Russian police are reported to have arrested the gang behind the notorious Carberp Trojan, used to steal hundreds of millions of roubles from online bank customers during one of the largest cybercrime campaigns ever to hit the country.
In a major police operation, the Federal Security Service (FSB) and Ministry of the Interior (MVD) are said to have swooped on the gang's ringleaders, two Moscow-based brothers in their late 20s, one of whom was wanted for real estate fraud.
Six accomplices of the pair were also detained.
“Our experts did an enormous amount of work, which resulted in identifying the head of this criminal group, the owner and operator of a specialised banking botnet, identifying the control servers, and identifying the directing of traffic from popular websites in order to spread malware infection,” said Ilya Sachkov, CEO of Group-IB, a security firm that helped investigate the gang’s attacks.
“The investigations conducted by our Forensics Lab confirmed the use of the Win32/Carberp and Win32/Rdpdor malware by the criminals in order to carry out theft of funds.”
The gang also conducted DDoS attacks, Sachkov said. Police seem confident that they have netted the entire gang.
Often associated with the Blackhole Exploit Kit, Carberp achieved notoriety across the online banking world as a follow-up attack in the aftermath of the infamous Zeus Trojan of 2010.
In its signature Russian attacks, the Trojan would steal online banking logins, which allowed the criminals to transfer sums to mule accounts, from which the money was then withdrawn using ATM transactions.
What marked the Carberp gang out from the start was the apparent impunity with which it attacked ordinary Russians, something that made it public enemy number one in the country. Up to 130 banks around the world were affected, with at least 130 million roubles (£2.8 million) stolen in a recent three-month period in Russia alone.
Worldwide, in the 18 months of its operation Carberp was probably making the gang millions of dollars per month, some of which was cycled back into other cybercrime campaigns.
The full extent of the gang's activities has still to be established but could take in other high-profile Russian malware activities.