Carbanak / FIN7: $1 Billion Stolen from Banks via Spear-Phishing and Custom Malware

The Carbanak/FIN7 criminal group stole over $1 billion from financial institutions across 30 countries by spending months inside bank networks studying internal processes, then mimicking them to silently instruct ATMs to dispense cash.

Global Banks / FIN7 · 2015 · 2 min read

Background

Carbanak (later attributed to the FIN7 criminal group) was first identified by Kaspersky Lab in 2015 after investigating suspicious ATM dispensing events. The operation demonstrated that patience, reconnaissance, and living off the land could extract more money from banks than any traditional exploit.

The Attack

FIN7 sent spear-phishing emails to bank employees with Word documents containing exploits. Once inside a bank network, they deployed a custom backdoor (Carbanak) and spent 2–4 months silently observing. They captured screenshots and video of operators' daily workflows, studied the processes for authorising ATM cash replenishments and SWIFT transfers, then impersonated those processes. They would instruct ATMs to dispense cash at specific times, with money mules waiting at the machines. In other attacks they inflated account balances and transferred the inflated funds before detection. They also sent fraudulent SWIFT messages directly.

Response

Interpol, Europol, and the FBI coordinated a multi-year investigation. Three FIN7 members were arrested in 2018 in Ukraine, and further FIN7 members were arrested in subsequent years. Kaspersky published a landmark report in 2015. Banks tightened monitoring of ATM software and SWIFT transaction anomalies.

Outcome

Over $1 billion was stolen from over 100 banks across 30 countries. The operation was active for at least four years. FIN7 continues to operate in various forms. The case demonstrated that the most effective bank robberies do not involve cracking safes — they involve quietly learning how a bank operates and then becoming an invisible employee.

Key Takeaways

  1. Banks must monitor for anomalous internal behaviour, not just perimeter intrusions — insiders and malware mimic normal activity
  2. Long dwell times (2–4 months of reconnaissance) mean that detection must happen during the surveillance phase, not after
  3. ATM software integrity monitoring and anomalous dispensing alerts are essential controls
  4. SWIFT transaction anomaly detection must be treated as a critical security control, not just an audit function
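The two fraud patterns described under "The Attack" (cash dispensed without a customer transaction, and balances inflated and then transferred out) map directly onto takeaways 3 and 4. The following Python is an added illustration, not code from the page or from any bank or vendor, of what anomalous-dispensing and ledger-anomaly detection can look like over event logs. The log formats, field names, thresholds and all sample records are constructed assumptions; the idea it shows is that each ATM dispense should be traceable to a card/PIN session and each balance credit to a deposit or inbound transfer reference.

```python
"""Detect Carbanak-style ATM dispensing and ledger anomalies in constructed sample logs.

Added example; field layouts, thresholds and records are assumptions, not a real bank's schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed ATM dispense events: (timestamp, atm_id, amount, card_auth_id).
# card_auth_id is None when cash left the machine with no customer card/PIN session.
ATM_DISPENSE_LOG = [
    ("2015-03-02T10:15:00", "ATM-017", 200, "AUTH-8812"),
    ("2015-03-02T10:42:00", "ATM-017", 100, "AUTH-8819"),
    ("2015-03-02T23:05:00", "ATM-017", 500, None),  # remote dispense, nobody at the keypad
    ("2015-03-02T23:06:00", "ATM-017", 500, None),
    ("2015-03-02T23:07:00", "ATM-017", 500, None),
    ("2015-03-03T09:10:00", "ATM-031", 60, "AUTH-8901"),
]

# Constructed ledger entries: (timestamp, account, delta, operator, reference).
# reference links the entry to an external event (deposit slip, POS, SWIFT message);
# None means the balance changed with nothing backing it.
LEDGER_LOG = [
    ("2015-03-02T11:00:00", "ACC-1001", 1500, "teller-04", "DEP-44120"),
    ("2015-03-02T13:30:00", "ACC-2020", 250000, "ops-admin-02", None),  # inflated balance
    ("2015-03-02T13:31:00", "ACC-2020", -250000, "ops-admin-02", "SWIFT-MT103-0071"),
    ("2015-03-03T09:20:00", "ACC-3003", -300, "teller-07", "POS-91234"),
]


def _ts(s):
    return datetime.fromisoformat(s)


def unauthorised_dispenses(events):
    """Dispense events with no card/PIN session: cash leaving the machine
    without a customer transaction to justify it (takeaway 3)."""
    return [e for e in events if e[3] is None]


def dispense_bursts(events, window=timedelta(minutes=5), threshold=3):
    """Flag an ATM that dispenses `threshold` or more times inside `window`.
    Returns (atm_id, timestamp of the event that completed the burst, count)."""
    by_atm = defaultdict(list)
    for e in events:
        by_atm[e[1]].append(e)
    alerts = []
    for atm, evs in by_atm.items():
        evs.sort(key=lambda e: _ts(e[0]))
        for i, e in enumerate(evs):
            t = _ts(e[0])
            recent = [x for x in evs[: i + 1] if t - _ts(x[0]) <= window]
            if len(recent) >= threshold:
                alerts.append((atm, e[0], len(recent)))
    return alerts


def unbacked_credits(ledger):
    """Balance increases with no deposit or inbound-transfer reference:
    the 'inflated balance' step of the attack."""
    return [r for r in ledger if r[2] > 0 and r[4] is None]


def inflate_then_transfer(ledger, window=timedelta(hours=1)):
    """An unbacked credit followed within `window` by an outbound SWIFT debit on
    the same account (takeaway 4). Assumes SWIFT references start with 'SWIFT'."""
    alerts = []
    for c in unbacked_credits(ledger):
        for d in ledger:
            gap = _ts(d[0]) - _ts(c[0])
            if (d[1] == c[1] and d[2] < 0 and d[4] is not None
                    and d[4].startswith("SWIFT") and timedelta(0) <= gap <= window):
                alerts.append((c[1], c[0], d[0], d[4]))
    return alerts


def run_all(dispenses=ATM_DISPENSE_LOG, ledger=LEDGER_LOG):
    """Run every detector and return the findings keyed by rule name."""
    return {
        "dispense_without_session": unauthorised_dispenses(dispenses),
        "dispense_burst": dispense_bursts(dispenses),
        "unbacked_credit": unbacked_credits(ledger),
        "inflate_then_transfer": inflate_then_transfer(ledger),
    }


if __name__ == "__main__":
    for rule, hits in run_all().items():
        print(f"{rule}: {len(hits)} hit(s)")
        for h in hits:
            print("   ", h)
```

The rules are deliberately simple correlations rather than statistical models: the point the case makes is that the fraudulent actions were individually ordinary-looking commands, so the signal is the missing link (no card session, no backing deposit), not an unusual command. In a real deployment the thresholds and the one-hour window would be tuned per institution, and the dispense log would be joined against the ATM's own transaction journal rather than a single combined feed.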
Tags: Carbanak, FIN7, ATM fraud, SWIFT, banking malware