Based on our 16-year hands-on experience, we have extensive knowledge of criminal schemes, ranging from recruiting insiders and developing malicious programs to withdrawing and cashing out money. This enables us to immobilize the attackers before businesses or individuals suffer major damage.
Every investigation is different and may require a different route through the process. Group-IB’s investigations are conducted by a diverse project team consisting of e-Discovery and forensic analysts, economic security, financial audit and corporate law specialists, and financial crime experts.
As technology reaches into nearly all areas of our lives, law enforcement officers are challenged to maintain the skills and tools needed to conduct thorough investigations. Our experts work closely with international police in combating various types of crimes — from computer-based crimes to murders and missing people.
Group-IB’s investigation department has adopted a proactive approach and developed a set of technologies for identifying groups or individuals who are assessed as being involved in ongoing criminal activity. We accelerate investigations using in-house tools for pattern analysis, network analysis and tactical profiling.
High-tech crime investigations are the oldest area of our activity. We conduct a wide variety of investigations, including:
- Competitive espionage, phishing, intellectual property breach, theft of trade secrets, credentials and other sensitive information.
- Cryptocurrency theft, online banking, mobile banking, email fraud, ATMs, card processing, SWIFT, payment gateways.
- Abuse of authority, competitive espionage, damage to critical infrastructure, data leakage, account takeover.
- Extortion, reputational damage, defamation, harassment and identity theft.
- Overload of communication channels (emails, phone calls, social messengers).
- Competitive and targeted attacks to overload web services and networks.
- Attacks on water supply, transport infrastructure and power grid control systems.
- Malware creation, proliferation and control, botnets, ransomware and spyware.
Along with combating advanced cyber crimes we assist law enforcement bodies in investigating criminal cases such as murders, suicides, robberies, kidnapping and others.
We explore the anatomy of the attack and threat actor’s infrastructure, identify the mechanisms and recreate the sequence of events.
Group-IB investigators collect all digital evidence in compliance with legal requirements and prepare required documentation for presenting evidence correctly in court.
Our investigators have sound knowledge of the relevant law and provide full-cycle consultation support to lawyers and various law enforcement agencies at every stage of an investigation.
Group-IB has conducted over 1000 successful investigations, leading to arrests or a decrease in criminal activity:
Learn moreThis group stole money from bank accounts of Android smartphone users. The hackers infected over 1 million devices in total and the overall damage from Cron’s activity is estimated to approximately $800 000.
Disrupted. In November 2016, a large-scale operation was carried out in 6 Russian regions — 16 Cron members were detained. The last active member of the group was arrested in April 2017 in St. Petersburg.
The largest criminal gang in Russia managed to infect over 1.5 million computers and steal approximately $250 million from Russian bank accounts.
Disrupted. All members of the criminal group were arrested: the leaders were sentenced to 5 and 7 years of imprisonment respectively.
In the short period from September to December 2010, Sarbin and the Popelysh twins stole approximately 2 million rubles from 16 customers. By February 2011, 170 customers of Russian banks from 46 regions in the country had fallen victim to the criminals, bringing the total amount of funds stolen to 13 million rubles.
The hackers were arrested in spring 2011 but received only mild sentences. Once they were released, the brothers reverted to their old habits: they equipped themselves with new malware. From March 2013 to May 2015, the Popelysh twins’ group gained access to more than 7000 customer accounts at various Russian banks and stole more than 12.5 million rubles.
In May 2015, the Popelysh twins were detained once again during a joint special operation conducted by the Ministry of Internal Affairs and the Federal Security Service in St. Petersburg. In June 2018, the Popelysh brothers were sentenced to 8 years in prison, their associates received from 4 to 6 years.
The hacker group infected over 340,000 Android-based devices to steal money from bank accounts. The hackers distributed the malware via SMS messages containing a link to download a program disguised as Adobe Flash Player. The criminals dubbed their malware “the fifth Reich” and used Nazi symbols in the control system.
Four suspects were arrested with the assistance of Administration “K” of the Russian Ministry of Internal Affairs, Group-IB and Sberbank of Russia.
The 26-year-old hacker was involved in DDoS attacks against a large financial organization using the Dragon botnet. Group-IB experts carried out the investigation, including the detention of the criminal, in a record period of one month.
The hacker was sentenced to 7 years in prison.
At the end of 2013, Sberbank of Russia security experts recorded a large-scale cyberattack on Android smartphone users. A group of criminals was infecting the smartphones through MMS delivery of “romantic gifts”.
Thanks to the joint efforts of the Ministry of Internal Affairs, Sberbank of Russia and Group-IB, the criminals were arrested.
The criminal group had been involved in launching DDoS attacks and extortion for over two years. In September 2015, one of the largest international online dating services, AnastasiaDate, faced a powerful DDoS attack. The attack caused the failure of the company’s website, and the hackers demanded $10,000 to stop the assault.
During the investigation, Group-IB found out that this resource was not the only victim of the ransom seekers. Other attacks targeted online stores, payment systems, as well as websites offering betting, lottery and gaming services. The ransom amounts demanded by the criminals ranged from $1,000 to $10,000. Most of the victims simply paid the ransom and did not report the attack to the police.
Both suspects pleaded guilty to the alleged crimes and each received a 5-year suspended sentence.
Two hackers were breaching, hijacking, and selling access to over 700,000 online accounts at Russian-based online stores, payment systems, and bookmaking/betting portals. After gaining access to the victims’ accounts, the two hackers sold these accounts on hacking forums for $5 per account. Buyers used access to the hacked accounts to buy products with that account’s bonuses. In some cases, the two hackers also offered “hijacking” services that included changing the account’s phone number and email.
The perpetrators were arrested and confessed to their actions. The investigation is ongoing.
The hacker was stealing funds from Russian banks’ customers using Android Trojans. At the height of their activity, victims reportedly lost up to 8,000 dollars daily, and cryptocurrency was used for laundering. The criminals’ approach was rather elementary: bank customers downloaded the fake mobile app and entered their card details. The Trojan then sent the bank card data or online banking credentials to the C&C server. Following this, the threat actor transferred 200-500 dollars at a time to previously activated bank accounts, bypassing SMS confirmation codes, which were intercepted from the victim’s phone. The victims were not aware of the transactions, as all SMS confirmations of transactions were blocked.
The suspect has confessed to his actions, and the investigation and prosecution continue.
In February 2015, the group conducted the first major successful attack on a trading system that provoked hacking-induced exchange volatility. By infecting the bank’s internal network, the criminals managed to access an exchange terminal and conducted a series of operations that made the Dollar/Ruble exchange rate jump by almost 20%.
Suspended activity.
A solid example of a top criminal group refocusing from attacks against bank clients to attacks directly targeting financial institutions. From August 2015 to February 2016, this gang conducted 13 successful attacks on Russian banks, causing direct losses of 1.8 billion rubles ($25 million USD). In two cases, the losses from the fraud were 2.5 times larger than the bank’s charter capital.
The group has suspended attacks on banks. They sold their botnet to other attackers, who are currently conducting thefts from legal entities.
The North Korean hacker group has spied on ideological enemies of the regime — state institutions and private corporations in the United States and South Korea — for years. Now Lazarus attacks banks and financial institutions throughout the world. The largest-scale attack happened in February 2016, when the hackers tried to steal about $1 billion from the Central Bank of Bangladesh by exploiting weaknesses in the bank’s security to infiltrate its system and gain access to computers connected to the SWIFT network. Due to a mistake in a payment document, the attackers managed to steal only $81 million.
Active
The group has attacked banks across the world. The group specializes in contactless (logical) attacks on ATMs. Cobalt has also turned their efforts to stealing from card processing systems, SWIFT systems and payment gateways.
The arrest of 5 money mules associated with Cobalt has not affected the group’s activity. They continue to pose a high risk to financial institutions.
One of the oldest Russian hacker gangs is known to have stolen approximately 125 million rubles from Russian bank accounts. To hide their activity, the criminals used control servers located abroad — in the Netherlands, Germany, France and the USA.
All members of the criminal group have been arrested. Legal proceedings have been launched against the criminals.
This group carried out the first successful targeted attacks on banks in Russia. It is the most experienced group, having attacked over 50 Russian banks and 5 payment systems in 2013-2014, which resulted in total thefts of more than 1 billion rubles (about $25 million USD). They also infected POS terminals in US and European retail chains. The group has a number of successors copying their tactics.
The largest botnet in Russia — known to have infected 4.5 million computers. The volume of fraud is estimated at more than 150 million rubles.
The leader of the group has been arrested and charged with thefts in a range of countries.
The group created the first Russian botnet designed to steal money from personal bank accounts. The criminal conducted attacks against bank clients using counterfeit SIM cards.
The investigation resulted in fraud prevention to the sum of 1 billion rubles. The leader of the group has been arrested.
The hacker was involved in DDoS attacks against Tinkoff Bank, Alfa-Bank, Promsvyazbank, Kaspersky Lab and large Internet portals. He is known to have demanded payment to stop further attacks.
Found guilty under Russian legislation.
Author of widely used exploit kits. Up to 40% of infections worldwide were conducted using these products online.
The group leader was sentenced to 7 years in a Russian penal colony in April 2016.
The first criminal group in Russia to be arrested for money theft conducted using malicious mobile apps.
The investigation is ongoing.
Over 100 fraudulent online resources — including websites, Telegram channels, and groups in social media — are illegally selling fake digital passes to the residents of Moscow and other Russian regions. These passes are required by law to move around cities during the COVID-19 lockdown.
Group-IB is working with the police to identify and detain the operators of these fake web resources. Over half of them have been blocked.
The Moscow police found evidence that pointed to two residents of Moscow and the Moscow region who ran such sites. Both suspects were detained and pleaded guilty to fraud. Criminal proceedings have been launched.
TipTop, a hacker group that targets clients of major Russian banks, used malware disguised as popular mobile apps to steal money from bank cards. It is estimated that over 800,000 smartphones were infected, and that the group stole between $1,500 and $10,500 every day.
A joint operation of Russian cyberpolice forces resulted in the arrest and conviction of a member of TipTop responsible for transferring stolen money.
JS-sniffer family GetBilling infected hundreds of e-commerce websites in Indonesia, Australia, the UK, the US, Germany, Brazil, and other countries, stealing the payment and personal data of thousands of online shoppers.
GetBilling operators were arrested and convicted as a result of joint operation Night Fury initiated by INTERPOL’s ASEAN Cyber Capability Desk, Indonesian Cyber Police, and Group-IB’s APAC Cyber Investigations Team.
This case was the first successful multi-jurisdictional operation against JS-sniffers in the region.
Russia’s Channel One asked Group-IB to investigate potential anomalies in the voting process for the Russian edition of the show The Voice Kids (Season 6). There was a great disparity between the finalists’ votes, and the channel attributed this to foul play.
In less than a month, Group-IB was able to confirm that a portion of the votes (tens of thousands, to be exact) cast during the season was fake.
The owner of a pirate streaming network in Russia profited from video copyright infringement. The network contained dozens of websites, each of which hosted more than 10,000 movies and TV shows.
After identifying the perpetrator’s digital traces, Group-IB was able to identify them, and law enforcement eventually found and detained them. The pirate was convicted and sentenced, the first such ruling in a Russian court.
Group-IB in cooperation with INTERPOL and the Nigerian Police Force targeted a business email compromise (BEC) cybercrime gang from Nigeria called TMT. Since 2017, the group has compromised at least 500,000 government and private sector companies in more than 150 countries.
Three TMT gang members have been arrested in Lagos. The operation is still ongoing, as thousands of members remain at large.
This three-month anti-cybercrime operation was led by Europol’s European Cyber Crime Centre (C3) and supported by the Dedicated Card and Payment Crime Unit of the London Police, the City of London Police, and Group-IB, which was the only private-sector cybersecurity company involved. The effort targeted traders of compromised card details.
Data from Group-IB Threat Intelligence & Attribution led to Carding Action preventing nearly 40 million euros in losses across Europe.
Security Investigation – Group-IB Hi-Tech Crime Investigations