Page 31 - Bloomberg Businessweek July 2018
THE HEIST ISSUE
say. As for Katana, Sanchez says he handled the most critical and complex task: He allegedly conducted the reconnaissance of banking systems and then shuffled money around the network like an air traffic controller. In his hands, it was art as much as science, the police say. “This guy is in another league, he’s like Rafa Nadal playing tennis,” Yuste says. “There are few people in the world capable of doing what he did.”

Just as the police started to make strides, the Carbanak crew opened another front, says Kaspersky’s Emm. In the first half of 2016, the thieves sent spear-phishing emails that looked like messages from legitimate financial institutions. When bank employees opened the emails’ attachments, they downloaded malware based on a program called Cobalt Strike, which is designed to let security officers hack their own institutions to find vulnerabilities, like in a war game. The Carbanak-Cobalt gang was able to extract $12 million per heist, says Europol. The thieves’ nimbleness was sobering. “Sometimes the investigation looked good,” Ruiz says, “and sometimes it looked like we’d reached a dead end.”

The Carbanak crew did have one weakness that wasn’t easy to finesse: humans. On July 16, 2016, six days after the suspected Russian mules Berezovsky and Berkman allegedly hit ATMs in the wake of Typhoon Nepartak, two other men linked to the thefts landed in Taipei. After clearing customs at Taiwan Taoyuan International Airport, Mihail Colibaba and Nicolae Pencov took a taxi to the central railway station. There they entered the baggage storage facility and, after receiving access codes by text, took suitcases from three separate lockers, according to police. The bags held NT$60 million in bundles of crisp blue NT$1,000 notes. The men then checked into the Grand Victoria Hotel across from the city’s mammoth Ferris wheel and holed up in their rooms for the next 24 hours. At about 8 p.m. the next day, they enjoyed a leisurely dinner at the hotel’s restaurant. Their job was nearly done.

As the pair left the dining room, police confronted them and took them into custody. They’d been under surveillance since they left the railway station the day before.

They have the sloppy tradecraft of their alleged accomplices, Berezovsky and Berkman, to thank for their capture. After the police got hold of the bank card one of the men had dropped the prior Sunday, Hsin-Yi Tseng, a 28-year-old detective in Taipei’s Criminal Investigation Bureau, coordinated a citywide sweep to map out the scope of the ATM heists. She had scores of officers scan security camera footage, and her colleagues managed to track down another mule, whom they followed to the railway station. They watched him stash the three cash-stuffed suitcases in lockers and waited to see who came to collect them. It was Colibaba and Pencov, who are now serving four and a half years in prison. Colibaba’s iPhone contained photos of stacks of cash in different currencies about the size of the piles in the suitcases, and, Tseng says, email exchanges with a man who appeared to be in charge of the operation. They traced the man to Alicante.

Yuste and Sanchez say Katana didn’t ease up on the bank raids. In early 2017, mules extracted $4 million from ATMs in Madrid after Katana allegedly took control of accounts inside Russian and Kazakh lenders. That was a mistake, because it enabled Yuste to get judicial approval to wiretap Katana’s phones. The funny thing is Katana didn’t need the money, Sanchez says. Katana was laundering his money through a Bitcoin warehouse he’d bought in China, had already converted most of his cash into Bitcoin, and was constructing a mansion in Alicante. “It was a kind of game for him,” Sanchez says. “To attack a bank wasn’t about ‘Let’s steal a million dollars.’ It was, ‘Let’s crack the security the bank is putting in our way.’ ”

Earlier this year the detectives learned Katana and his partners were preparing to up their game with the release of a more potent version of Carbanak. On the morning of March 6, a police officer knocked on the door of his apartment. Katana answered with a resigned look. He didn’t resist as more than a dozen armed cops entered and bagged his laptop and other evidence. In addition to jewelry and two BMWs in his name, they found 15,000 Bitcoins, then valued at about $162 million. Law enforcement officials worldwide were jubilant.

Yet experts point out that even if Katana was the mastermind, he was just one guy in a crime that surely must have had many authors. Unlike the bank jobs of yore, digital heists are amoeba-like ventures that divide over and over again as the malware proliferates. “We’ve already seen the modification of Carbanak and multiple groups using it,” says Kimberly Goody, an analyst at security software maker FireEye Inc. “Same case with Cobalt.”

In recent weeks, employees at banks in the Russian-speaking world have been receiving emails that appear to be from Kaspersky, the security company that unearthed Carbanak. The messages warn recipients that their PCs have been flagged for possibly violating the law and they should download a complaint letter or face penalties. When they click on the attachment, a version of the Cobalt malware infects their networks. It turns out cyberheists may not die even when their suspected perpetrators are nabbed.