Global Investigations
Combating computer-based, financial, corporate crimes of varied size and complexity by bringing perpetrators to justice
1000+
successful investigations conducted by a diverse team of Group-IB experts
$300 mln
was returned to a client company as the result of our efforts
Europol, Interpol
and law enforcement agencies support in carrying out investigations
Why our investigators are in high demand
The main goal of our investigation is to bring the perpetrators to justice. If necessary, we will continue to be involved in the case until a sentence is carried out, by consulting lawyers and providing testimony in court.
Deep knowledge of criminal schemes
Based on our 16 year hands-on experience, we have an extensive knowledge of criminal schemes ranging from recruiting insiders and developing malicious programs to withdrawing and cashing out money. This enables us to immobilize the attackers before businesses or individuals suffer major damage.
Individual approach by special project team
Every investigation is different and may require a different route through the process. Group-IB’s investigations are conducted by a diverse project team consisting of e-Discovery and Forensic analysts, economic security, financial audit, corporate law specialists, financial crime experts.
Collaboration with law enforcement agencies
As technology reaches into nearly all areas of our lives, law enforcement officers are challenged to maintain the skills and tools needed to conduct thorough investigations. Our experts work closely with international police in combating various types of crimes — from computer-based crimes to murders and missing people.
Proprietary technologies for criminals detection
Group-IB’s investigation department has adopted a proactive approach and developed a set of technologies for identifying groups or individuals who are assessed as being involved in ongoing criminal activity. We accelerate investigations using in-house tools for pattern analysis, network analysis, tactical profiling.
What types of crimes we handle
High-tech crime investigations are the oldest area of our activity. We conduct a wide variety of investigations, including:
Data theft
Competitive espionage, phishing, intellectual property breach, theft of trade secrets, credentials and other sensitive information.
Financial crimes
Cryptocurrency theft, online‑banking, mobile-banking, email fraud, ATMs, card processing, SWIFT, payment gateways.
Insider attacks
Abuse of authority, competitive espionage, critical infrastructure damaging, data leakage, account takeover.
Information wars
Extortion, reputational damage, defamation, harassment and identity theft.
Flood attacks
Overload of communication channels (emails, phone calls, social messengers).
DoS/DDoS attacks
Competitive and targeted attacks to overload web services and network.
Critical infrastructure attacks
Attacks on water supply, transport infrastructure, power grids control systems.
Malware attacks
Malware creation, proliferation and control, botnets, ransomware and spyware.
Along with combating advanced cyber crimes we assist law enforcement bodies in investigating criminal cases such as murders, suicides, robberies, kidnapping and others.
What you get after the investigation
The results of our investigations include:
Detailed threat actor profile
We explore the anatomy of the attack and threat actor’s infrastructure, identify the mechanisms and recreate the sequence of events.
Professional evidence collection for court
Group-IB investigators collect all digital evidence in compliance with legal requirements and prepare required documentation for presenting evidence correctly in court.
Law enforcement consultation
Our investigators has sound knowledge of the relevant law and provide full cycle consultation support to lawyers and different enforcement agencies on every stage of investigation.
Our high-profile investigation cases
Group-IB has conducted over 1000 successful investigations, leading to arrests or decrease in criminal activity:
#Covid19 #Lockdown
Fake COVID-19 Passes in Russia
Over 100 fraudulent online resources — including websites, Telegram channels, and groups in social media — are illegally selling fake digital passes to the residents of Moscow and other Russian regions. These passes are required by law to move around cities during the COVID-19 lockdown.
Learn more#Banksfraud
TipTop
TipTop, a hacker group that targets clients of major Russian banks, used malware disguised as popular mobile apps to steal money from bank cards. It is estimated that over 800,000 smartphones were infected, and that the group stole between $1,500 and $10,500 every day.
Learn more#Malware development
GetBilling
JS-sniffer family GetBilling infected hundreds of e-commerce websites in Indonesia, Australia, the UK, the US, Germany, Brazil, and other countries, stealing the payment and personal data of thousands of online shoppers.
Learn more#Riggedvote
The Voice Kids Russia
Russia’s Channel One asked Group-IB to investigate potential anomalies in the voting process for the Russian edition of the show The Voice Kids (Season 6). There was a great disparity between the finalists’ votes, and the channel attributed this to fowl play.
Learn more#Piracy
Pirate streaming network
This owner of a pirate streaming network in Russia profited off of infringements of video copyrights. The network contained dozens of websites, each of which contained more than 10,000 movies and TV shows.
Learn more#Android trojans
CRON
This group stole money from bank accounts of Android smartphone users. The hackers infected over 1 million devices in total and the overall damage from Cron’s activity is estimated to approximately $800 000.
Learn more#Malware development
CARBERP
The largest criminal gang in Russia managed to infect over 1.5 million computers and steal approximately $250 million from Russian bank accounts.
Learn more#Thefts from bank accounts
Popelysh brothers
In the short period from September to December 2010, Sarbin and the Popelysh twins stole approximately 2 million rubles from 16 customers.
Learn more#Android trojans
Fifth Reich
The hacker group, which had infected over 340,000 Android-based devices to steal money from bank accounts.
Learn more#DDoS attacks
Dragon DDoS-hacker
The 26-year old hacker was involved in DDoS attacks against large financial organization using Dragon botnet. Group-IB experts carried out the investigation, including detention of a criminal in a record period of one month.
Learn more#Android smartphones attacks
Mobile banking botnet
At the end of 2013, Sberbank of Russia security experts recorded a large-scale cyberattack on Android smartphone users. A group of criminals was infecting the smartphones through MMS delivery of some “romantic gifts”.
Learn more#Ransomware #DDoS
Ukrainian DDoS hackers
The criminal group that had been involved in launching DDoS attacks and extortion for over two years. In September 2015, one of the largest international online dating services, AnastasiaDate faced a powerful DDoS attack. The attack caused the company’s website failure and the hackers demanded $10,000 for stopping the assault.
Learn more#Retail companies hacking
Hijacking online accounts
Two hackers were breaching, hijacking, and selling access to over 700,000 online accounts at Russian-based online stores, payment systems, and bookmaking/betting portals.After gaining access to the victims account, both hackers sells these accounts on hacking forums for the price tag of $5 per account.
Learn more#Malicious mobile apps
Mobile malware
The hacker was stealing funds from Russian banks’ customers using Android Trojans. At the height of their activity, victims reportedly lost up to 8,000 dollars daily and levered cryptocurrency for laundering.
Learn more#Targeted attacks on banks
Corkow
In February 2015, the group conducted the first major successful attack on a trading system that provoked hacking induced exchange volatility.
Learn more#Malware development
Buhtrap
A solid example of a top criminal group refocusing from attacks against bank clients to attacks directly targeting financial institutions.
Learn more#APT attacks
Lazarus
The North Korean hacker group has spied on ideological enemies of the regime — state institutions and private corporations in the United States and South Korea — for years. Now Lazarus attacks banks and financial institutions throughout the world.
Learn more#Targeted attacks on banks
Cobalt
The group has attacked banks across the world. The group specializes in contactless (logical) attacks on ATMs. Cobalt has also turned their efforts to stealing from card processing systems, SWIFT systems and payment gateways.
Learn more#Attacks on banks
Hodprot group
One of the oldest Russian hacker gangs is known to have stolen approximately 125 million rubles from Russian bank accounts. To hide their activity, the criminals used control servers located abroad — in the Netherlands, Germany, France and the USA.
Learn more#APT against banks
Anunak / Carbanak
The first successful targeted attacks on banks in Russia. It is the most experienced group — having attacked over 50 Russian banks and 5 payment systems in 2013-2014, which resulted in total thefts of more than 1 billion rubles (about $25 million USD).
Learn more#Botnet
Germes
The largest botnet in Russia — known to have infected 4.5 million computers. The volume of fraud is estimated at more than 150 million rubles.
Learn more#Botnet
Hameleon
The group created the first Russian botnet designed to steal money from personal bank accounts. The criminal conducted attacks against bank clients using counterfeit SIM cards.
Learn more#DDoS attacks
PumpWaterReboot
The hacker was involved in DDoS attacks against Tinkoff Bank, Alfa-Bank, Promsvyazbank, Kaspersky Lab and large Internet portals. He is known to have demanded payment to stop further attacks.
Learn more#Malicious software
Paunch (Blackhole)
Author of widely used exploit kits. Up to 40% of infections worldwide were conducted using these products online.
Learn more#Android trojans
Waplook
The first criminal group who were arrested for money theft conducted using malicious mobile apps in Russia.
Learn more#Android trojans
Arrest video:
CRON
Infamous for:
This group stole money from bank accounts of Android smartphone users. The hackers infected over 1 million devices in total and the overall damage from Cron’s activity is estimated to approximately $800 000.
Status:
Disrupted. In November 2016, a large-scale operation was carried out in 6 Russian regions — 16 Cron members were detained. The last active member of the group was arrested in April 2017 in St. Petersburg.
Arrest video:
#Malware development
Arrest video:
Carberp
Infamous for:
The largest criminal gang in Russia managed to infect over 1.5 million computers and steal approximately $250 million from Russian bank accounts.
Status:
Disrupted. All members of the criminal group were arrested: the leaders were sentenced to 5 and 7 years of imprisonment accordingly.
Arrest video:
#Thefts from bank accounts
Arrest video:
Popelysh brothers
Infamous for:
In the short period from September to December 2010, Sarbin and the Popelysh twins stole approximately 2 million rubles from 16 customers. By February 2011, 170 customers of Russian banks from 46 regions in the country had fallen victim to the criminals, bringing the total amount of funds stolen to 13 million rubles.
The hackers were arrested in spring 2011 but received only mild sentences. Once they were released, the brothers reverted to their old habits: they equipped themselves with new malware. From March 2013 to May 2015, the Popelysh twins’ group gained access to more than 7000 customer accounts at various Russian banks and stole more than 12.5 million rubles.
Status:
In May 2015, the Popelysh twins were detained once again during a joint special operation conducted by the Ministry of Internal Affairs and the Federal Security Service in St. Petersburg. In June 2018, the Popelysh brothers were sentenced to 8 years in prison, their associates received from 4 to 6 years.
Arrest video:
#Android trojans
Arrest video:
“Fifth Reich”
Infamous for:
The hacker group, which had infected over 340,000 Android-based devices to steal money from bank accounts. Hackers distributed the malware via SMS messages containing a link to download a program masked as Adobe Flash Player. The criminals dubbed their malware «the fifth Reich» and used Nazi symbols in the control system.
Status:
Four suspects were arrested with assistance of Administration «K» of the Russian Ministry of Internal Affairs, Group-IB and Sberbank of Russia.
Arrest video:
#DDoS attacks
Arrest video:
Dragon DDoS-hacker
Infamous for:
The 26-year old hacker was involved in DDoS attacks against large financial organization using Dragon botnet. Group-IB experts carried out the investigation, including detention of a criminal in a record period of one month.
Status:
The hacker was sentenced to 7 years in prison.
Arrest video:
#Android smartphones attacks
Arrest video:
Mobile banking botnet
Infamous for:
At the end of 2013, Sberbank of Russia security experts recorded a large-scale cyberattack on Android smartphone users. A group of criminals was infecting the smartphones through MMS delivery of some «romantic gifts».
Status:
Due to joint forces of the Ministry of Internal Affairs, Sberbank of Russia and Group-IB the criminals were arrested.
Arrest video:
#Ransomware #DDoS
Ukrainian DDoS hackers
Infamous for:
The criminal group that had been involved in launching DDoS attacks and extortion for over two years. In September 2015, one of the largest international online dating services, AnastasiaDate faced a powerful DDoS attack. The attack caused the company’s website failure and the hackers demanded $10,000 for stopping the assault.
During the investigation, Group-IB found out that the said resource was not the only victim of the ransom seekers. Other attacks targeted online stores, payment systems, as well as websites offering betting, lottery and gaming services. The average ransom amount demanded by the criminals ranged from $1,000 to $10,000. Most of the victims simply paid their ransoms and did not appeal to the police.
Status:
Both suspects pleaded guilty of the alleged crimes and were imposed a 5‑year suspended sentence each.
#Android trojans
Mobile malware
Infamous for:
Two hackers were breaching, hijacking, and selling access to over 700,000 online accounts at Russian-based online stores, payment systems, and bookmaking/betting portals.After gaining access to the victims account, both hackers sells these accounts on hacking forums for the price tag of $5 per account. Buyers used access to the hacked accounts to buy products with that account’s bonuses. In some cases, the two hackers also offered «hijacking» services that included changing the account’s phone number and email.
Status:
The perpetrators were arrested and confessed to their actions. The investigation is ongoing.
#Malicious mobile apps
Mobile malware
Infamous for:
The hacker was stealing funds from Russian banks’ customers using Android Trojans. At the height of their activity, victims reportedly lost up to 8,000 dollars daily and levered cryptocurrency for laundering. The criminals’ approach was rather elementary: customers of banks downloaded the fake mobile app and entered their card details. The Trojan then sent bank card data or online banking credentials to the C&C server. Following this, the threat actor transferred 200-500 dollars at a time to previously activated bank accounts, and bypassed SMS confirmation codes which were intercepted from the victim’s phone. The victims were not aware of the transactions as all SMS confirmations of transactions were blocked.
Status:
The suspect has confessed to his actions and the investigation/ prosecution continues.
#Targeted attacks on banks
Corkow
Infamous for:
In February 2015, the group conducted the first major successful attack on a trading system that provoked hacking induced exchange volatility. By infecting the bank’s internal network, the criminals managed to access an exchange terminal and conducted a series of operations, which made the Dollar/Ruble exchange rate jump by almost 20%.
Status:
Suspended activity.
#Malware development
Buhtrap
Infamous for:
A solid example of a top criminal group refocusing from attacks against bank clients to attacks directly targeting financial institutions. From August 2015 to February 2016, this gang conducted 13 successful attacks on Russian banks causing direct losses in the amount of 1.8 billion rubles ($25 million USD). The loss to fraud was 2.5 times larger than the bank’s charter capital in two cases.
Status:
The group has suspended attacks on banks. They sold their botnet to other attackers, who are currently conducting thefts from legal entities.
#DDoS attacks
Lazarus
Infamous for:
The North Korean hacker group has spied on ideological enemies of the regime — state institutions and private corporations in the United States and South Korea — for years. Now Lazarus attacks banks and financial institutions throughout the world. The most large-scale attack happened in February 2016, when hackers tried to steal about $1bln from the Central Bank of Bangladesh by exploiting weaknesses in the bank’s security to infiltrate its system and gain access to computers with access to the SWIFT network. Due to a mistake in the payment document, the attackers managed to steal only $81 million.
Status:
Active
#Targeted attacks on banks
Cobalt
Infamous for:
The group has attacked banks across the world. The group specializes in contactless (logical) attacks on ATMs. Cobalt has also turned their efforts to stealing from card processing systems, SWIFT systems and payment gateways.
Status:
The arrest of 5 money mules associated with Cobalt has not affected the group activity. They continue to pose a high risk to financial institutions.
#Attacks on banks
Hodprot group
Infamous for:
One of the oldest Russian hacker gangs is known to have stolen approximately 125 million rubles from Russian bank accounts. To hide their activity, the criminals used control servers located abroad — in the Netherlands, Germany, France and the USA.
Status:
All members of the criminal group have been arrested. Legal proceedings have been launched against the criminals.
#APT against banks
Anunak / Carbanak
Infamous for:
The first successful targeted attacks on banks in Russia. It is the most experienced group — having attacked over 50 Russian banks and 5 payment systems in 2013-2014, which resulted in total thefts of more than 1 billion rubles (about $25 million USD). They also infected POS terminals in US and European retail chains. The group has a number of successors copying their tactics.
Status:
Disrupted. In November 2016, a large-scale operation was carried out in 6 Russian regions — 16 Cron members were detained. The last active member of the group was arrested in April 2017 in St. Petersburg.
#Botnet
Germes
Infamous for:
The largest botnet in Russia — known to have infected 4.5 million computers. The volume of fraud is estimated at more than 150 million rubles.
Status:
The leader of the group has been arrested and charged with thefts in a range of countries.
#Botnet
Hameleon group
Infamous for:
The group created the first Russian botnet designed to steal money from personal bank accounts. The criminal conducted attacks against bank clients using counterfeit SIM cards.
Status:
The investigation resulted in fraud prevention to the sum of 1 billion rubles. The leader of the group has been arrested.
#DDoS attacks
PumpWaterReboot
Infamous for:
The hacker was involved in DDoS attacks against Tinkoff Bank, Alfa-Bank, Promsvyazbank, Kaspersky Lab and large Internet portals. He is known to have demanded payment to stop further attacks.
Status:
Found guilty under Russian legislation.
#Malicious software
Paunch (Blackhole)
Infamous for:
Author of widely used exploit kits. Up to 40% of infections worldwide were conducted using these products online.
Status:
The group leader was sentenced to 7 years in a Russian penal colony in April 2016.
#Android trojans
Waplook
Infamous for:
The first criminal group who were arrested for money theft conducted using malicious mobile apps in Russia.
Status:
The investigation is ongoing.
#Covid19
Fake COVID-19 Passes in Russia
Case:
Over 100 fraudulent online resources — including websites, Telegram channels, and groups in social media — are illegally selling fake digital passes to the residents of Moscow and other Russian regions. These passes are required by law to move around cities during the COVID-19 lockdown.
Status:
Group-IB is working with police to identify and detain operators of these fake web resources. Over a half of them have been blocked.
The Moscow police found evidence that pointed to two residents of Moscow and the Moscow region who ran such sites. Both suspects were detained and pleaded guilty to fraud. Criminal proceedings have been launched.
#Bankfraud
TipTop
Case:
TipTop, a hacker group that targets clients of major Russian banks, used malware disguised as popular mobile apps to steal money from bank cards. It is estimated that over 800,000 smartphones were infected, and that the group stole between $1,500 and $10,500 every day.
Status:
A joint operation of Russian cyberpolice forces resulted in the arrest and conviction of a member of TipTop responsible for transferring stolen money.
#Malware development
GetBilling
Case:
JS-sniffer family GetBilling infected hundreds of e-commerce websites in Indonesia, Australia, the UK, the US, Germany, Brazil, and other countries, stealing the payment and personal data of thousands of online shoppers.
Status:
GetBilling operators were arrested and convicted as a result of joint operation Night Fury initiated by INTERPOL’s ASEAN Cyber Capability Desk, Indonesian Cyber Police, and Group-IB’s APAC Cyber Investigations Team.
This case was the first successful multi-jurisdictional operation against JS-sniffers in the region.
#Riggedvote
The Voice Kids Russia
Case:
Russia’s Channel One asked Group-IB to investigate potential anomalies in the voting process for the Russian edition of the show The Voice Kids (Season 6). There was a great disparity between the finalists’ votes, and the channel attributed this to fowl play.
Status:
In less than a month, Group-IB was able to confirm that a portion of the votes (tens of thousands, to be exact) cast during the season was fake.
#Piracy
Pirate streaming network
Case:
This owner of a pirate streaming network in Russia profited off of infringements of video copyrights. The network contained dozens of websites, each of which contained more than 10,000 movies and TV shows.
Status:
After identifying digital traces of the perpetrator, Group-IB were able to identify them and law enforcement eventually found and detained them. The pirate was convicted and sentenced, the first such ruling in a Russian court.
Contact our team