Group-IB Report on the MoneyTaker Hacker Group
Researchers from Group-IB have released a report detailing the activities of the Russian-speaking hacker group known as MoneyTaker. Previously, there was little media coverage or cybersecurity attention given to this group. However, according to Group-IB, in just a year and a half, MoneyTaker carried out 20 successful attacks on banks and other legal entities in the United States, Russia, and the United Kingdom.
Main Targets and Geographic Reach
The primary targets of the hackers are card processing systems, the Russian interbank system ARM CBR (Automated Workstation of the Bank of Russia Client), and, reportedly, the American SWIFT system. Group-IB’s Threat Intelligence system suggests that financial organizations in Latin America may soon become targets as well.
In addition to banks, MoneyTaker has attacked law firms and financial software developers. In total, MoneyTaker is responsible for sixteen attacks on U.S. companies, three attacks on Russian banks, and one attack in the UK. In the U.S., the average loss per attack is $500,000. In Russia, the average amount stolen per incident (due to ARM CBR compromise) is 72 million rubles.
Stealth Tactics and Law Enforcement Involvement
Experts note that the group remained undetected for a long time by using a wide range of tools to bypass antivirus and anti-spam systems, erase traces of their attacks, and complicate post-incident investigations. All information about MoneyTaker’s activities has already been sent to Europol and Interpol.
“MoneyTaker uses publicly available tools, making attribution of incidents a non-trivial task,” says Dmitry Volkov, Head of Cyber Intelligence at Group-IB. “Incidents occur in different regions: one bank was robbed twice, indicating poor investigation after the first attack. We are revealing the connections between all 20 incidents we discovered and do not rule out new thefts. To reduce the risk, we have released a public report explaining how this group operates and why we believe all these episodes are the work of MoneyTaker.”
MoneyTaker Attacks: Past and Potential
The first attack linked to MoneyTaker occurred in spring 2016, when the group gained access to the STAR card processing system of FirstData and stole money from an unnamed U.S. bank. In August 2016, they successfully hacked a Russian bank using software for automatic money transfers via the Central Bank of Russia’s ARM CBR system.
In 2016, Group-IB recorded 10 attacks by MoneyTaker: 6 on U.S. banks, 1 on a U.S. IT service provider, 1 on a UK bank, and 2 on Russian banks. Only one attack (on a Russian bank) was quickly detected and prevented.
In 2017, attacks were limited to Russia and the U.S., but the total number remained the same: attacks on U.S. banks (8), a law firm (1), and Russian banks (1).
After thorough investigation, Group-IB analysts found connections between all 20 incidents, not only in the tools used but also in the group’s “signature,” such as using distributed infrastructure with disposable elements and unique money withdrawal schemes (using a new account for each transaction). Another trait: after a successful attack, the hackers continued spying on bank employees by forwarding incoming emails to Yandex and Mail.ru addresses in the format [email protected].
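One defender-side check for the mailbox-forwarding trait described above, as an added example that is not part of the Group-IB report: audit mailbox forwarding rules and flag any whose target lies outside the bank's own domain, with the consumer webmail domains named in the report treated as high-priority alerts. The rule log format, the corporate domain `examplebank.test` and the sample rules are all constructed for this example.

```python
# Added example (not from the Group-IB report): flag mailbox auto-forwarding
# rules that send a bank employee's incoming mail to external webmail.
# The "mailbox -> target" log format and all sample values are constructed.
import re

INTERNAL_DOMAINS = {"examplebank.test"}   # assumed corporate mail domain
WATCHLIST = {"yandex.ru", "mail.ru"}      # webmail domains named in the report

# Constructed sample: one forwarding rule per line.
SAMPLE_RULES = """\
j.smith@examplebank.test -> archive@examplebank.test
ops.team@examplebank.test -> examplebank@yandex.ru
cfo@examplebank.test -> cfo.backup@mail.ru
hr@examplebank.test -> hr@partner.example
""".splitlines()

RULE_RE = re.compile(r"\s*(\S+)\s*->\s*(\S+)\s*$")


def domain_of(addr):
    """Lower-cased domain part of an e-mail address."""
    return addr.rsplit("@", 1)[-1].lower()


def classify(rule):
    """Return (mailbox, target, verdict) for one rule line, or None if unparsable."""
    m = RULE_RE.match(rule)
    if not m:
        return None
    mailbox, target = m.group(1), m.group(2)
    d = domain_of(target)
    if d in INTERNAL_DOMAINS:
        verdict = "ok"        # forwarding stays inside the organisation
    elif d in WATCHLIST:
        verdict = "alert"     # external webmail domain seen in the MoneyTaker cases
    else:
        verdict = "review"    # any other external destination needs a look
    return mailbox, target, verdict


def audit(rules):
    """All rules that forward outside the organisation, worst first is not assumed."""
    return [r for r in map(classify, rules) if r and r[2] != "ok"]
```

In a real deployment the rule list would come from the mail platform's transport or inbox-rule export; the watchlist is a starting point, and every external forward, not only those domains, deserves review.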
Other key findings included privilege escalation programs compiled from code presented at the Russian ZeroNights 2016 conference. Well-known banking trojans like Citadel and Kronos were also used, with Kronos being used to install the POS trojan ScanPOS.
Group-IB found that MoneyTaker always tries to steal internal documentation on banking systems in every country: admin manuals, internal instructions, change request forms, transaction logs, and more. Currently, Group-IB is investigating several cases involving copied SWIFT documentation, which may indicate upcoming attacks in Latin America.
Attack Arsenal and Evasion Techniques
Group-IB notes that MoneyTaker uses both borrowed and custom-developed software. For example, to monitor bank operators, the hackers wrote their own application functioning as a screenshot tool and keylogger. This app records keystrokes, takes desktop screenshots, and intercepts clipboard content. Written in Delphi, it uses five timers to trigger various functions (data capture, screenshot, data upload, self-disabling, etc.). The code includes anti-emulation features to bypass antivirus and automated analysis tools.
During an attack on ARM CBR at a Russian bank, the group used their own MoneyTaker v5.0 system—a modular program where each component performs specific actions: searching for payment orders, modifying them by replacing details with those of the attackers, and then erasing traces. The changes are made before the payment order is signed, so the altered order with fraudulent details is sent for approval.
To further cover their tracks, the concealment module rewrites the debit confirmation after the transaction, swapping the attackers’ details back to the original ones so that the confirmation reads as if the details had never been changed. This buys the attackers extra time before the theft is discovered.
MoneyTaker uses a distributed infrastructure that is hard to trace. A unique feature is the use of a Persistence server, which delivers payloads only to real victims whose IP addresses are whitelisted.
For command and control, the attackers use a Pentest framework server with legitimate penetration testing tools. Metasploit manages the entire attack, handling network reconnaissance, vulnerability scanning, exploitation, privilege escalation, information gathering, and more.
After infecting a computer and gaining a foothold, the attackers explore the local network to obtain domain administrator rights and ultimately take full control of the network.
To remain undetected, the hackers use “fileless” malware that operates only in memory and is destroyed after a reboot. For persistence, MoneyTaker relies on scripts, which are harder for antivirus to detect and easier to modify. In some cases, the hackers changed program code “on the fly” during the attack.
To secure malware-server communication, they use specially created SSL certificates with trusted brand names (Bank of America, Federal Reserve Bank, Microsoft, Yahoo, etc.), not randomly generated ones.
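A detection angle on the certificate trait above, as an added example that is not from the report: a certificate whose subject borrows a well-known brand is only suspicious when it was not issued by a CA the environment actually trusts (self-signed, or an unknown issuer). The pipe-separated TLS log format, the brand list, the issuer allowlist and the sample records are all constructed for this example.

```python
# Added example (not from the Group-IB report): flag TLS server certificates
# whose subject impersonates a well-known brand but were not issued by a
# trusted CA, as with the self-made brand-named certificates the report
# describes. Record format and all sample values are constructed.
BRANDS = ("bank of america", "federal reserve", "microsoft", "yahoo")
# Assumed allowlist of issuer names trusted in this environment (illustrative).
TRUSTED_ISSUERS = {"DigiCert", "Let's Encrypt", "GlobalSign"}

# Constructed sample, one record per line: dst_ip|subject_cn|issuer_cn
SAMPLE_TLS_LOG = """\
203.0.113.10|mail.examplebank.test|DigiCert
203.0.113.20|www.bankofamerica.com|www.bankofamerica.com
203.0.113.30|login.microsoft.com|Contoso Self Signed
203.0.113.40|update.yahoo.com|DigiCert
"""


def parse_record(line):
    dst, subject, issuer = line.split("|", 2)
    return {"dst": dst, "subject": subject, "issuer": issuer}


def brand_in(name):
    """Return the first brand whose name appears in the subject, ignoring dots/spaces."""
    squashed = name.lower().replace(".", "").replace(" ", "")
    return next((b for b in BRANDS if b.replace(" ", "") in squashed), None)


def suspicious(rec):
    """(dst, brand, reason) when a brand-named cert lacks a trusted issuer, else None."""
    brand = brand_in(rec["subject"])
    if brand is None:
        return None
    self_signed = rec["issuer"] == rec["subject"]
    if self_signed:
        return rec["dst"], brand, "self-signed"
    if rec["issuer"] not in TRUSTED_ISSUERS:
        return rec["dst"], brand, "untrusted issuer"
    return None  # brand name issued by a trusted CA: normal traffic


def scan(log_text):
    hits = []
    for line in log_text.strip().splitlines():
        h = suspicious(parse_record(line))
        if h:
            hits.append(h)
    return hits
```

A real check would compare the full issuer DN and chain against the trust store rather than a bare issuer name, but the logic of "brand in subject AND no trusted issuer" is the signal to keep.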
Card Processing Attacks
The first card processing attack linked to MoneyTaker occurred in May 2016. After gaining access to a bank’s network, the group compromised the FirstData STAR network portal, made necessary changes, and withdrew funds. A similar incident happened at another bank in January 2017.
The attack scheme is simple: after gaining control of a bank’s network, the hackers check if they can access the card processing management system. They then legally open or buy cards from the compromised bank. Their “mules” (accomplices who withdraw cash) travel to another country and wait for the operation to begin. The attackers use their access to remove or increase withdrawal limits and overdraft limits on the mules’ cards, allowing them to withdraw large sums—even going into negative balances on debit cards. The mules withdraw cash from one ATM, then move to the next, and so on. The average loss per attack is about half a million dollars.