Connect with us

Hi, what are you looking for?



‘MoneyTaker’ Hackers Stole Millions from Banks: Report

A group of Russian-speaking cybercriminals has launched over 20 successful attacks against financial institutions and legal firms in the US, UK and Russia over the past two years, according to cybecrime research firm Group-IB. 

A group of Russian-speaking cybercriminals has launched over 20 successful attacks against financial institutions and legal firms in the US, UK and Russia over the past two years, according to cybecrime research firm Group-IB. 

Called “MoneyTaker” by Group-IB, the group has been focused on card processing systems, such as the AWS CBR (Russian Interbank System) and SWIFT (US). The fraudsters might soon switch interest to financial institutions in Latin America, given the wide usage of STAR in the region, Group-IB researchers believe.

The group has performed successful attacks on banks in different countries, as well as law firms and financial software vendors. In total 20 companies were hit, including 16 in the US, 3 banks in Russia, and one IT-company in the UK.

The attacks caused losses of roughly $500,000 per attack on average, according to Group-IB’s analysis.

The hackers managed to fly under the radar for so long by constantly changing tools and tactics and carefully eliminating traces after completing their operations.

“MoneyTaker uses publicly available tools, which makes the attribution and investigation process a non-trivial exercise. In addition, incidents occur in different regions worldwide and at least one of the US banks targeted had documents successfully exfiltrated from their networks, twice. Group-IB specialists expect new thefts in the near future,” Dmitry Volkov, Group-IB Co-Founder and Head of Intelligence, says.

The first US attack attributed to the group was conducted in the spring of 2016. The hackers stole money by gaining access to First Data’s “STAR” network operator portal. Since then, MoneyTaker hit organizations in California, Utah, Oklahoma, Colorado, Illinois, Missouri, South Carolina, North Carolina, Virginia and Florida.

Advertisement. Scroll to continue reading.

A total of 10 attacks were attributed to the group in 2016: 6 attacks on banks in the US, 1 attack on a US service provider, 1 attack on a company in the UK, and 2 attacks on Russian banks. In 2017, the group hit 8 US banks and 1 law firm and 1 bank in Russia.

Group-IB has discovered that the group is using specific withdrawal schemes, where a single account is employed for each transaction. After the theft, the hackers continue to monitor impacted banks, the security researchers say.

By continuously exfiltrating internal banking documentation (admin guides, internal regulations and instructions, change request forms, transaction logs, etc.), the group stays updated on bank operations and can prepare future attacks.

Tools associated with MoneyTaker include the infamous Citadel and Kronos banking Trojans, and the ScanPOS Point-of-Sale (POS) malware. The hackers also used privilege escalation utilities compiled based on codes presented at the Russian cybersecurity conference ZeroNights 2016.

The group uses both borrowed and self-written tools. They developed an app with screenshot and keylogger capabilities for spying purposes. Compiled in Delphi, the app can also steal clipboard contents and can disable itself. The app includes 5 timers and an anti-emulation function in the timer code.

An attack on a Russian bank employed MoneyTaker v5.0, a modular tool capable of searching for payment orders, modifying them, replacing original payment details with fraudulent ones, and erasing traces. After the transaction, a concealment module also replaces the fraudulent payment details with the original ones in a debit advice. Thus, the payment order is accepted with the fraudulent details, but the response comes with the initial details instead.

MoneyTaker uses a distributed infrastructure that features a persistence server designed to deliver payloads only to victims with IP addresses in MoneyTaker’s whitelist.

The hackers use a pentest framework server with Metasploit installed on it. The hackers compromise a computer at the targeted organization, then leverage the pentesting framework for network reconnaissance, finding vulnerable applications, exploiting flaws, escalating systems privileges, and information collection.

Courtesy of fileless malware, MoneyTaker can easily hide tracks. When persistence is needed, the group uses PowerShell and VBS scripts, which are difficult to detect and easy to modify. The researchers also observed the group making changes to source code ‘on the fly’ during the attack.

To protect communication with the command and control (C&C) server, the group uses SSL certificates generated using names of well-known brands: Bank of America, Federal Reserve Bank, Microsoft, Yahoo, etc. They also used the LogMeIn Hamachi solution for remote access.

In May 2016, MoneyTaker performed the first attack targeting card processing. Through the compromised network of a bank, the hackers gained access to First Data’s STAR network portal operators, which allowed them to make the necessary modifications and start withdrawing money.

After connecting to the card processing system, the group legally opened or bought cards of the hacked bank. Money mules with previously activated cards waited abroad for the operation to begin. The hackers then removed or increased cash withdrawal limits for the cards and removed overdraft limits, thus allowing the money mules to withdraw an excessive amount of cash from ATMs. 

Group-IB says they provided the uncovered information on MoneyTaker to Europol and Interpol for further investigative activities.

Related: Financial Attackers as Sophisticated as Nation-State Groups: FireEye

Related: Fileless Attacks Ten Times More Likely to Succeed: Report

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...