Prevention
- Security Assessment
- Red Teaming
- Compliance Audit
- Pre-IR Assessment
- Compromise Assessment
- Cyber Education
- GIB Crypto
Global Investigations
Combating computer-based, financial, corporate crimes of varied size and complexity by bringing perpetrators to justice
Request an investigation1300+
successful investigations conducted by a diverse team of Group-IB experts
$300 mln
was returned to a client company as the result of our efforts
Europol, Interpol
and law enforcement agencies support in carrying out investigations
Why our investigators are in high demand
The main goal of our investigation is to bring the perpetrators to justice. If necessary, we will continue to be involved in the case until a sentence is carried out, by consulting lawyers and providing testimony in court.
Deep knowledge of criminal schemes
Based on our 16 year hands-on experience, we have an extensive knowledge of criminal schemes ranging from recruiting insiders and developing malicious programs to withdrawing and cashing out money. This enables us to immobilize the attackers before businesses or individuals suffer major damage.
Individual approach by special project team
Every investigation is different and may require a different route through the process. Group-IB’s investigations are conducted by a diverse project team consisting of e-Discovery and Forensic analysts, economic security, financial audit, corporate law specialists, financial crime experts.
Collaboration with law enforcement agencies
As technology reaches into nearly all areas of our lives, law enforcement officers are challenged to maintain the skills and tools needed to conduct thorough investigations. Our experts work closely with international police in combating various types of crimes — from computer-based crimes to murders and missing people.
Proprietary technologies for criminals detection
Group-IB’s investigation department has adopted a proactive approach and developed a set of technologies for identifying groups or individuals who are assessed as being involved in ongoing criminal activity. We accelerate investigations using in-house tools for pattern analysis, network analysis, tactical profiling.
What types of crimes we handle
High-tech crime investigations are the oldest area of our activity. We conduct a wide variety of investigations, including:
Data theft
Competitive espionage, phishing, intellectual property breach, theft of trade secrets, credentials and other sensitive information.
Financial crimes
Cryptocurrency theft, online‑banking, mobile-banking, email fraud, ATMs, card processing, SWIFT, payment gateways.
Insider attacks
Abuse of authority, competitive espionage, critical infrastructure damaging, data leakage, account takeover.
Information wars
Extortion, reputational damage, defamation, harassment and identity theft.
Flood attacks
Overload of communication channels (emails, phone calls, social messengers).
DoS/DDoS attacks
Competitive and targeted attacks to overload web services and network.
Critical infrastructure attacks
Attacks on water supply, transport infrastructure, power grids control systems.
Malware attacks
Malware creation, proliferation and control, botnets, ransomware and spyware.
Along with combating advanced cyber crimes we assist law enforcement bodies in investigating criminal cases such as murders, suicides, robberies, kidnapping and others.
What you get after the investigation
The results of our investigations include:
Detailed threat actor profile
We explore the anatomy of the attack and threat actor’s infrastructure, identify the mechanisms and recreate the sequence of events.
Professional evidence collection for court
Group-IB investigators collect all digital evidence in compliance with legal requirements and prepare required documentation for presenting evidence correctly in court.
Law enforcement consultation
Our investigators has sound knowledge of the relevant law and provide full cycle consultation support to lawyers and different enforcement agencies on every stage of investigation.
Our high-profile investigation cases
Group-IB has conducted over 1000 successful investigations, leading to arrests or decrease in criminal activity:
#BEC
Operation Falcon
Group-IB in cooperation with INTERPOL and the Nigerian Police Force targeted a business email compromise (BEC) cybercrime gang from Nigeria called TMT. Since 2017, the group has compromised at least 500,000 government and private sector companies in more than 150 countries.
Learn more#Compromise
Carding Action 2020
This three-month anti-cybercrime operation was let by Europol’s European Cyber Crime Centre (C3) and supported by The Dedicated Card and Payment Crime Unit of the London Police, the City of London Police, and Group-IB, which was the only private-sector cybersecurity involved. The effort targeted traders of compromised card details.
Learn more#Covid19 #Lockdown
Fake COVID-19 Passes in Russia
Over 100 fraudulent online resources — including websites, Telegram channels, and groups in social media — are illegally selling fake digital passes to the residents of Moscow and other Russian regions. These passes are required by law to move around cities during the COVID-19 lockdown.
Learn more#Banksfraud
TipTop
TipTop, a hacker group that targets clients of major Russian banks, used malware disguised as popular mobile apps to steal money from bank cards. It is estimated that over 800,000 smartphones were infected, and that the group stole between $1,500 and $10,500 every day.
Learn more#Malware development
GetBilling
JS-sniffer family GetBilling infected hundreds of e-commerce websites in Indonesia, Australia, the UK, the US, Germany, Brazil, and other countries, stealing the payment and personal data of thousands of online shoppers.
Learn more#Riggedvote
The Voice Kids Russia
Russia’s Channel One asked Group-IB to investigate potential anomalies in the voting process for the Russian edition of the show The Voice Kids (Season 6). There was a great disparity between the finalists’ votes, and the channel attributed this to fowl play.
Learn more#Piracy
Pirate streaming network
This owner of a pirate streaming network in Russia profited off of infringements of video copyrights. The network contained dozens of websites, each of which contained more than 10,000 movies and TV shows.
Learn more#Android trojans
CRON
This group stole money from bank accounts of Android smartphone users. The hackers infected over 1 million devices in total and the overall damage from Cron’s activity is estimated to approximately $800 000.
Learn more#Malware development
CARBERP
The largest criminal gang in Russia managed to infect over 1.5 million computers and steal approximately $250 million from Russian bank accounts.
Learn more#Thefts from bank accounts
Popelysh brothers
In the short period from September to December 2010, Sarbin and the Popelysh twins stole approximately 2 million rubles from 16 customers.
Learn more#Android trojans
Fifth Reich
The hacker group, which had infected over 340,000 Android-based devices to steal money from bank accounts.
Learn more#DDoS attacks
Dragon DDoS-hacker
The 26-year old hacker was involved in DDoS attacks against large financial organization using Dragon botnet. Group-IB experts carried out the investigation, including detention of a criminal in a record period of one month.
Learn more#Android smartphones attacks
Mobile banking botnet
At the end of 2013, Sberbank of Russia security experts recorded a large-scale cyberattack on Android smartphone users. A group of criminals was infecting the smartphones through MMS delivery of some “romantic gifts”.
Learn more#Ransomware #DDoS
Ukrainian DDoS hackers
The criminal group that had been involved in launching DDoS attacks and extortion for over two years. In September 2015, one of the largest international online dating services, AnastasiaDate faced a powerful DDoS attack. The attack caused the company’s website failure and the hackers demanded $10,000 for stopping the assault.
Learn more#Retail companies hacking
Hijacking online accounts
Two hackers were breaching, hijacking, and selling access to over 700,000 online accounts at Russian-based online stores, payment systems, and bookmaking/betting portals.After gaining access to the victims account, both hackers sells these accounts on hacking forums for the price tag of $5 per account.
Learn more#Malicious mobile apps
Mobile malware
The hacker was stealing funds from Russian banks’ customers using Android Trojans. At the height of their activity, victims reportedly lost up to 8,000 dollars daily and levered cryptocurrency for laundering.
Learn more#Targeted attacks on banks
Corkow
In February 2015, the group conducted the first major successful attack on a trading system that provoked hacking induced exchange volatility.
Learn more#Malware development
Buhtrap
A solid example of a top criminal group refocusing from attacks against bank clients to attacks directly targeting financial institutions.
Learn more#APT attacks
Lazarus
The North Korean hacker group has spied on ideological enemies of the regime — state institutions and private corporations in the United States and South Korea — for years. Now Lazarus attacks banks and financial institutions throughout the world.
Learn more#Targeted attacks on banks
Cobalt
The group has attacked banks across the world. The group specializes in contactless (logical) attacks on ATMs. Cobalt has also turned their efforts to stealing from card processing systems, SWIFT systems and payment gateways.
Learn more#Attacks on banks
Hodprot group
One of the oldest Russian hacker gangs is known to have stolen approximately 125 million rubles from Russian bank accounts. To hide their activity, the criminals used control servers located abroad — in the Netherlands, Germany, France and the USA.
Learn more#APT against banks
Anunak / Carbanak
The first successful targeted attacks on banks in Russia. It is the most experienced group — having attacked over 50 Russian banks and 5 payment systems in 2013-2014, which resulted in total thefts of more than 1 billion rubles (about $25 million USD).
Learn more#Botnet
Germes
The largest botnet in Russia — known to have infected 4.5 million computers. The volume of fraud is estimated at more than 150 million rubles.
Learn more#Botnet
Hameleon
The group created the first Russian botnet designed to steal money from personal bank accounts. The criminal conducted attacks against bank clients using counterfeit SIM cards.
Learn more#DDoS attacks
PumpWaterReboot
The hacker was involved in DDoS attacks against Tinkoff Bank, Alfa-Bank, Promsvyazbank, Kaspersky Lab and large Internet portals. He is known to have demanded payment to stop further attacks.
Learn more#Malicious software
Paunch (Blackhole)
Author of widely used exploit kits. Up to 40% of infections worldwide were conducted using these products online.
Learn more#Android trojans
Waplook
The first criminal group who were arrested for money theft conducted using malicious mobile apps in Russia.
Learn more#Android trojans
Arrest video:
CRON
Infamous for:
This group stole money from bank accounts of Android smartphone users. The hackers infected over 1 million devices in total and the overall damage from Cron’s activity is estimated to approximately $800 000.
Status:
Disrupted. In November 2016, a large-scale operation was carried out in 6 Russian regions — 16 Cron members were detained. The last active member of the group was arrested in April 2017 in St. Petersburg.
Arrest video:
#Malware development
Arrest video:
Carberp
Infamous for:
The largest criminal gang in Russia managed to infect over 1.5 million computers and steal approximately $250 million from Russian bank accounts.
Status:
Disrupted. All members of the criminal group were arrested: the leaders were sentenced to 5 and 7 years of imprisonment accordingly.
Arrest video:
#Thefts from bank accounts
Arrest video:
Popelysh brothers
Infamous for:
In the short period from September to December 2010, Sarbin and the Popelysh twins stole approximately 2 million rubles from 16 customers. By February 2011, 170 customers of Russian banks from 46 regions in the country had fallen victim to the criminals, bringing the total amount of funds stolen to 13 million rubles.
The hackers were arrested in spring 2011 but received only mild sentences. Once they were released, the brothers reverted to their old habits: they equipped themselves with new malware. From March 2013 to May 2015, the Popelysh twins’ group gained access to more than 7000 customer accounts at various Russian banks and stole more than 12.5 million rubles.
Status:
In May 2015, the Popelysh twins were detained once again during a joint special operation conducted by the Ministry of Internal Affairs and the Federal Security Service in St. Petersburg. In June 2018, the Popelysh brothers were sentenced to 8 years in prison, their associates received from 4 to 6 years.
Arrest video:
#Android trojans
Arrest video:
“Fifth Reich”
Infamous for:
The hacker group, which had infected over 340,000 Android-based devices to steal money from bank accounts. Hackers distributed the malware via SMS messages containing a link to download a program masked as Adobe Flash Player. The criminals dubbed their malware «the fifth Reich» and used Nazi symbols in the control system.
Status:
Four suspects were arrested with assistance of Administration «K» of the Russian Ministry of Internal Affairs, Group-IB and Sberbank of Russia.
Arrest video:
#DDoS attacks
Arrest video:
Dragon DDoS-hacker
Infamous for:
The 26-year old hacker was involved in DDoS attacks against large financial organization using Dragon botnet. Group-IB experts carried out the investigation, including detention of a criminal in a record period of one month.
Status:
The hacker was sentenced to 7 years in prison.
Arrest video:
#Android smartphones attacks
Arrest video:
Mobile banking botnet
Infamous for:
At the end of 2013, Sberbank of Russia security experts recorded a large-scale cyberattack on Android smartphone users. A group of criminals was infecting the smartphones through MMS delivery of some «romantic gifts».
Status:
Due to joint forces of the Ministry of Internal Affairs, Sberbank of Russia and Group-IB the criminals were arrested.
Arrest video:
#Ransomware #DDoS
Ukrainian DDoS hackers
Infamous for:
The criminal group that had been involved in launching DDoS attacks and extortion for over two years. In September 2015, one of the largest international online dating services, AnastasiaDate faced a powerful DDoS attack. The attack caused the company’s website failure and the hackers demanded $10,000 for stopping the assault.
During the investigation, Group-IB found out that the said resource was not the only victim of the ransom seekers. Other attacks targeted online stores, payment systems, as well as websites offering betting, lottery and gaming services. The average ransom amount demanded by the criminals ranged from $1,000 to $10,000. Most of the victims simply paid their ransoms and did not appeal to the police.
Status:
Both suspects pleaded guilty of the alleged crimes and were imposed a 5‑year suspended sentence each.
#Android trojans
Mobile malware
Infamous for:
Two hackers were breaching, hijacking, and selling access to over 700,000 online accounts at Russian-based online stores, payment systems, and bookmaking/betting portals.After gaining access to the victims account, both hackers sells these accounts on hacking forums for the price tag of $5 per account. Buyers used access to the hacked accounts to buy products with that account’s bonuses. In some cases, the two hackers also offered «hijacking» services that included changing the account’s phone number and email.
Status:
The perpetrators were arrested and confessed to their actions. The investigation is ongoing.
#Malicious mobile apps
Mobile malware
Infamous for:
The hacker was stealing funds from Russian banks’ customers using Android Trojans. At the height of their activity, victims reportedly lost up to 8,000 dollars daily and levered cryptocurrency for laundering. The criminals’ approach was rather elementary: customers of banks downloaded the fake mobile app and entered their card details. The Trojan then sent bank card data or online banking credentials to the C&C server. Following this, the threat actor transferred 200-500 dollars at a time to previously activated bank accounts, and bypassed SMS confirmation codes which were intercepted from the victim’s phone. The victims were not aware of the transactions as all SMS confirmations of transactions were blocked.
Status:
The suspect has confessed to his actions and the investigation/ prosecution continues.
#Targeted attacks on banks
Corkow
Infamous for:
In February 2015, the group conducted the first major successful attack on a trading system that provoked hacking induced exchange volatility. By infecting the bank’s internal network, the criminals managed to access an exchange terminal and conducted a series of operations, which made the Dollar/Ruble exchange rate jump by almost 20%.
Status:
Suspended activity.
#Malware development
Buhtrap
Infamous for:
A solid example of a top criminal group refocusing from attacks against bank clients to attacks directly targeting financial institutions. From August 2015 to February 2016, this gang conducted 13 successful attacks on Russian banks causing direct losses in the amount of 1.8 billion rubles ($25 million USD). The loss to fraud was 2.5 times larger than the bank’s charter capital in two cases.
Status:
The group has suspended attacks on banks. They sold their botnet to other attackers, who are currently conducting thefts from legal entities.
#DDoS attacks
Lazarus
Infamous for:
The North Korean hacker group has spied on ideological enemies of the regime — state institutions and private corporations in the United States and South Korea — for years. Now Lazarus attacks banks and financial institutions throughout the world. The most large-scale attack happened in February 2016, when hackers tried to steal about $1bln from the Central Bank of Bangladesh by exploiting weaknesses in the bank’s security to infiltrate its system and gain access to computers with access to the SWIFT network. Due to a mistake in the payment document, the attackers managed to steal only $81 million.
Status:
Active
#Targeted attacks on banks
Cobalt
Infamous for:
The group has attacked banks across the world. The group specializes in contactless (logical) attacks on ATMs. Cobalt has also turned their efforts to stealing from card processing systems, SWIFT systems and payment gateways.
Status:
The arrest of 5 money mules associated with Cobalt has not affected the group activity. They continue to pose a high risk to financial institutions.
#Attacks on banks
Hodprot group
Infamous for:
One of the oldest Russian hacker gangs is known to have stolen approximately 125 million rubles from Russian bank accounts. To hide their activity, the criminals used control servers located abroad — in the Netherlands, Germany, France and the USA.
Status:
All members of the criminal group have been arrested. Legal proceedings have been launched against the criminals.
#APT against banks
Anunak / Carbanak
Infamous for:
The first successful targeted attacks on banks in Russia. It is the most experienced group — having attacked over 50 Russian banks and 5 payment systems in 2013-2014, which resulted in total thefts of more than 1 billion rubles (about $25 million USD). They also infected POS terminals in US and European retail chains. The group has a number of successors copying their tactics.
Status:
Disrupted. In November 2016, a large-scale operation was carried out in 6 Russian regions — 16 Cron members were detained. The last active member of the group was arrested in April 2017 in St. Petersburg.
#Botnet
Germes
Infamous for:
The largest botnet in Russia — known to have infected 4.5 million computers. The volume of fraud is estimated at more than 150 million rubles.
Status:
The leader of the group has been arrested and charged with thefts in a range of countries.
#Botnet
Hameleon group
Infamous for:
The group created the first Russian botnet designed to steal money from personal bank accounts. The criminal conducted attacks against bank clients using counterfeit SIM cards.
Status:
The investigation resulted in fraud prevention to the sum of 1 billion rubles. The leader of the group has been arrested.
#DDoS attacks
PumpWaterReboot
Infamous for:
The hacker was involved in DDoS attacks against Tinkoff Bank, Alfa-Bank, Promsvyazbank, Kaspersky Lab and large Internet portals. He is known to have demanded payment to stop further attacks.
Status:
Found guilty under Russian legislation.
#Malicious software
Paunch (Blackhole)
Infamous for:
Author of widely used exploit kits. Up to 40% of infections worldwide were conducted using these products online.
Status:
The group leader was sentenced to 7 years in a Russian penal colony in April 2016.
#Android trojans
Waplook
Infamous for:
The first criminal group who were arrested for money theft conducted using malicious mobile apps in Russia.
Status:
The investigation is ongoing.
#Covid19
Fake COVID-19 Passes in Russia
Case:
Over 100 fraudulent online resources — including websites, Telegram channels, and groups in social media — are illegally selling fake digital passes to the residents of Moscow and other Russian regions. These passes are required by law to move around cities during the COVID-19 lockdown.
Status:
Group-IB is working with police to identify and detain operators of these fake web resources. Over a half of them have been blocked.
The Moscow police found evidence that pointed to two residents of Moscow and the Moscow region who ran such sites. Both suspects were detained and pleaded guilty to fraud. Criminal proceedings have been launched.
#Bankfraud
TipTop
Case:
TipTop, a hacker group that targets clients of major Russian banks, used malware disguised as popular mobile apps to steal money from bank cards. It is estimated that over 800,000 smartphones were infected, and that the group stole between $1,500 and $10,500 every day.
Status:
A joint operation of Russian cyberpolice forces resulted in the arrest and conviction of a member of TipTop responsible for transferring stolen money.
#Malware development
GetBilling
Case:
JS-sniffer family GetBilling infected hundreds of e-commerce websites in Indonesia, Australia, the UK, the US, Germany, Brazil, and other countries, stealing the payment and personal data of thousands of online shoppers.
Status:
GetBilling operators were arrested and convicted as a result of joint operation Night Fury initiated by INTERPOL’s ASEAN Cyber Capability Desk, Indonesian Cyber Police, and Group-IB’s APAC Cyber Investigations Team.
This case was the first successful multi-jurisdictional operation against JS-sniffers in the region.
#Riggedvote
The Voice Kids Russia
Case:
Russia’s Channel One asked Group-IB to investigate potential anomalies in the voting process for the Russian edition of the show The Voice Kids (Season 6). There was a great disparity between the finalists’ votes, and the channel attributed this to fowl play.
Status:
In less than a month, Group-IB was able to confirm that a portion of the votes (tens of thousands, to be exact) cast during the season was fake.
#Piracy
Pirate streaming network
Case:
This owner of a pirate streaming network in Russia profited off of infringements of video copyrights. The network contained dozens of websites, each of which contained more than 10,000 movies and TV shows.
Status:
After identifying digital traces of the perpetrator, Group-IB were able to identify them and law enforcement eventually found and detained them. The pirate was convicted and sentenced, the first such ruling in a Russian court.
#BEC
Operation Falcon
Case:
Group-IB in cooperation with INTERPOL and the Nigerian Police Force targeted a business email compromise (BEC) cybercrime gang from Nigeria called TMT. Since 2017, the group has compromised at least 500,000 government and private sector companies in more than 150 countries.
Status:
Three TNT gang members have been arrested in Lagos. The operation is still ongoing as thousands of members remain at large.
#Compromise
Carding Action 2020
Case:
This three-month anti-cybercrime operation was let by Europol’s European Cyber Crime Centre (C3) and supported by The Dedicated Card and Payment Crime Unit of the London Police, the City of London Police, and Group-IB, which was the only private-sector cybersecurity involved. The effort targeted traders of compromised card details.
Status:
Data from Group-IB Threat Intelligence & Attribution led to Carding Action preventing nearly 40 million euros in losses across Europe.
Latest research
Ransomware Uncovered 2021/2022
The well-known complete guide to the latest tactics, techniques, and procedures of ransomware operators based on MITRE ATT&CK®
Hi-Tech Crime Trends 2021/2022 part I
Uninvited Guests: The sale of access to corporate networks
Analysis of dark web forums to understand the sale of access to compromised infrastructure.
Hi-Tech Crime Trends 2021/2022 part II
Corporansom: Threat number one
The history and analysis of affiliate programs and trends in the ransomware market.
Hi-Tech Crime Trends 2021/2022 part III
Big Money: Threats to financial sector
A look at the cyber threat landscape: ransomware attacks, carding activity, network access sales, phishing and scams.
Hi-Tech Crime Trends 2021/2022 part V
Scams and Phishing: The epidemic of online fraud
New fraud technologies & an analysis of schemes, tools and infrastructure
RedCurl: The Awakening
Commercial cyber espionage remains a rare and largely unique phenomenon. We cannot rule out, however, that RedCurl’s success could lead to a new trend in the cybercrime arena.
Ransomware Uncovered 2020/2021
The complete guide to the latest tactics, techniques, and procedures of ransomware operators based on MITRE ATT&CK®
Hi-Tech Crime Trends 2020/2021
Source of strategic data on the global cyber threat landscape and forecasts for its development
UltraRank: the unexpected twist of a JS-sniffer triple threat
New stage in JS-sniffers research. From analyzing malware families to identifying threat actors. For five years, the cybercriminal group UltraRank has conducted campaigns using JS-sniffers and managed to stay unnoticed for the most part.
RedCurl: The pentest
you didn’t know about
Research of the new espionage APT-group RedCurl and its elaborate attacks on enterprise companies in North America, Europe and CIS.
Online Piracy Research:
Jolly Roger’s patrons
Group-IB exposes financial crime network
of online pirates in developing countries.
of online pirates in developing countries.
Fxmsp: “The invisible god of networks”
The evolution of Fxmsp — one of the most notorious and prolific sellers of access to corporate networks on underground forums. Group-IB researchers analyzed Fxmsp’s activity on underground forums for three years and discovered that the threat actor had compromised networks of more than 130 targets.
Hi-Tech Crime Trends 2019/20
Strategic intelligence data on state-sponsored groups, industry-specific cyberthreats, targeted attacks on banks and banking clients.
Attacks by Silence
A comprehensive technical analysis of Silence’s tools, tactics, and evolution. This is the first time Group‑IB’s reports of this kind have been made publicly available.
Hi-Tech Crime Trends 2018
Introducing the research on cybersecurity trends and predictions for the next year. Plan your cybersecurity strategy effectively.
Crime without punishment: in-depth analysis of JS-sniffers
In-depth analysis and new types of a growing threat — JS‑sniffers — designed to steal payment data.
2018 Cryptocurrency Exchanges
Estimation of the number of login and passwords leaks of cryptoсurrency exchanges users and analysis their nature. Recommendations for ensuring security of users and exchanges.
Cobalt: their evolution and joint operations
Learn about Cobalt’s development and modification of tools and tactics which were used to steal approximately 1 billion dollars from over 100 banks in 40 different countries.
Hi-Tech Crime Trends 2017
Introducing the research on cybersecurity trends and predictions for the next year. Plan your cybersecurity strategy effectively.
Lazarus Arisen: Architecture, Tools and Attribution
Lazarus group targets the largest international banks as well as central banks in various countries.
Hi-Tech Crime Trends 2016
Learn about the evolution of cyber crime in 2016 and find out what predictions for 2017 came true. Spoiler: most of them did.
MoneyTaker
This hacker group is noticeable for 1.5 years of silent operations and multiple attacks. They still pose a threat: learn about MoneyTaker techniques and indicators of compromise now.
Buhtrap
From August 2015 to February 2016 Buhtrap managed to conduct 13 successful attacks against Russian banks for a total amount of 1.8 billion rubles ($25 mln.
Analysis of attacks against trading and bank card system
Group-IB annual report on speculative fluctuations of exchange rate and other incidents in 2015 caused by the Trojan program Corkow (Metel).
Anunak: APT against financial institutions
This research includes the findings of Group-IB and Fox‑IT on Anunak (Carbanak) group, which focused its activity on banks and electronic payment systems.
Ransomware Uncovered 2021/2022
The well-known complete guide to the latest tactics, techniques, and procedures of ransomware operators based on MITRE ATT&CK®
Hi-Tech Crime Trends 2021/2022 part I
Uninvited Guests: The sale of access to corporate networks
Analysis of dark web forums to understand the sale of access to compromised infrastructure.
Hi-Tech Crime Trends 2021/2022 part II
Corporansom: Threat number one
The history and analysis of affiliate programs and trends in the ransomware market.
Hi-Tech Crime Trends 2021/2022 part III
Big Money: Threats to financial sector
A look at the cyber threat landscape: ransomware attacks, carding activity, network access sales, phishing and scams.
Hi-Tech Crime Trends 2021/2022 part V
Scams and Phishing: The epidemic of online fraud
New fraud technologies & an analysis of schemes, tools and infrastructure
RedCurl: The Awakening
Commercial cyber espionage remains a rare and largely unique phenomenon. We cannot rule out, however, that RedCurl’s success could lead to a new trend in the cybercrime arena.
Ransomware Uncovered 2020/2021
The complete guide to the latest tactics, techniques, and procedures of ransomware operators based on MITRE ATT&CK®
Hi-Tech Crime Trends 2020/2021
Source of strategic data on the global cyber threat landscape and forecasts for its development
UltraRank: the unexpected twist of a JS-sniffer triple threat
New stage in JS-sniffers research. From analyzing malware families to identifying threat actors. For five years, the cybercriminal group UltraRank has conducted campaigns using JS-sniffers and managed to stay unnoticed for the most part.
RedCurl: The pentest
you didn’t know about
Research of the new espionage APT-group RedCurl and its elaborate attacks on enterprise companies in North America, Europe and CIS.
Online Piracy Research:
Jolly Roger’s patrons
Group-IB exposes financial crime network
of online pirates in developing countries.
of online pirates in developing countries.
Fxmsp: “The invisible god of networks”
The evolution of Fxmsp — one of the most notorious and prolific sellers of access to corporate networks on underground forums. Group-IB researchers analyzed Fxmsp’s activity on underground forums for three years and discovered that the threat actor had compromised networks of more than 130 targets.
Hi-Tech Crime Trends 2019/20
Strategic intelligence data on state-sponsored groups, industry-specific cyberthreats, targeted attacks on banks and banking clients.
Attacks by Silence
A comprehensive technical analysis of Silence’s tools, tactics, and evolution. This is the first time Group‑IB’s reports of this kind have been made publicly available.
Hi-Tech Crime Trends 2018
Introducing the research on cybersecurity trends and predictions for the next year. Plan your cybersecurity strategy effectively.
Crime without punishment: in-depth analysis of JS-sniffers
In-depth analysis and new types of a growing threat — JS‑sniffers — designed to steal payment data.
2018 Cryptocurrency Exchanges
Estimation of the number of login and passwords leaks of cryptoсurrency exchanges users and analysis their nature. Recommendations for ensuring security of users and exchanges.
Cobalt: their evolution and joint operations
Learn about Cobalt’s development and modification of tools and tactics which were used to steal approximately 1 billion dollars from over 100 banks in 40 different countries.
Hi-Tech Crime Trends 2017
Introducing the research on cybersecurity trends and predictions for the next year. Plan your cybersecurity strategy effectively.
Lazarus Arisen: Architecture, Tools and Attribution
Lazarus group targets the largest international banks as well as central banks in various countries.
Hi-Tech Crime Trends 2016
Learn about the evolution of cyber crime in 2016 and find out what predictions for 2017 came true. Spoiler: most of them did.
MoneyTaker
This hacker group is noticeable for 1.5 years of silent operations and multiple attacks. They still pose a threat: learn about MoneyTaker techniques and indicators of compromise now.
Buhtrap
From August 2015 to February 2016 Buhtrap managed to conduct 13 successful attacks against Russian banks for a total amount of 1.8 billion rubles ($25 mln.
Analysis of attacks against trading and bank card system
Group-IB annual report on speculative fluctuations of exchange rate and other incidents in 2015 caused by the Trojan program Corkow (Metel).
Anunak: APT against financial institutions
This research includes the findings of Group-IB and Fox‑IT on Anunak (Carbanak) group, which focused its activity on banks and electronic payment systems.
Please fill in the form below and we will send you the Group-IB report. Please make sure to correctly fill in all fields, we will only provide materials on provision of a valid corporate email address.
Thank you for your interest in our research.
Please fill in the form below and we will send you the Group-IB report. Please make sure to correctly fill in all fields, we will only provide materials on provision of a valid corporate email address.
Thank you for your interest in our research.
Please fill in the form below and we will send you the Group-IB report. Please make sure to correctly fill in all fields, we will only provide materials on provision of a valid corporate email address.
Thank you for your interest in our research.
Please fill in the form below and we will send you the Group-IB report. Please make sure to correctly fill in all fields, we will only provide materials on provision of a valid corporate email address.
Thank you for your interest in our research.
Please fill in the form below and we will send you the Group-IB report. Please make sure to correctly fill in all fields, we will only provide materials on provision of a valid corporate email address.
Thank you for your interest in our research.
Please fill in the form below and we will send you the Group-IB report. Please make sure to correctly fill in all fields, we will only provide materials on provision of a valid corporate email address.
Thank you for your interest in our research.
Please fill in the form below and we will send you the Group-IB report. Please make sure to correctly fill in all fields, we will only provide materials on provision of a valid corporate email address.
Thank you for your interest in our research.
Please fill in the form below and we will send you the Group-IB report. Please make sure to correctly fill in all fields, we will only provide materials on provision of a valid corporate email address.
Thank you for your interest in our research.
Please fill in the form below and we will send you the Group-IB report. Make sure to correctly fill in all fields, we will only provide materials on provision of a valid corporate email address.
Thank you for your interest in our research.
Please fill in the form below and we will send you the Group-IB report. Please make sure to correctly fill in all fields, we will only provide materials on provision of a valid corporate email address.
Thank you for your interest in our research.
Please fill in the form below and we will send you the Group-IB report. Please make sure to correctly fill in all fields, we will only provide materials on provision of a valid corporate email address.
Thank you for your interest in our research.
Please fill in the form below and we will send you the Group-IB report. Please make sure to correctly fill in all fields, we will only provide materials on provision of a valid corporate email address.
Thank you for your interest in our research.
Please fill in the form below and we will send you the Group-IB report. Please make sure to correctly fill in all fields, we will only provide materials on provision of a valid corporate email address.
Thank you for your interest in our research.
Please fill in the form below and we will send you the Group-IB report. Please make sure to correctly fill in all fields, we will only provide materials on provision of a valid corporate email address.
Thank you for your interest in our research.
Please fill in the form below and we will send you the Group-IB report. Please make sure to correctly fill in all fields, we will only provide materials on provision of a valid corporate email address.
Thank you for your interest in our research.
Please fill in the form below and we will send you the Group-IB report. Please make sure to correctly fill in all fields, we will only provide materials on provision of a valid corporate email address.
Thank you for your interest in our research.
Please fill in the form below and we will send you the Group-IB report. Please make sure to correctly fill in all fields, we will only provide materials on provision of a valid corporate email address.
Get immediate assistance from our experienced team of investigators.
Awards and recognition
Security Investigation – Group-IB Hi-Tech Crime Investigations
Get immediate assistance from our experienced team of investigators.
Get new report
Ransomware Uncovered 2021/2022
The well-known complete guide to the latest tactics, techniques, and procedures of ransomware operators based on MITRE ATT&CK®