Threat Intelligence Tarot
pentacles · 7
Criminal (Eastern European - Ukraine/Russia)
G0008
risk 5/5
The Banker
Carbanak
Anunak · FIN7 (overlapping) · Cobalt Group
Banks · Financial institutions · ATM networks · SWIFT infrastructure
Active since ~2013 · Direct bank account theft, ATM jackpotting, SWIFT transfer fraud
The Banker did not rob a bank. It became a bank employee - spending months watching bank teller operations, learning transaction software, studying internal banking processes - then impersonated employees to transfer funds. One billion dollars. One hundred banks. No gun.
Tactics & Techniques
  • T1566.001 · Spearphishing Attachment · Initial Access
  • T1059.003 · Windows Command Shell · Execution
  • T1113 · Screen Capture · Collection
  • T1021.001 · Remote Desktop Protocol · Lateral Movement
  • T1657 · Financial Theft · Impact
  • T1134 · Access Token Manipulation · Privilege Escalation
Notable Operations
  • First billion-dollar cybercrime operation - $1B stolen from 100+ banks
  • ATM jackpotting - machines dispensing cash on command
  • SWIFT fraud at Bangladesh Bank - $81M stolen (linked operations)
  • 300+ financial institutions in 40+ countries targeted
Defenses
  • SWIFT Customer Security Programme controls implementation
    SWIFT CSP
  • ATM network monitoring and jackpotting countermeasures
    FSB guidance
  • Banking employee security awareness for spearphishing
    NIST SP 800-50
  • Anomaly detection on internal banking transaction systems
    NIST CSF: DE.AE
Reversed: Their Weakness
Carbanak's lead developer Denis Katana was arrested in Spain in 2018 after an unprecedented Europol operation involving law enforcement from 15+ countries - demonstrating that even the most sophisticated billion-dollar cybercrime operations can be dismantled through patient international cooperation.

Data sourced from MITRE ATT&CK. For educational purposes.