The Greatest Cyber Bank Theft Of All Time Is Still In Progress

In the good old days, if you wanted to rob a bank, you grabbed a mask and gun, then held up a bank. Today’s thieves are a little more surgical. Rather than steal all the bank’s cash, robbing everyone with an account all at one time, cyber thieves extract small amounts from many large accounts. They do it all without putting one toe inside of a bank.

The Carbanak gang, as they call themselves, hacked banks for about two years from 2013 to 2015 before a Russian security company detected their activities. By that time, the Carbanak gang had siphoned almost $1-billion over two years.

The worst part about this heist? It isn’t just a part of history. It may still be taking place… The last estimate was that they may hit 1.9-billion before it’s all said and done.

Carbanak Gang


(Actual Carabank theft in progress | source:

This is no Reno Gang. The members of this gang hail from all over the world, Russia, China, Ukraine, and other parts of Europe. They are more of a collection of hackers than traditional bank bandits.

To date, authorities have not arrested one cybercriminal connected with the Carbanak gang. That means there is a good chance they are still operational.

Kaspersky Labs



The security team who sniffed out the heist was Kaspersky Labs, Russia’s top developer for antivirus software. People have installed their antivirus software on machines around the world. You may even have Kaspersky’s software on your home computer.

They offer comparable products to other big-name antivirus software companies like Norton or Avast. Kaspersky stays relevant by staying ahead of global computer security issues. They track where and how thieves compromise security systems, then try to predict where they will strike next.

Kaspersky even makes predictions about the coming year. Kaspersky’s involvement in this heist came about when a Ukrainian bank requested assistance with a forensic investigation.

At first, they thought it was just another small-time malware attack. They were very wrong.

The Attacked



They believe the gang has targeted as many as 100 financial institutions over as many 30 countries. Attacks include companies include JPMorgan Chase & Co and Home Depot Inc.

In some cases, they stole data instead of money, data which may be more valuable than cash.

For individuals with a bank account in these places, there doesn’t seem to be any threat. The banks have insurance. They restore accounts, often without the individual ever knowing something happened.

The Attack(s)



The Carbanak Gang was able to siphon funds by installing malware on the drives of employees. This malware, known as Zeus and Spy Eye, Carbanak installed directly on the servers of these financial institutions.

These installations allowed Carbanak to watch the behavior of a bank employee so they could mimic that behavior at a later time, undetected by anyone watching. It just looked like normal bank behavior.

In one type of attack, the malware would target large bank accounts, then extracts small amounts of money, transferring the amounts to mule accounts.

In another, Carbanak would fraudulently inflate the balance of an account, then siphon off the additional funds. The balance returned to normal, evading detection by the account owner.

In yet another example, they would access the bank’s ATM, programming it to dispense large sums of money at a given time. One of the criminals would already be waiting to take the cash.



So far, Kaspersky can only see the damage after it happens, in the log files. It is possible to scan the drives of an institution to detect the presence of Carbanak. Kaspersky offers tips on how to do this on their site.

There shouldn’t be any reason you need to contact your financial institution about your accounts unless you see something out of the ordinary. In all likelihood, they are already ahead of this bit of history in the making.