A joint investigation team (JIT) consisting of investigators and judicial authorities from six different European countries, supported by Europol and Eurojust, has taken down a major cybercriminal group during a coordinated action in Ukraine. With on-the-spot support from Europol, Austrian and Belgian law enforcement and judicial authorities, the action in Ukraine on 18 and 19 June resulted in the arrest of five suspects, eight house searches in four different cities, and the seizure of computer equipment and other devices for further forensic examination.
The aim of this JIT was to target high-level cybercriminals and their accomplices who are suspected of developing, exploiting and distributing Zeus and SpyEye malware – two well-known banking Trojans – as well as channelling and cashing-out the proceeds of their crimes. The cybercriminals used malware to attack online banking systems in Europe and beyond, adapting their sophisticated banking Trojans over time to defeat the security measures implemented by the banks. Each cybercriminal had their speciality and the group was involved in creating malware, infecting machines, harvesting bank credentials and laundering the money through so-called money mule networks.
On the digital underground forums, they actively traded stolen credentials, compromised bank account information and malware, while selling their hacking ‘services’ and looking for new cooperation partners in other cybercriminal activities. This was a very active criminal group that worked in countries across all continents, infecting tens of thousands of users’ computers with banking Trojans, and subsequently targeted many major banks. The damage produced by the group is estimated to be at least EUR 2 million.
The recent action was part of the wider investigation that was launched in 2013 by the JIT members (Austria, Belgium, Finland, the Netherlands, Norway and the United Kingdom), and facilitated by Europol and Eurojust. Last week’s results bring the total number of arrests in this operation to 60, 34 of whom were captured as part of a ‘money mule’ operation run by Dutch law enforcement authorities.
Europol has provided crucial support to the investigation since 2013, including handling and analysis of terabytes of data, and thousands of files in the Europol Malware Analysis System; handling of thousands of sensitive operational messages; production of intelligence analysis reports; forensic examination of devices; and organisation of operational meetings and bi-monthly international conference calls. The enormous amount of data that was collected and processed during the investigation will now be used to trace the cybercriminals still at large. Both Eurojust and Europol provided funding for the joint investigation team.
Several action days took place during the course of the long-running investigation, which resulted in significant operational successes in Belgium, Estonia, Finland, Latvia, the Netherlands and Ukraine. Such results were possible thanks to intense cooperation between the JIT and law enforcement and judicial partners in Estonia, Latvia, Germany, Moldova, Poland, Ukraine and the US.