A joint investigation by Spanish and British law enforcement authorities, coordinated by Europol and its Joint Cybercrime Action Taskforce (J-CAT), has resulted in the dismantling of an international cybercrime group involved in the design, development and sale of sophisticated software tools that render all types of malware, infecting thousands of computers worldwide, undetectable by security products.
As a result of the investigation, 5 individuals were arrested (3 in Spain and 2 in the United Kingdom), and various premises were searched in Barcelona, the Canary Islands and Liverpool. As a result of the searches in Spain, investigators seized 6 hard drives, a laptop, 2 external storage devices, 8 Bitcoin mining devices and numerous documents.
The tools developed by the crime group were used worldwide for the distribution of Remote Access Trojans and keyloggers, that is, malicious software that takes full control of the victim’s computer and steals private and personal information, among other things. The tools were promoted on hacking forums in exchange for payments, usually in bitcoins.
Europol has supported this complex investigation since the end of 2015 by providing information exchange, operational coordination, forensic expertise and on-the-spot support. The investigation, which had the participation of the Spanish National Police, the UK’s Regional Cyber Crime Unit for Tackling North West Serious Organised Crime (TITAN), as well as partners in the private sector, had two main phases. The first phase, carried out in the UK in April last year, led to 2 arrests. The second phase, carried out in Spain in April this year, led to 3 arrests.
To support the actions on the spot, experts from Europol’s European Cybercrime Centre (EC3) were deployed to the UK and Spain. This allowed for real-time intelligence analysis and cross-checks against Europol’s databases, as well as forensic support.
Investigations revealed that the criminal group has carried out its illicit activities since mid-2013, producing substantial profits.
This type of investigation is indicative of the growing use by cybercriminals of encryption and anonymity services for illegal purposes and to conceal their activities, which was also identified as a key trend by Europol’s Internet Organised Crime Threat Assessment (IOCTA) 2016.