Europol Review 2015

Cybercrime becomes more aggressive and confrontational

The European Cybercrime Centre (EC3) at Europol strengthens the law enforcement response to cybercrime in the European Union and helps protect European citizens, businesses and governments. Its focus is on cybercrimes:

  • committed by organised crime groups, particularly those generating large criminal profits, such as online fraud;
  • causing serious harm to victims, such as online child sexual exploitation;
  • affecting critical infrastructure and information systems in the EU, including cyber-attacks.

The Internet Organised Crime Threat Assessment (IOCTA) is Europol’s flagship annual strategic assessment of Internet-related organised crime. It informs decision makers on prioritisation of actions in the field of high-tech crimes, online child sexual exploitation and online payment fraud, and offers a forward looking, strategic overview of the cybercrime landscape. The 2015 IOCTA provides primarily a law enforcement perspective, combined with input from private industry, the financial sector and academia, which makes it unique compared to many private sector assessments.

The 2015 IOCTA reported how cybercrime is becoming more aggressive and confrontational. There is a shift from hidden, stealthy intrusions towards direct, confrontational contact between criminals and victims. This is seen across the various forms of cybercrime, including high-tech crimes, data breaches and sexual extortions. Aggressively confronting victims is the trademark of traditional organised crime groups who have turned to cybercrime for its high profits.

Cybercrime forum with up to 300 users taken down

Darkode was one of the most prolific English-speaking cybercriminal forums in the world, used to trade and barter hacking expertise, malware and botnets, Zero Day Exploits, access to compromised servers, and to find partners for spam campaigns or malware attacks. The forum was a closed community of 250-300 active users. To join, potential candidates had to be invited and vetted by a trusted member of the forum.

Europol played a central coordination role in the takedown of Darkode, facilitating law enforcement activities prior to and during the actual operational action. Europol set up a dedicated command post with a direct secure communication link to the command centre in the US which was used to orchestrate the work effectively on the ground.

Participants:

  • Lead: FBI, USA
  • Law enforcement officers from: Australia, Brazil, Canada, Croatia, Colombia, Cyprus, Denmark, Finland, the Former Yugoslav Republic of Macedonia, Germany, India, Israel, Latvia, Nigeria, Bosnia and Herzegovina, Romania, Serbia, Sweden, United Kingdom, USA
  • Joint Cybercrime Action Taskforce (J-CAT) located at Europol
  • Takedowns and arrests coordinated from command posts set up by the FBI in Pittsburgh, USA, and Europol headquarters in The Hague, the Netherlands

Results: 28 individuals arrested, 37 houses searched, computers and other equipment seized.

3.2 million computers infected with Ramnit Malware

On 24 February 2015, Europol coordinated a joint international operation to target the Ramnit botnet[7] that had infected 3.2 million computers around the world. This botnet was used by criminals to gain remote control of infected computers, primarily to steal passwords and disable antivirus protection. The malware, infecting users running Windows operating systems, exploited different infection methods such as links contained in spam emails. Representatives from the Member States’ law enforcement services, Microsoft, Symantec and Anubis Networks worked together with Europol officials to shut down command and control servers and to redirect 300 Internet domain addresses used by the botnet's operators.

Participants:

  • Lead: United Kingdom
  • Law enforcement officers from: Germany, Italy, the Netherlands
  • Partners from the private sector: Anubis Networks, Microsoft, Symantec
  • Joint Cybercrime Action Taskforce (J-CAT), located at Europol
  • Computer Emergency Response Team for the EU institutions, bodies and agencies (CERT-EU)

[7] Botnet is a term used to describe a network of infected computers.

60 arrests in a complex cybercrime investigation

On 18 and 19 June, Europol’s European Cybercrime Centre and Eurojust were involved in a coordinated action in Ukraine - joint investigation team (JIT) Mozart. JIT Mozart is one of the most complex cross-border cybercrime investigations that EC3 has to date supported, entailing more than 16 000 man-hours of investigative work, the exchange of more than 1700 operational messages, and intensive analysis of a large volume of complex data. EC3 supported the investigation by establishing the overall intelligence picture, and identifying crucial links between the malware attacks and the different investigations. Furthermore, Europol’s analytical work and forensic analysis helped to link the suspects to the actual crimes and to identify the high-value top targets. Both Eurojust and Europol provided funding for the JIT. The substantial volume of data collected and processed during the investigation is still being used to trace the cybercriminals still at large, and has to date generated multiple hits with other high-profile cybercrime investigations.

Participants:

  • JIT members: Austria, Belgium, Finland, the Netherlands, Norway, United Kingdom
  • Partner states: Estonia, Germany, Latvia, Moldova, Poland, Ukraine and the USA
  • Actions: one coordinated in Ukraine in June 2015; more operational actions in Austria, Belgium, Finland and the Netherlands
  • Results: 60 arrests in multiple jurisdictions (Belgium, Estonia, Finland, Latvia, Netherlands, and Ukraine); dismantling of a sophisticated cybercriminal organised crime group responsible for attacking e-banking systems in Europe, America, Australia and Asia.

Data is a key target and commodity for cybercriminals

The number and frequency of publicly disclosed data breaches are dramatically increasing. Such breaches, particularly when sensitive personal data is disclosed, inevitably lead to secondary offences as the data is used for fraud and extortion.

Cybercrime forensic expertise

The European Cybercrime Centre has an expert forensics team who provide network, mobile device and document forensics support. This expertise and analysis helps deliver evidence for ongoing investigations, while also providing Europol and EU law enforcement services with a better understanding of the tools and methods used by cybercriminals. In 2015, Europol provided on-the-spot digital forensic support to 20 investigations, including drugs and money laundering cases.

Joint Cybercrime Action Taskforce (J-CAT)

The J-CAT is an innovative, country-led framework for strengthening operational cooperation in fighting cybercrime. It operates from Europol’s headquarters and is supported by Europol’s European Cybercrime Centre. The J-CAT started as a six-month pilot in 2014 and was consequently extended. This extension came after the J-CAT successfully supported a number of important operations covering:

  • high-tech crimes involving malware, botnets, and intrusion;
  • crime facilitation (bulletproof hosting, counter-anti-virus services, infrastructure leasing and rental, money laundering, including virtual currencies);
  • online fraud (online payment systems, carding, social engineering);
  • various forms of online child sexual exploitation.

In 2015, the J-CAT was involved in eight successful operations, including operations Triangle, Bugbyte, Bluebonnet, R2D2 and B58 (Dorkbot), as well as one international crime prevention campaign: Blackfin. These activities were in cooperation with the private sector whose involvement is essential for tackling cross-border cyber threats.

The last J-CAT meeting for 2015 was attended by the US Attorney General, who highlighted the excellent level of cooperation between Europol and the US Department of Justice in tackling cybercrime, and announced the temporary deployment of a US prosecutor to The Hague to work closely with Europol’s European Cybercrime Centre and the J-CAT.

Europol Malware Analysis Solution

The Europol Malware Analysis Solution (EMAS) is a dynamic, automated malware analysis solution provided by Europol to EU Member States. EMAS offers the possibility of creating analysis reports, but its most revolutionary feature is that it produces intelligence for police investigators. Automated cross-checks can show links between attacks performed in different countries with the same malware, or with the same criminal organisation behind the same malware family, connecting to the same domains and related to different investigations within or outside the EU. In 2015, EMAS became fully automated to allow direct access to law enforcement parties with which Europol has operational agreements. In 2015, 525 108 files were analysed in EMAS, of which 356 863 were identified as malicious.

Trojan horse for Android used to steal information and money

Operation R2D2, led by German law enforcement authorities and supported by several other countries, targeted mobile malware and malware buyers. The specific malware in question was the DroidJack Remote Administration Tool (RAT)/ Android crimeware tool (SandroRAT). The Trojan horse program for Android devices opens a back door on compromised devices. It also steals information, and poses risks to money, privacy, data integrity and device access. The operation resulted in 20 house searches and 10 arrests in Europe, and 18 hearings in the USA.

Botnet infects over a million computers

Operation B58 resulted in the disruption of the Dorkbot botnet. The Win32/Dorkbot botnet has infected over a million computers in 190 countries worldwide since it was discovered in 2011. Commonly spread via USB flash drives, instant messaging programmes and social networks, Dorkbot causes damage by opening a backdoor on the infected computer, allowing for remote access and potentially turning it into a botnet. Investigators are in the process of determining the number of victims around the world that have been impacted by this botnet.

Card-present fraud on the decrease in Europe and on the increase overseas

Following the implementation of EMV (Europay, MasterCard, and Visa) chip card (‘Chip and PIN’) technology in the EU, card-present fraud has significantly reduced in Europe. This is because cardholders’ confidential data is more secure on a chip-embedded payment card than on a card with a magnetic strip.

However, card-present fraud has migrated to those countries where EMV technology is not yet fully implemented. The level of illegal transactions overseas has therefore sharply increased, as cards cloned in Europe are being used to withdraw money in non-EU countries.

In March 2015, the Indonesian National Police (INP) contacted Europol regarding the arrest of several European citizens accused of card skimming in Bali. Since no cooperation agreement was in place with Indonesia, Europol contacted the national experts from the country of origin of the arrested criminals for any data relevant to the case. As a result of analysis performed within the Europol database, various cases of illegal money withdrawals were identified. All of them were made with payment cards issued by EU banks and skimmed in EU countries. It turned out that Indonesia was one of the most affected countries. Europol also identified the EU countries with the most recent withdrawals and ongoing cases. Subsequently Bulgaria, Denmark, Germany, Hungary, Romania, Slovenia, and Europol met with the Indonesian National Police, a local prosecutor, the Immigration Service and representatives from the seven biggest banks. Another meeting was organised to develop relations with key countries in the region.

Awareness meetings were organised in other parts of the world to raise awareness about payment card fraud overseas and money withdrawals in these regions, e.g. in Bogota, Colombia and in Singapore. The meeting in Colombia was of particular relevance, as it resulted in the launch of a joint cross-border investigation into an organised crime group operating both in Europe and South America.

Financial fraud cybercrime group dismantled

On 9 June 2015, the joint international operation Triangle led to the dismantling of a group of cybercriminals active in Belgium, Italy, Poland, Spain, the United Kingdom and Georgia. These cybercriminals were suspected of committing financial fraud involving email account intrusions. Operation Triangle resulted in the arrest of 49 suspects, 58 properties were searched, and numerous laptops and tablets, hard disks, telephones, SIM cards, memory sticks, forged documents, credit cards, cash, and bank account documents were seized. It was coordinated by Europol and Eurojust, led by the Italian Postal and Communications Police, the Spanish National Police, the Polish Police Central Bureau of Investigation, and supported by UK law enforcement bodies. The Joint Cybercrime Action Taskforce (J-CAT) at Europol also supported the operation.

More children exposed to sextortion

A growing number of children and teenagers own smartphones that they use to access social media and communication apps, and are increasingly present online. This facilitates the creation and distribution of large amounts of self-generated indecent material, making them vulnerable to sexual extortion. According to the UK media use survey, children aged 5-15 spend 12.5 hours online per week; 41% own a mobile phone, increasingly with access to the internet, and 34% own tablet computers. This trend will most probably increase, exposing children even more to potential threats online.

Missing and exploited children

In 2015, Europol’s European Cybercrime Centre extended information flow from the US National Centre for Missing and Exploited Children (NCMEC) to now include a total of 19 European countries: Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Greece, Hungary, Latvia, Luxembourg, Malta, Norway, Poland, Romania, Slovakia, Slovenia and Sweden. This improved set up was possible through cooperation with the US Immigration and Customs Enforcement (ICE) who had a need to distribute NCMEC reports to EU Member States. US ICE provides Europol with information from the NCMEC tip line, which is then cross-checked by Europol and intelligence then provided to the concerned EU Member States. In 2015, more than 26 000 reports were disseminated.

Two-year-old girl rescued from sex abuse

A Romanian man suspected of sexually abusing his two-year-old daughter, filming the abuse and posting the child abuse material online, was arrested and the child rescued by Romanian law enforcement authorities.

The case began when the US National Center for Missing and Exploited Children (NCMEC) received a report of suspected online child sexual abuse. NCMEC analysts passed the information to US liaison officers at Europol. Immigration and Customs Enforcement, Homeland Security Investigations (ICE HSI) special agents worked with the European Cybercrime Centre to immediately launch an investigation. Europol cross-checked and analysed all data, and produced an intelligence package for Romanian authorities. Romanian law enforcement authorities specialised in combating organised crime, and prosecutors, were rapidly involved. The suspected abuser, his victim and their location were soon identified. On 24 February 2015, Romanian police arrested the suspect and searched his home. Evidence found at the home matched that seen in the self-produced child abuse material that the perpetrator had posted online. The victim – the suspect's own daughter – was safeguarded.

Darknet used for exchanging child sex abuse material

Europol supported Italian law enforcement authorities to shut down a hidden service for distributing child sex abuse material online. The house of the Italian administrator was searched and 14 000 bitcoin wallets were seized.

Operation Babylon began two years ago, when the Italian Postal and Communications Police uncovered a hidden service within the Darknet that was facilitating the exchange of child sex abuse material. It was also servicing crime by hosting sellers of illegal commodities such as weapons, passport and identity documents, counterfeit and cloned credit cards, hacking services, and close to 210 sellers of drugs. The marketplace administrator earned a percentage from all of these transactions. The Italian State Police opened the investigation and was supported by Europol and undercover agents from the Italian National Centre for the Fight against Child Pornography Online (CNCPO). Investigators found thousands of online images of young victims being abused, which were being exchanged by paedophiles in many hidden online locations on the Darknet. Europol provided support and coordination during the operation, exchanged and shared vital information and intelligence, and deployed on-the-spot technical support in Campania, Italy.

Scanning the internet for child abuse

The Virtual Global Taskforce (VGT) is a collaborative partnership of law enforcement agencies that have come together to combat online child sexual abuse worldwide. The 2015 child sexual exploitation environmental scan was commissioned by the VGT Board of Managers to set its strategic priorities for the next four years. It is a public version of an assessment for law enforcement drafted by Europol. Its main conclusions revealed how:

  • the live streaming of child abuse is no longer an emerging trend, but an established reality
  • the use of Tor in proliferating child sexual abuse material is a key threat; restricted areas pose the highest risk to children
  • children are at risk of harm from online grooming and solicitation for sexual purposes; blackmail through the dissemination of sexually explicit material depicting victims.

Protecting children from sexual abuse

Europol is actively involved with the Lanzarote Committee of the Parties, which was established to monitor the implementation of the Convention on the Protection of Children against Sexual Abuse and facilitate the collection, analysis and exchange of related information and good practices. In 2015, highlights included the adoption of an opinion on online grooming and the creation of a first monitoring report on how children in Europe are legally protected against sexual abuse in the circle of trust.

Europol advocates crime prevention

Europol cooperates with law enforcement authorities and the private sector in crime prevention. In the area of cybercrime, Europol supported a number of events in November 2015 as part of Operation Blackfin, a cybercrime awareness raising campaign led by the UK National Crime Agency, and supported by Europol’s European Cybercrime Centre and the J-CAT. Together with anti-virus companies, several pop-up events were organised across Europe and beyond (Colombia and Australia). This initiative was aimed at educating the public about the threats they face online, and, most importantly, how to protect themselves. Law enforcement and industry partners offered advice to the general public at various locations, such as airports, shopping centres and train stations. In the UK alone, 2 500 people attended the campaign events. In Colombia, approximately 650 people attended the workshops and 85 infected PCs were discovered.

The Cybercrime Prevention Network was set up by Europol as an informal group that aims to join forces in communicating about cybercrime prevention and awareness. It is comprised of law enforcement prevention experts from EU Member States, with the participation of Interpol and the European Commission (DG Home). The network was consolidated in 2015 with an annual meeting taking place at Europol, and the development of a dedicated space on the Europol Platform for Experts (SPACE) for the exchange of best practices and expertise among its members.

Social media is increasingly becoming an inherent part of cybercrime prevention, with a large proportion of the target audience present online. Europol uses its Twitter account to provide updates on its latest activities, advice on prevention and awareness, and inform the public about other topics related to cybercrime and crime fighting.

Fighting the abuse of virtual currencies

In June 2015, Europol’s Virtual Currencies Conference offered an exceptional line-up of speakers to explain the concepts behind virtual currencies, and present ways to follow the flow of transactions on blockchain technologies and transactions to link criminals to crime. The event was organised for the second time by Europol and US ICE Homeland Security Investigations (HSI). The focus was on fighting the abuse of virtual currencies, such as Bitcoin, used for criminal transactions and money laundering. Participants were law enforcement practitioners involved in investigations of cybercrime, money laundering and asset recovery as well as representatives from the virtual currencies industry, the financial sector and academia. The conference launched a Tripartite Working Group between Europol, the Basel Institute and Interpol on the sharing of expertise concerning money laundering with virtual currencies.

News on the EU Financial Cybercrime Coalition

In June 2015, the second conference of the EU Financial Cybercrime Coalition was hosted at Europol with the aim of further strengthening cooperation between EU law enforcement and the financial sector. This annual conference is the largest event that brings together, at an EU level, law enforcement and the financial sector in the fight against cybercrime, and attracted 140 professionals from financial institutions and law enforcement services. The event resulted in several initiatives aimed at increasing the sharing of intelligence and further improving international law enforcement cooperation.

Training cybercrime experts

Europol’s new course on Payment Card Fraud Forensics took place in July 2015 at the Spanish National Police Academy in Ávila, Spain. The aim of the training was to increase forensic experts’ knowledge and expertise in the area of payment fraud forensics, such as the examination of skimming devices. During the course, 33 participants from various EU Member States learned about techniques to examine seized equipment, new trends and threats compromising card data and PINs in point-of-sale terminals and cash machines, as well as some payment card analysis tools. The course also covered ATM logical attacks, especially malware attacks, which are a developing threat in the area of payment card fraud. Europol also provides two other advanced cybercrime training courses: Combating Online Sexual Exploitation of Children and Open Source IT Forensics.