The Biggest Digital Heist in History Isn't Over Yet

Jun 27, 2018, 01:09 PM

As night fell in Taipei on July 10, 2016, most people in the city were hunkered down to ride out the end of a typhoon. Not Sergey Berezovsky and Vladimir Berkman. The two Russians made their way through the rain to an ATM at First Commercial Bank, one of Taiwan’s top lenders. Wearing hats and antipollution masks, they loitered at the machine for a moment. Then, as the astonished couple in line behind them later told the police, the ATM started disgorging cash without either man touching it. The men shoved the bills into a satchel and brushed past them. As the Russians drove off in a black sedan, the couple spotted something on the ground: One of the guys had dropped his bank card. By the time detectives traced Berezovsky and Berkman to the nearby Grand Hyatt the next day, the Russians had already jetted off to Moscow by way of Hong Kong. And they were just two of 15 “money mules” who’d hit 41 ATMs at 22 branches of First Commercial over that stormy weekend, the cops learned, taking 83 million New Taiwan dollars (NT$), or about $2.6 million. Hackers, investigators discovered, had forced the machines to spit out cash.

The Carbanak gang had struck again. Before WannaCry, before the Sony Pictures hack, and before the breaches that opened up Equifax and Yahoo!, there was a nasty bit of malware known as Carbanak. Unlike those spectacular attacks, this malware wasn’t created by people interested in paralyzing institutions for ransom, publishing embarrassing emails, or taking personal data. The Carbanak guys just wanted loot, and lots of it. Since late 2013, this band of cybercriminals has penetrated the digital inner sanctums of more than 100 banks in 40 nations, including Germany, Russia, Ukraine, and the U.S., and stolen about $1.2 billion, according to Europol, the European Union’s law enforcement agency. The string of thefts, collectively dubbed Carbanak—a mashup of a hacking program and the word “bank”—is believed to be the biggest digital bank heist ever. In a series of exclusive interviews with Bloomberg Businessweek, law enforcement officials and computer-crime experts provided revelations about their three-year pursuit of the gang and the mechanics of a caper that’s become the stuff of legend in the digital underworld.

Besides forcing ATMs to cough up money, the thieves inflated account balances and shuttled millions of dollars around the globe. Deploying the same espionage methods used by intelligence agencies, they appropriated the identities of network administrators and executives and plumbed files for sensitive information about security and account management practices. The gang operated through remotely accessed computers and hid their tracks in a sea of internet addresses. “Carbanak is the first time we saw such novel methods used to penetrate big financial institutions and their networks,” says James Chappell, co-founder and chief innovation officer of Digital Shadows Ltd., a London intelligence firm that works with the Bank of England and other lending institutions. “It’s the breadth of the attacks, that’s what’s truly different about this one.”

For years police and banking-industry sleuths doubted they’d ever catch the phantoms behind Carbanak. Then, in March, the Spanish National Police arrested Ukrainian citizen Denis Katana in the Mediterranean port city of Alicante. The authorities have held him since then on suspicion of being the brains of the operation. Katana’s lawyer declined to comment, and his client’s alleged confederates couldn’t be reached for comment. While Katana hasn’t been charged with a crime, Spanish detectives say financial information, emails, and other data trails show he was the architect of a conspiracy that spanned three continents. And there are signs that the Carbanak gang is far from finished.

Carbanak first surfaced in Kiev, when executives at a Ukrainian bank realized they were missing a bunch of money. Security cameras showed the lender’s ATMs dispensing cash in the predawn h...