Saturday, April 1

Five cybercriminals arrested for stealing 6 million euros from a cryptocurrency custody company

The Civil Guard has dismantled a group of cybercriminals who, in the summer of 2020, attacked a Spanish company dedicated to the custody of cryptocurrencies, carrying out the theft of six million euros in cryptocurrencies belonging to thousands of investors. The operation has concluded with five detainees and is the first case of these characteristics resolved in Spain.

The facts were brought to the attention of the Department against Cybercrime of the Central Operational Unit (UCO) of the Civil Guard, which, in view of the high number of people affected and the value of what was stolen, opened this investigation with absolute priority.

The data initially collected, the use of sophisticated RAT-type (Remote Access Trojan) malware, the lateral movement across the company's computers, and the length of time the perpetrators remained inside the network all suggested that behind this attack could be actors of the APT type (Advanced Persistent Threat), linked to sophisticated groups of cybercriminals.

Downloading a pirate file

The investigators were able to conclude that the attack originated in the illegal download of a film from a "pirate" multimedia content portal by an employee of the company. The files that made up that film contained highly sophisticated malware that allowed the attackers to gain complete control of the employee's computer and use it as a foothold to gain access to the company.

This download took place more than half a year before the theft, allowing the attackers to learn in detail all the internal processes of the company and prepare the computer attack.

The stolen cryptocurrencies were transferred to wallets under the control of the attackers, where they were left untouched for more than six months in an attempt not to attract police attention. After that time, once they felt safe, the attackers began to move the cryptocurrencies through a complex network of electronic wallets used for money laundering.

The agents were also able to identify the alleged operator of the illegal download website from which the malware that led to the attack was distributed. Other lines of investigation allowed the identification of four more people who allegedly received part of the stolen cryptocurrencies, none of them with any apparent relationship to one another.

Searches in various cities

For all these reasons, in November 2021, UCO Cybercrime agents carried out four house searches in the provinces of Tenerife, Bilbao and Barcelona, proceeding to the arrest and investigation of four people, from whom computer equipment of great interest to the investigation was seized, as well as cryptocurrencies worth 900,000 euros related to the theft.

Once all the material seized in these searches was analyzed, the agents were able to verify traces of the alleged authorship of the attack by one of the detainees, locating the Trojan-type malware used and the traceability of the cyberattack, as well as the initial movements of the stolen cryptocurrencies and the payment made from them to the owner of the download website from which the virus was distributed.

With the alleged authorship of the cyberattack confirmed, the investigation focused on identifying the possible recipients of the stolen cryptocurrencies and their link to the first detainee, leading the investigators to another individual who received at least 500,000 euros in stolen cryptocurrency.

This same week, in the latest phase of the operation to date, another person was placed under investigation, who exercised control over the alleged perpetrator through the use of drugs linked to rituals such as the 'Sapo Bufo'.