Cybercrime and international investigations

With organised crime becoming increasingly sophisticated and technology-enabled, there is a need for increased global cooperation amongst police and law enforcement agencies, as well as the private sector.

This has been demonstrated recently in the arrest of the leader of an organised crime group behind global malware attacks that infiltrated over 100 banks in more than 40 countries, with combined losses of over EUR 1 billion.

The arrest occurred in Alicante, Spain after a complex investigation conducted by the Spanish National Police, with the support of Europol, the US FBI, the Romanian, Belarussian and Taiwanese authorities and private cyber security companies. We explore the details provided in a Europol press release.


Malware development

  • The organised crime group started its activities in late 2013 with its ‘Anunak’ malware campaign
  • By 2014 this malware was developed into a more sophisticated version known as ‘Carbanak’, which was used until 2016.
  • From then onwards, efforts focused on developing even more sophisticated cyber-attacks by using tailor-made malware based on the Cobalt Strike penetration testing software.


Operating model

All cyber-attacks followed a similar pattern:

  • Spear phishing emails were sent to bank employees to infect their computers
  • Malware was deployed through the bank’s internal network, infecting servers and controlling ATMs
  • Money was cashed out by one of the following means:
    • Money transferred into criminal’s account or foreign bank account
    • Criminal sending command to specific ATMs to spit out cash and money mules collecting the money
    • Criminal raising the balance of a bank account they control, and withdrawing money at an ATM
  • Stolen money was converted into cryptocurrencies such as Bitcoin, and laundered through purchasing goods such as luxury cars and properties


International cooperation

The leader of the organised crime group, the coders who developed the malware, and other players such as the money mules and launderers were all located in different parts of the world. Therefore, International police cooperation was essential in order to bring them to justice.

This effort was headed by Europol and the Joint Cybercrime Action Taskforce, with Europol’s European Cybercrime Centre (EC3) facilitating the information exchange, malware analysis support and operations including deployment of various experts on the day of the arrest.

Europol also collaborated with the European Banking Federation (EBF) and private security companies, showing public-private cooperation to be instrumental to the success of the operation.



Steven Wilson, Head of Europol’s European Cybercrime Centre (EC3), said: “This global operation is a significant success for international police cooperation against a top level cybercriminal organisation. The arrest of the key figure in this crime group illustrates that cybercriminals can no longer hide behind perceived international anonymity. This is another example where the close cooperation between law enforcement agencies on a worldwide scale and trusted private sector partners is having a major impact on top level cybercriminality.”



Nyman Gibson Miralis provides expert advice and representation in complex international cybercrime investigations. Our expertise includes dealing with malware, phishing and computer hacking offences, bootlegging and tripping, Bitcoin and crypto-currency fraud, as well as offences relating to identity theft, spreading computer viruses and DDoS attacks.

Contact us if you require assistance.