30 August 2019

Group-IB: Member of TipTop hacking group convicted

A member of TipTop, a hacking group that for several years attacked customers of major Russian banks, has been arrested and convicted in Russia. The group, dubbed TipTop by Group-IB, used malware to steal money from payment cards. The member's arrest was the result of a joint operation by Russian cyber police units.

Video of the arrest (Group-IB's YouTube channel).

The group distributed their malware by disguising it as popular mobile apps. Downloading such an app prompted the download of the actual Trojan, which gave the hackers access to the mobile banking services the victims used.

The group was dubbed TipTop, and its main targets were customers of major Russian banks who used Android smartphones. The hackers delivered malware to victims' devices via fake mobile apps disguised as banking apps, messengers, Adobe's graphic design application, and a fake Google Play store app. The hackers placed links to the fake apps either on websites they designed themselves or on legitimate web resources they had compromised. To increase the number of potential victims, the cybercriminals promoted these websites in search engines by purchasing ads for the keyword ‘mobile bank’.

Sergey Lupanin

Head of Investigation Department, Group-IB

Once the user tried to download one of the malicious apps, the Hqwar Android banking Trojan (also known as Agent.BID) was installed on their device. The group also tried other tools and money withdrawal schemes, which made it difficult to attribute a particular attack to them. In 2015, the hackers used the Hqwar (Agent.BID) Android Trojan to infect customers of Russian banks. In 2016, they started using the Honli Trojan, and in February 2016 an upgraded version of it, which antivirus products detected as Asacub.g. In the same year, the group tried infecting smartphones with Cron, a Trojan developed by their predecessors that gave its name to that group. At the time, TipTop used the CatsElite (MarsElite) Trojan. In April 2017, they returned to Hqwar (Agent.BID) but also used Lokibot and an upgraded version of the old Marcher (Rahunok) Trojan.

All the mobile Trojans used by the hackers could intercept and read SMS messages, record phone calls and send USSD requests, but their main goal was to steal payment card details, either through phishing windows that copied legitimate application windows or through web fakes designed to trick users into entering their online banking credentials. The group's C&C servers, used to infect the devices and control the botnets, were located in Germany, the USA and Ukraine at different times.

During the investigation, the police established that a previously convicted 31-year-old resident of the city of Krasnoyarsk, who transferred money from users' accounts to the accounts and cards of the cybercriminals, was responsible for stealing money (over $1,000) from residents of one of the regions of Russia.

The man was arrested and his home was searched. During the search, the police found and seized computers, hard drives, flash drives, phones, and SIM cards. According to the investigation, the detainee’s role in the TipTop group was to transfer money from users’ accounts to the accounts and cards of the cybercriminals.

The police opened a criminal case under Article 273 of the Russian Criminal Code («Creation, use and dissemination of harmful computer programs»). The accused was later convicted and received a two-year suspended sentence.

After the fall of the CRON gang in late 2016, TipTop, to which the detainee belonged, became one of the largest and most dangerous groups. With the use of Android Trojans, the cybercriminals managed to infect over 800,000 smartphones. The damage from their activities is currently being established, but certain estimates suggest that the cybercriminal group could have stolen between USD 1,500 and 10,500 on a daily basis. Group-IB first detected the group's activities in 2015. The group's victims in a number of regions across Russia have been identified.

Sergey Lupanin

Head of Investigation Department, Group-IB

Group-IB, headquartered in Singapore, is one of the leading providers of solutions dedicated to detecting and preventing cyberattacks, identifying online fraud, investigating high-tech crimes and protecting intellectual property. The company's threat intelligence and research centers are located in the Middle East (Dubai), the Asia-Pacific (Singapore), Europe (Amsterdam), and Russia (Moscow).

Group-IB's Threat Intelligence & Attribution system has been named one of the best in class by Gartner, Forrester, and IDC. Group-IB's Threat Hunting Framework (earlier known as TDS), intended for proactively hunting and protecting against complex and previously unknown cyberthreats, has been recognized as one of the leaders in Network Detection and Response by the leading European analyst agency KuppingerCole Analysts AG, while Group-IB itself has been recognized as a Product Leader and Innovation Leader. Gartner identified Group-IB as a Representative Vendor in Online Fraud Detection for its Fraud Hunting Platform. In addition, Group-IB was granted Frost & Sullivan's Innovation Excellence award for its Digital Risk Protection (DRP), an AI-driven platform for identifying and mitigating digital risks and counteracting brand impersonation attacks, with the company's patented technologies at its core.

Group-IB’s technological leadership and R&D capabilities are built on the company’s 18 years of hands-on experience in cybercrime investigations worldwide and 70,000 hours of cybersecurity incident response accumulated in our leading forensic laboratory, high-tech crime investigations department, and round-the-clock CERT-GIB. Group-IB is a partner of Europol.

Group-IB’s experience in threat hunting and cyber intelligence has been fused into an ecosystem of highly sophisticated software and hardware solutions designed to monitor, identify, and prevent cyberattacks. Group-IB’s mission is to fight high-tech crime while protecting our clients in cyberspace and helping them achieve their goals. To do so, we analyze cyber threats, develop our infrastructure to monitor them, respond to incidents, investigate complex high-tech crimes, and design unique technologies, solutions, and services to counteract adversaries.
