Last week, Spanish police arrested 16 suspects for laundering funds stolen by other hackers with the help of banking trojans, the most notable ones being Mekotio and Grandoreiro.
The Guardia Civil, which is Spain’s oldest law enforcer agency, has arrested 16 suspects in various provinces and the country’s capital Madrid.
The authorities searched houses and seized devices for investigation, part of an operation that authorities named “Aguas Vivas” (translated as “Living Waters”).
During the raids, the police found evidence that attackers stole over €276,470 from various bank accounts, and had access to other accounts storing around €3.5 million, which they didn’t steal yet.
The Grandoreiro and Mekotio strains are believed to have been developed by cybercrime groups operating out of Brazil. While Mekotio is a new threat, the Grandoreiro trojan is a well-known and popular name in the cybersecurity industry and has been around since 2016.
Both trojans are designed to steal sensitive information from customers of up to 30 different banks. They can also silently collect usernames and passwords by way of malspam emails with spoofed addresses mimicking legitimate organizations.
The attackers used the two trojans to gain access to the victim’s accounts and then stole and sent funds to accounts that were under their control.
“One characteristic in which all the victims agreed is that, once they carried out any banking operation through the web, their computers restarted several times until access was blocked, later observing that large amounts of their money had been transferred to unknown accounts,” Guardia Civil officials said in a press release last week.
“After that, the money was split by sending it to other accounts, or by withdrawing cash at ATMs, transfers by BIZUM, REVOLUT cards, etc., in order to hinder possible police investigations,” the agency added.
Authorities did not reveal if the 16 suspects were responsible for distributing the malware. However, they noted that the arrested criminals were heavily involved in laundering the stolen funds.
The arrest of 16 suspects in Spain confirms reports by security firms, such as ESET and Kaspersky, that the groups operating in Brazil have been updating their banking trojans to target European banks.
Mekotio and Grandoreiro continued to evolve throughout 2020 and became more sophisticated. According to ESET, these two banking trojans became more prevalent last year.
