudulent online resources — including websites, Telegram channels, and groups in social media — are illegally selling fake digital passes to the residents of Moscow and other Russian regions. These passes are required by law to move around cities during the COVID-19 lockdown.

Status:

Group-IB is working with police to identify and detain operators of these fake web resources. Over a half of them have been blocked.

The Moscow police found evidence that pointed to two residents of Moscow and the Moscow region who ran such sites. Both suspects were detained and pleaded guilty to fraud. Criminal proceedings have been launched.

Learn more

Case:

TipTop, a hacker group that targets clients of major Russian banks, used malware disguised as popular mobile apps to steal money from bank cards. It is estimated that over 800,000 smartphones were infected, and that the group stole between $1,500 and $10,500 every day.

Status:

A joint operation of Russian cyberpolice forces resulted in the arrest and conviction of a member of TipTop responsible for transferring stolen money.

Learn more

Case:

JS-sniffer family GetBilling infected hundreds of e-commerce websites in Indonesia, Australia, the UK, the US, Germany, Brazil, and other countries, stealing the payment and personal data of thousands of online shoppers.

Status:

GetBilling operators were arrested and convicted as a result of joint operation Night Fury initiated by INTERPOL’s ASEAN Cyber Capability Desk, Indonesian Cyber Police, and Group-IB’s APAC Cyber Investigations Team.

This case was the first successful multi-jurisdictional operation against JS-sniffers in the region.

Learn more

Case:

Russia’s Channel One asked Group-IB to investigate potential anomalies in the voting process for the Russian edition of the show The Voice Kids (Season 6). There was a great disparity between the finalists’ votes, and the channel attributed this to fowl play.

Status:

In less than a month, Group-IB was able to confirm that a portion of the votes (tens of thousands, to be exact) cast during the season was fake.

Learn more

Case:

This owner of a pirate streaming network in Russia profited off of infringements of video copyrights. The network contained dozens of websites, each of which contained more than 10,000 movies and TV shows.

Status:

After identifying digital traces of the perpetrator, Group-IB were able to identify them and law enforcement eventually found and detained them. The pirate was convicted and sentenced, the first such ruling in a Russian court.

Learn more