The Billion Dollar Heist: Carbanak and the FIN7 Banking Operation
At two in the morning on a weekday in a city somewhere in Eastern Europe, a man walked up to an ATM.
He was not carrying a card. He did not enter a PIN. He stood in front of the machine with the casual posture of someone waiting for a bus, and precisely on schedule — at the moment that had been programmed into the machine weeks earlier, during the period when its operator was asleep and its software had been invisibly rewritten — the ATM began dispensing cash.
He collected the bills. He walked away.
He was a money mule. The people who had orchestrated the moment he just experienced were somewhere else entirely — watching on a screen, logging the transaction, routing the funds, and already turning their attention to the next bank, the next ATM, the next set of internal wire transfers that would move money out of financial institutions and into accounts they controlled before any compliance officer at any institution checked their reports in the morning.
By the time Kaspersky Lab published its findings on the Carbanak group in February 2015, those orchestrators had stolen over $1 billion from more than 100 banks in 30 countries — the largest bank robbery in history, executed not with masks and firearms but with Microsoft Word documents and months of patient observation.
Threat Actor Profile: FIN7 / Carbanak Group
Designation: “Carbanak” (Kaspersky Lab designation, derived from strings in the malware); “Anunak” (Group-IB/Fox-IT designation for the group’s earlier phase); “FIN7” (Mandiant/FireEye financial threat designation for the overlapping threat actor); “Cobalt Group” (Group-IB designation for related operations)
Attribution: Eastern European criminal syndicate. Multiple forensic investigations point to Ukraine and Russia as the primary operating bases. No confirmed nation-state direction, though several members have been linked to locations in Ukraine, Russia, Moldova, and Georgia. The syndicate operated with a level of sophistication and operational security that suggests either prior professional security training or significant resources for acquiring it.
Origin: Eastern Europe (Ukraine, Russia, Moldova attributed)
Active: 2013 (Anunak phase) through at least 2018 (FIN7 phase); some operations continuing post-arrests
Primary Mission: Financial theft from banking institutions, financial services companies, and (in later FIN7 operations) restaurant, hospitality, and retail point-of-sale systems globally
Known Tradecraft: Spear phishing with malicious Office documents, Carbanak RAT deployment, long-term persistent access, screen recording and video capture, ATM jackpotting, SWIFT manipulation, money mule networks, use of legitimate tools (Cobalt Strike, Metasploit) to blend with authorized activity
Notorious Operations:
- Anunak (2013–2014): The initial phase of operations, primarily targeting Russian banks and financial institutions. Smaller in scale but identical in methodology to later operations. Named by Group-IB and Fox-IT.
- Carbanak Global Campaign (2014–2015): The expansion phase. Over 100 banks in 30 countries targeted across Europe, Latin America, and Asia. Use of the Carbanak RAT for long-term access and reconnaissance. ATM jackpotting and SWIFT manipulation as primary cash-out mechanisms.
- Metel Campaigns: A related but distinct campaign targeting banks by compromising the computers of call center employees who had access to banking systems. Allowed attackers to roll back ATM transactions in real time, enabling unlimited cash withdrawals.
- GCMAN: A campaign targeting foreign exchange and other financial services companies, routing funds through cryptocurrency exchanges to obscure financial trails.
- FIN7 / Cobalt Group Operations (2016–2018): Expansion into point-of-sale system targeting in US restaurant, hospitality, and retail chains, including breaches of Chipotle, Arby’s, Jason’s Deli, and others. Estimated 15 million payment cards stolen.
The Spear Phish: An Ordinary Email
The entire operation — the billion dollars, the hundred banks, the ATMs dispensing cash in the middle of the night — began with an email.
Not a sophisticated email. Not a complex, multi-stage delivery mechanism. A Microsoft Word document, attached to a message that looked like it might have come from somewhere legitimate: a financial regulator, a partner institution, a software vendor, a job applicant. The document exploited a known and already patched vulnerability: CVE-2014-1761, a memory corruption bug in Word’s RTF parser whose patch had not been applied on many corporate machines, or, in earlier operations, CVE-2012-0158, a critical vulnerability in the MSXML ActiveX control that Microsoft had patched in April 2012 and that dozens of criminal groups were still exploiting successfully years later.
A bank employee in the accounting department, or the finance team, or the IT operations group, opened the document. They may have seen a brief flash of content before Word crashed, or they may have seen a convincing-looking document that displayed normally while, underneath, shellcode executed.
The shellcode connected back to a command-and-control server. It downloaded the Carbanak RAT — a Remote Access Trojan of considerable sophistication — and installed it quietly in memory and as a persistent service. The employee’s machine was now owned.
Nothing visible had changed. No ransom demand appeared. No files were encrypted. No data was obviously exfiltrated. The employee closed Word, perhaps reopened the document, perhaps moved on with their day.
In the background, the long game had begun.
The Carbanak RAT: Two Years of Watching
The Carbanak RAT was not designed for a smash-and-grab. It was designed for long-term persistent access — the kind of access you need when you are trying to learn how a bank operates from the inside well enough to impersonate its own employees.
The RAT’s capabilities were extensive:
Keylogging: Every keystroke made on an infected machine was captured and transmitted. Every password. Every email. Every internal message.
Screen capture and video recording: The RAT captured screenshots at configurable intervals. More usefully, it could activate continuous video recording of the infected machine’s screen — essentially streaming surveillance footage of whatever the bank employee was doing. Over weeks and months, the attackers accumulated video footage of employees conducting routine transactions, accessing internal systems, processing wire transfers, and operating ATMs through remote management interfaces.
Active microphone access: The RAT could activate the machine’s microphone and stream audio back to the attackers — making it possible to monitor phone calls and in-person conversations at the workstation.
Command execution: Full remote shell access. The attackers could execute arbitrary commands, install additional software, move files, and interact with any system the infected machine could reach.
Lateral movement capability: Once established on one machine, the Carbanak infrastructure supported lateral movement across the corporate network, hopping from system to system using harvested credentials and techniques borrowed from legitimate penetration testing frameworks.
The average time between initial infection and the first cash-out operation at a targeted bank was three to four months.
The attackers spent those months watching.
Learning to Be a Banker
The observation phase served a specific purpose: the attackers were building a model of how each specific bank’s operations worked, detailed enough to allow them to conduct transactions that would appear completely legitimate to the bank’s own systems and employees.
They watched how wire transfers were authorized. Which employees had what level of access. What approval workflows were required for transactions above certain thresholds. What the normal pattern of transactions looked like for a given account or business line. Which systems communicated with which other systems, and through what interfaces.
When they had accumulated sufficient operational intelligence, they moved to the extraction phase.
The Carbanak group used three primary cash-out mechanisms, often in combination:
Mechanism 1: ATM Jackpotting
ATMs are, at their core, networked computers running Windows XP or Windows 7, connected to a bank’s internal network and managed through administrative interfaces. Through the lateral movement capabilities of the Carbanak infrastructure, the attackers would identify the machines on the bank’s network that had administrative access to ATM management software. They would then use those machines to directly manipulate ATM configurations.
Specifically, they would issue commands to specific ATMs directing them to dispense cash at specific times — typically in the middle of the night, when the machines would not be attended by normal users. Money mules stationed nearby would collect the dispensed bills. The operation was precise: a specific ATM would dispense cash at 2:00 AM on a specific date, and a mule would be positioned to receive it.
The ATM’s transaction logs would record the dispensing, but the records would show internal administrative commands rather than user-initiated transactions. Without the context of knowing the bank’s network had been compromised, the disbursements were difficult to distinguish from routine maintenance activities.
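The detection opportunity in that last paragraph is the mismatch between two record sources: the ATM's own dispenser log and the authorization journal on the bank's transaction host. A cash-out driven through the management interface produces a dispense event with no corresponding host authorization, and it typically happens at 2 AM. The following script is an added example written for this page, not code from Kaspersky, the investigators, or any bank; the log formats, field names, and sample records are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed sample records (not from any real bank). Two independent sources:
# the ATM's own dispenser event log and the transaction host's authorization
# journal. Field names and formats are assumptions made for this example.
ATM_DISPENSE_LOG = """\
2015-01-12T14:02:11 ATM-0417 DISPENSE amount=200 txn=A88123
2015-01-12T16:45:03 ATM-0417 DISPENSE amount=500 txn=A88190
2015-01-13T02:00:04 ATM-0417 DISPENSE amount=4000 txn=-
2015-01-13T02:00:31 ATM-0417 DISPENSE amount=4000 txn=-
2015-01-13T09:15:40 ATM-0417 DISPENSE amount=100 txn=A88402
"""

HOST_AUTH_LOG = """\
A88123 2015-01-12T14:02:09 ATM-0417 WITHDRAWAL 200 card=****1234
A88190 2015-01-12T16:45:01 ATM-0417 WITHDRAWAL 500 card=****9876
A88402 2015-01-13T09:15:38 ATM-0417 WITHDRAWAL 100 card=****4321
"""


@dataclass
class Dispense:
    ts: datetime
    atm: str
    amount: int
    txn: Optional[str]  # None when the ATM recorded no host transaction id


@dataclass
class HostTxn:
    txn: str
    ts: datetime
    atm: str
    amount: int


def parse_dispenses(text: str) -> List[Dispense]:
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, atm, _event, amt, txn = line.split()
        txn_id = txn.split("=", 1)[1]
        out.append(Dispense(datetime.fromisoformat(ts), atm,
                            int(amt.split("=", 1)[1]),
                            None if txn_id == "-" else txn_id))
    return out


def parse_host(text: str) -> List[HostTxn]:
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        txn, ts, atm, _kind, amt, _card = line.split()
        out.append(HostTxn(txn, datetime.fromisoformat(ts), atm, int(amt)))
    return out


def find_uncorrelated_dispenses(dispenses, host_txns,
                                window=timedelta(seconds=30), off_hours=(22, 6)):
    """Return every dispense the host never authorized, with the reasons flagged."""
    by_id = {t.txn: t for t in host_txns}
    alerts = []
    for d in dispenses:
        match = by_id.get(d.txn) if d.txn else None
        if match is None:
            # Fuzzy fallback: same ATM, same amount, host record within the window.
            match = next((t for t in host_txns
                          if t.atm == d.atm and t.amount == d.amount
                          and abs(t.ts - d.ts) <= window), None)
        if match is not None:
            continue
        reasons = ["no matching host authorization"]
        if d.ts.hour >= off_hours[0] or d.ts.hour < off_hours[1]:
            reasons.append("off-hours")
        alerts.append((d.ts.isoformat(), d.atm, d.amount, reasons))
    return alerts


def run(dispense_log=ATM_DISPENSE_LOG, host_log=HOST_AUTH_LOG):
    return find_uncorrelated_dispenses(parse_dispenses(dispense_log),
                                       parse_host(host_log))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the sample data the two 2 AM dispenses of 4000 each are reported with both reasons; the three daytime withdrawals correlate by transaction id and are ignored. The point of keeping the two sources separate is that the ATM log alone looks like maintenance, as the text says; only the join against the host's authorization journal makes the dispenses stand out.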
Mechanism 2: SWIFT Manipulation
The Society for Worldwide Interbank Financial Telecommunication (SWIFT) network is the global messaging system that banks use to communicate international wire transfers. A SWIFT message from an authorized bank terminal, properly authenticated, tells another bank to move money. The receiving bank’s systems treat properly formatted, authenticated SWIFT messages as legitimate instructions.
The Carbanak group identified bank employees with access to SWIFT terminal systems and, using the Carbanak RAT’s screen recording and keylogging capabilities, observed their workflows until the attackers understood exactly how to craft a legitimate-looking SWIFT transfer. They then used these employees’ sessions — either by hijacking active sessions or by using harvested credentials to initiate new ones — to submit fraudulent transfer instructions.
The funds were directed to accounts in multiple countries, frequently immediately transferred through multiple additional accounts and converted to cryptocurrency to obscure the trail.
Mechanism 3: Account Balance Manipulation
In some operations, the Carbanak group demonstrated a more audacious technique: directly manipulating account balances in the bank’s core banking system.
An account holding $1,000 would be temporarily inflated to $10,000. Money mules with accounts at the targeted bank would then withdraw the inflated balance in cash. The transaction records showed a legitimate withdrawal. The manipulation of the underlying balance was covered by rolling back the inflation before end-of-day reconciliation — or occasionally simply left in place, relying on the bank’s reconciliation processes being slow enough that the fraudulent funds could be extracted before the discrepancy was flagged.
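The balance-inflation mechanism relies on the bank comparing balances to balances rather than balances to postings. A reconciliation that recomputes each account's expected movement from the transaction journal and compares it with periodic ledger snapshots catches a balance that changed without a posting, and intraday snapshots narrow the window in which it happened. The code below is an added example written for this page, not code from any bank or from the investigation; the journal and snapshot formats, account ids, and amounts are constructed.

```python
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample data (not from any real core banking system). Two views of
# the same accounts: the posted-transaction journal and periodic balance
# snapshots pulled from the ledger. Account ids and amounts are assumptions.
JOURNAL: List[Tuple[str, str, int]] = [
    # (posted_at, account, signed amount)
    ("2015-02-03T09:00:00", "ACC-100", 250),     # legitimate deposit
    ("2015-02-03T10:00:00", "ACC-200", -40),     # legitimate card payment
    ("2015-02-03T11:30:00", "ACC-100", -9000),   # cash withdrawal by a mule
]

SNAPSHOTS: List[Tuple[str, Dict[str, int]]] = [
    ("2015-02-03T08:00:00", {"ACC-100": 1000, "ACC-200": 500}),
    ("2015-02-03T10:30:00", {"ACC-100": 10250, "ACC-200": 460}),  # written up, no posting
    ("2015-02-03T12:00:00", {"ACC-100": 1250, "ACC-200": 460}),   # owner sees 1250 again
]


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def reconcile(journal, snapshots) -> List[dict]:
    """Compare each snapshot-to-snapshot balance change with the journal entries
    posted in that interval; report every account whose change the journal
    does not explain."""
    snaps = sorted(((_ts(t), bal) for t, bal in snapshots), key=lambda s: s[0])
    entries = [(_ts(t), acct, amt) for t, acct, amt in journal]
    findings = []
    for (t0, bal0), (t1, bal1) in zip(snaps, snaps[1:]):
        for acct in sorted(set(bal0) | set(bal1)):
            posted = sum(amt for t, a, amt in entries if a == acct and t0 < t <= t1)
            observed = bal1.get(acct, 0) - bal0.get(acct, 0)
            if observed != posted:
                findings.append({
                    "account": acct,
                    "interval": (t0.isoformat(), t1.isoformat()),
                    "posted_delta": posted,
                    "observed_delta": observed,
                    "unexplained": observed - posted,
                })
    return findings


def end_of_day_only(journal, snapshots) -> List[dict]:
    """The same check using only the first and last snapshot, for comparison."""
    snaps = sorted(snapshots, key=lambda s: s[0])
    return reconcile(journal, [snaps[0], snaps[-1]])


if __name__ == "__main__":
    for f in reconcile(JOURNAL, SNAPSHOTS):
        print(f)
```

On the sample data the end-of-day comparison also sees an unexplained 9000 on ACC-100, because the mule's withdrawal was posted while the inflation never was; the intraday version additionally pins the write-up to the 08:00 to 10:30 window, which is the forensic lead. The check is only as good as the journal it trusts: an actor with write access to the core ledger may also be able to alter postings, so the journal copy used for reconciliation should come from an append-only feed the ledger administrators cannot rewrite.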
Cobalt Strike Before It Was Cool
One of the more technically significant aspects of the Carbanak operation, in retrospect, was its early and sophisticated use of Cobalt Strike — a legitimate penetration testing framework produced by the American security company Raphael Mudge and later acquired by HelpSystems.
Cobalt Strike was designed for authorized penetration testers to simulate advanced persistent threat actors in their clients’ environments. It provided a sophisticated C2 (command-and-control) infrastructure, beacon-based implants that mimicked the communication patterns of legitimate traffic, and a rich toolkit for post-exploitation operations.
The Carbanak group’s adoption of Cobalt Strike for their operations represented a strategic insight that criminal groups have now widely emulated: legitimate security tools, used by authorized personnel, generate alerts that security teams are trained to recognize as normal. If an attacker’s traffic looks identical to Cobalt Strike traffic — and an authorized penetration test is in progress — security monitoring infrastructure may not distinguish between them.
By using Cobalt Strike, the Carbanak group’s network traffic blended with the traffic generated by the banks’ own authorized security testing activities. Their lateral movement used the same techniques that authorized penetration testers use. Their C2 communications used the same protocols and cadences. Defensive systems looking for signature-based indicators of compromise found nothing to flag.
This technique — what the security industry now calls Living Off the Land (LotL) combined with abuse of legitimate security tools — has become the defining characteristic of sophisticated financial crime groups in the decade since Carbanak.
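If beacon traffic is indistinguishable from an authorized test by signature, the remaining lever is context: which sources are allowed to beacon, to which destinations, during which engagement window. The script below finds periodic outbound connections in an egress log (low variance in inter-connection gaps) and then marks each one as authorized or not against a list of sanctioned engagements. It is an added example written for this page, not a tool from the article, Kaspersky, or any vendor; the log format, the engagement schema, and the sample addresses (documentation ranges) are constructed.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Iterator, List, Tuple

# Constructed sample egress log (not real traffic). Addresses come from the
# documentation ranges; the line format is an assumption for this example.
EGRESS_LOG = """\
2015-01-21T02:00:00 src=10.0.5.23 dst=203.0.113.45 bytes=412
2015-01-21T02:01:02 src=10.0.5.23 dst=203.0.113.45 bytes=398
2015-01-21T02:02:01 src=10.0.5.23 dst=203.0.113.45 bytes=420
2015-01-21T02:03:03 src=10.0.5.23 dst=203.0.113.45 bytes=405
2015-01-21T02:03:59 src=10.0.5.23 dst=203.0.113.45 bytes=411
2015-01-21T02:05:01 src=10.0.5.23 dst=203.0.113.45 bytes=402
2015-01-21T02:06:00 src=10.0.5.23 dst=203.0.113.45 bytes=417
2015-01-21T02:07:02 src=10.0.5.23 dst=203.0.113.45 bytes=399
2015-01-21T09:00:00 src=10.0.5.23 dst=93.184.216.34 bytes=15020
2015-01-21T09:00:04 src=10.0.5.23 dst=93.184.216.34 bytes=8800
2015-01-21T09:07:30 src=10.0.5.23 dst=93.184.216.34 bytes=22310
2015-01-21T09:08:00 src=10.0.5.23 dst=93.184.216.34 bytes=1200
2015-01-21T09:30:00 src=10.0.5.23 dst=93.184.216.34 bytes=30500
2015-01-21T09:31:10 src=10.0.5.23 dst=93.184.216.34 bytes=700
2015-01-21T10:00:00 src=10.0.9.10 dst=198.51.100.7 bytes=300
2015-01-21T10:01:00 src=10.0.9.10 dst=198.51.100.7 bytes=300
2015-01-21T10:02:00 src=10.0.9.10 dst=198.51.100.7 bytes=300
2015-01-21T10:03:00 src=10.0.9.10 dst=198.51.100.7 bytes=300
2015-01-21T10:04:00 src=10.0.9.10 dst=198.51.100.7 bytes=300
2015-01-21T10:05:00 src=10.0.9.10 dst=198.51.100.7 bytes=300
"""

# Engagements the security team has actually sanctioned (assumed schema):
# the tester's source host, its C2 host, and the approved time window.
AUTHORIZED_ENGAGEMENTS = [
    {"src": "10.0.9.10", "dst": "198.51.100.7",
     "start": "2015-01-20T00:00:00", "end": "2015-01-24T23:59:59"},
]


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def parse_log(text: str) -> Iterator[Tuple[datetime, str, str]]:
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _bytes = line.split()
        yield _ts(ts), src.split("=", 1)[1], dst.split("=", 1)[1]


def find_beacons(text: str, min_events: int = 6, max_cv: float = 0.2) -> List[dict]:
    """Group connections by (src, dst); flag pairs whose inter-connection gaps
    have a low coefficient of variation, i.e. a fixed period with small jitter."""
    groups = defaultdict(list)
    for ts, src, dst in parse_log(text):
        groups[(src, dst)].append(ts)
    beacons = []
    for (src, dst), times in sorted(groups.items()):
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        cv = pstdev(gaps) / period if period > 0 else float("inf")
        if cv <= max_cv:
            beacons.append({"src": src, "dst": dst, "count": len(times),
                            "period_s": round(period, 1), "cv": round(cv, 3),
                            "first": times[0], "last": times[-1]})
    return beacons


def is_authorized(beacon: dict, engagements: List[dict]) -> bool:
    """True only if the whole beacon run sits inside a sanctioned engagement."""
    return any(e["src"] == beacon["src"] and e["dst"] == beacon["dst"]
               and _ts(e["start"]) <= beacon["first"]
               and beacon["last"] <= _ts(e["end"])
               for e in engagements)


def triage(text: str, engagements: List[dict]) -> List[dict]:
    return [dict(b, authorized=is_authorized(b, engagements))
            for b in find_beacons(text, )]


if __name__ == "__main__":
    for b in triage(EGRESS_LOG, AUTHORIZED_ENGAGEMENTS):
        print(b["src"], "->", b["dst"], f"period={b['period_s']}s cv={b['cv']}",
              "AUTHORIZED" if b["authorized"] else "UNAUTHORIZED")
```

Both the 2 AM traffic from 10.0.5.23 and the tester's traffic from 10.0.9.10 are flagged as beacons (the ordinary web browsing has far too much gap variance); only the second is covered by an engagement record, so the first is what the analyst reviews. Thresholds such as `min_events` and `max_cv` are tuning knobs, and a jittered beacon with a long sleep needs a longer observation window before it accumulates enough events to score.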
Discovery: The 100-Million-Dollar Tip
The Carbanak operation was discovered not through any bank’s internal security monitoring, but through an investigation that began when a bank in Ukraine contacted Kaspersky Lab in late 2013, reporting suspicious behavior on its internal network.
The Kaspersky team deployed their detection and analysis tools into the bank’s environment and found the Carbanak implant — a piece of malware they had not previously encountered. They began analyzing it and, through its C2 infrastructure, discovered that the same attacker was operating against dozens of additional institutions. The scope of what they were looking at became clearer over the next year of investigation.
Kaspersky coordinated with Interpol, Europol, and the US FBI. In February 2015, they published their initial report: “Carbanak — APT-style attack targeting financial organizations.” The report named a $1 billion+ theft from over 100 institutions. It was, at the time, the most comprehensive public documentation of financially motivated APT-level operations ever published.
The banking world absorbed the information with a mixture of alarm and relief — alarm because the techniques described had been used against them, and relief because disclosure meant they could now look for indicators of compromise in their own systems.
Many found them.
The Arrests
The Carbanak group operated for years after the Kaspersky disclosure, refining their techniques and expanding operations under the FIN7 designation into US point-of-sale systems.
In March 2018, Europol announced the arrest of the primary Carbanak group organizer — identified publicly only as “Denis K.” — in Alicante, Spain. Denis K., a Ukrainian national, was described by investigators as the principal architect of the Carbanak campaign. His home contained evidence of over $15 million in assets, including real estate, luxury vehicles, and a private zoo.
Subsequent US DOJ prosecutions of FIN7-connected individuals — including Dmytro Fedorov, Fedir Hladyr, and Andrii Kolpakov — provided additional technical detail about the group’s operations. Hladyr, the group’s systems administrator, pleaded guilty in 2021 and was sentenced to ten years in federal prison.
The arrests disrupted but did not eliminate the Carbanak/FIN7 ecosystem. Criminal enterprises of this sophistication — with distributed operations, rotating infrastructure, and compartmentalized knowledge — rarely collapse with the arrest of a single individual or even a core team. The techniques pioneered by Carbanak — spear phishing, long-term persistence, ATM jackpotting, abuse of legitimate security tools — became the standard playbook for subsequent financial cybercrime groups around the world.
The billion-dollar heist did not end. It was franchised.
Attack Chain: Carbanak — The Banking Heist (2013–2015)
graph TD
A["👥 FIN7 / Carbanak Group\nEastern Europe\nUkraine / Russia / Moldova"] --> B["Target Selection\n100+ Banks in 30 Countries\nFocus: Eastern Europe → Global\nAccess via Employee Endpoints"]
B --> C["Spear Phishing Campaign\nEmail to Bank Finance / Accounting / IT Staff\nMalicious Word Document Attachment\nCVE-2014-1761 (RTF) or CVE-2012-0158 (MSXML)"]
C --> D["Employee Opens Document\nSilent Shellcode Execution\nWord May Crash or Display Decoy Content\nNo Visible Indication of Compromise"]
D --> E["Carbanak RAT Deployed\nMemory Resident + Persistent Service\nConnect to C2 Infrastructure\n(Often Cobalt Strike Beacons)"]
E --> F["C2 Established\nBeacon Traffic Mimics Legitimate Tools\nBlends with Authorized Pentest Traffic\nEvades Signature-Based Detection"]
F --> G["Long-Term Observation Phase\n3–4 Months Average Before Cash-Out"]
G --> G1["Keylogging\nAll Credentials Captured\nSystems Access Mapped\nApproval Workflows Documented"]
G --> G2["Screen/Video Recording\nEmployee Transaction Workflows\nATM Management Interface Operations\nSWIFT Terminal Usage Recorded"]
G --> G3["Microphone Access\nPhone Calls Monitored\nIn-Person Conversations Captured"]
G1 --> H["Lateral Movement\nCredential Harvesting → Lateral Hop\nPrivilege Escalation\nReach: ATM Mgmt + SWIFT + Core Banking"]
G2 --> H
G3 --> H
H --> I{"Cash-Out Mechanism\nSelection Based on Bank Architecture"}
I --> J["ATM Jackpotting\nAdmin Access to ATM Mgmt Software\nProgram ATMs to Dispense Cash\nScheduled for 2–4 AM"]
I --> K["SWIFT Manipulation\nHijack Authorized Session\nCraft Fraudulent Transfer Message\nFunds to Mule Accounts Abroad"]
I --> L["Account Balance Inflation\nDirect Core Banking DB Access\n$1,000 → $10,000 in Mule Account\nWithdraw Before Reconciliation"]
J --> M["Money Mule Network\nPositioned at Target ATM\nCollect Dispensed Bills\nMulti-Country Distribution Chain"]
K --> N["Wire Transfer Chain\nMultiple Correspondent Banks\nFinal Destination: Crypto Exchange\nFunds Laundered via BTC/Other"]
L --> M
M --> O["$1B+ Total Exfiltrated\n100+ Banks / 30+ Countries\n2013–2015 Primary Campaign\nLargest Bank Robbery in History"]
N --> O
O --> P["Discovery: 2013\nUkrainian Bank Contacts Kaspersky\nPreviously Unknown Malware Found\nC2 Infrastructure Reveals 100+ Victims"]
P --> Q["February 2015\nKaspersky Publishes Carbanak Report\nInterpol / Europol / FBI Coordinated\nGlobal Banking Sector Alert"]
Q --> R["FIN7 Evolution 2016–2018\nExpansion to US POS Systems\nChipotle / Arby's / Jason's Deli\n15M+ Payment Cards Stolen"]
R --> S["March 2018: Europol\nDenis K. Arrested — Alicante, Spain\nPrincipal Carbanak Organizer\n$15M in Assets Seized"]
S --> T["🔴 US DOJ Prosecutions\nFedir Hladyr — 10 Years Federal Prison\nDmytro Fedorov, Andrii Kolpakov\nAdditional Arrests Ongoing"]