
Russian Authorities Claim Capture of Mastermind Behind Carberp Banking Trojan

Russian authorities claim to have the mastermind behind the Carberp banking Trojan and other members of the criminal gang in custody.

The cybercrime ring, led by a 28-year-old Russian national, allegedly has been in operation since 2009 and has stolen approximately $250 million from Ukrainian and Russian banks, according to a report in Kommersant Ukraine, a national publication. The arrests Wednesday were the result of a joint operation by the Security Service of Ukraine and the Russian Federal Security Service. Several individuals have already been released on bail, while others remain under house arrest.

While the article doesn't explicitly name Carberp as the banking Trojan developed by the ring, Aleks Gostev, a security researcher from Kaspersky Lab, voiced his confidence on Twitter that the group was behind the banking Trojan. "Carberp developers and mastermind were finally arrested in Ukraine," Gostev posted to Twitter Wednesday.

"I know, coz fighting cybercrime is my job," Gostev added.

The mastermind allegedly led a group of about 20 individuals ranging between 25 and 30 years of age, according to the Kommersant report. The members were living and working in Kiev, Zaporozhye, Lvov, Odessa, and Kherson prior to their arrest. Each member of the gang reportedly was responsible for only one part of the malware's development. Each developer worked remotely and sent their work to a server in Odessa, and the gang leader assembled the pieces to create Carberp, Kommersant reported.

"Generally, they do not know each other, everyone is responsible for their part of the software development unit," a source told Kommersant (Google Translate). Under Ukrainian law, the maximum prison sentence they will get is five years, Gostev noted on Twitter.

"Under the new Criminal Procedure Code, the economic crimes are not serious," the SBU told Kommersant.

"The main objective of the operation carried out by the Security Service and the Federal Security Service was to slow down the malware's development," Andrey Komarov, head of international projects at Moscow-based Group-IB, told SecurityWeek. "Whether the arrests included the ringleader of the group has not yet been disclosed, nor is it known the exact roles the detained individuals played in the crime ring," Komarov added.

The members who have Russian citizenship may be extradited and tried in Russia, Gostev said.

About a year ago, authorities arrested and broke up a gang that used Carberp to steal $2 million from over 90 individual bank accounts. That particular gang just used the malware and was not responsible for developing the Trojan, which anyone willing to pay the price can now buy outright or rent for a period of time.

Similar to other active banking Trojans, Carberp could intercept information which could be used to break into online banking accounts and transfer funds. Its mobile component allows criminals to steal mobile transaction authentication numbers (mTANs) sent by banks to authorize specific transactions. Carberp was constantly modified and updated to ensure it would evade antivirus detection.

The Ukrainian SBU seized computer equipment as part of the arrests and will be examining the digital files for evidence, according to the report.

Cyber-crime in Ukraine is growing, with 139 cases of account fraud totaling over $116 million, according to the country's Interior Ministry. Authorities reclaimed 80 percent of the stolen funds within two hours, Kommersant reported.

Related: Eight Arrested in Moscow For Allegedly Stealing Millions Using Carberp Trojan

Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.