Connect with us

Hi, what are you looking for?



“MoneyTaker” Hackers Stole $1 Million From Russian Bank

A cybercriminal group referred to as

A cybercriminal group referred to as MoneyTaker recently managed to steal nearly $1 million from PIR Bank (Russia), according to cybercrime research firm Group-IB.

The theft was performed on July 3 through the Russian Central Bank’s Automated Workstation Client, an interbank system similar to SWIFT. The hackers managed to transfer the funds to 17 accounts at major Russian banks and then cashed them out.

After the incident, the cybercriminals also attempted to maintain persistence in the bank’s network, but were detected. While PIR staff was able to delay the withdrawal of some of the funds, it appears that most of what was stolen has been lost, namely around $920,000 (which is a conservative estimate, according to Group-IB).

Group-IB, which analyzed the incident, says that all evidence points to the MoneyTaker group orchestrating the theft. The investigators discovered tools and techniques previously associated with the group, along with the IP addresses of their command and control (C&C) servers.

The security firm previously reported that MoneyTaker had launched over 20 successful attacks against financial institutions and legal firms in the US, UK and Russia over the past two years. The group has been mainly focused on card processing systems, such as the AWS CBR (Russian Interbank System) and SWIFT (US).

 The security researchers established that the attack on PIR Bank started in late May 2018 and that a compromised router of one of the bank’s regional branches was used as entry point.

“The router had tunnels that allowed the attackers to gain direct access to the bank’s local network. This technique is a characteristic of MoneyTaker. This scheme has already been used by this group at least three times while attacking banks with regional branch networks,” the researchers say.

Advertisement. Scroll to continue reading.

The hackers breached the bank’s main network and accessed the AWS CBR, then generated payment orders and sent money to mule accounts prepared in advance. Funds were transferred to accounts at 17 of the largest banks and were immediately cashed out by money mules via ATMs.

The bank employees discovered the unauthorized transactions with large sums on the evening of July 4 and asked the regulator to block the AWS CBR digital signature keys, but weren’t able to stop the financial transfers in time. Thus, the hackers managed to cash out most of the stolen money.

The attackers also cleared OS logs on compromised computers, to hinder analysis. They also left reverse shells onto the bank’s computers to conduct new attacks, but these were discovered during investigation and removed.

Attacks on AWS CBR are not easy to implement, Valeriy Baulin, Head of Digital Forensics Lab Group-IB, says. Thus, such attacks are “not conducted very often, because many hackers just cannot ‘work on computers with AWS CBR’ successfully.”

“This is not the first successful attack on a Russian bank with money withdrawal since early 2018. We know of at least three similar incidents. A 2016 incident, when МoneyTaker hackers withdrew about $2 million using their own self-titled program, remains one of the largest attacks of this kind,” Baulin said.

Related: Dark Web Chatter Helpful in Predicting Real World Hacks, Firm Says

Related: North Korea-Linked Hacker Group Poses Serious Threat to Banks: Kaspersky

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...