
Carbanak / FIN7 — multi-bank ATM and SWIFT campaign

A multi-year campaign against banks combined spear-phishing, lateral movement and direct manipulation of payment infrastructure to steal $1B+ through ATM cash-outs and SWIFT transfers.

Target
Carbanak / FIN7 — multi-bank ATM and SWIFT campaign
Date public
15 February 2015
Sector
Financial Services
Attack type
Nation State
Threat actor
Carbanak / FIN7 (Russian-speaking criminal group)
Severity
Critical
Region
Global — 100+ banks across 30+ countries

Carbanak is the Russian-speaking criminal group that, between 2013 and 2018, stole an estimated $1 billion from more than 100 banks across 30 countries. The technique was patient and methodical — phish a back-office employee, sit on the network for weeks while learning how the bank's payment systems worked, then either remotely command ATMs to dispense their cash cassettes at a pre-arranged time or directly inflate account balances in the database and wire the inflated amounts out before the audit trail caught up. The defensive controls that would have stopped this — privileged-access workstations, network segmentation, behavioural detection — were all available at the time and not deployed. Carbanak forced the financial-services industry to accept that internal segmentation isn't optional.

The Carbanak campaign — first publicly disclosed by Kaspersky in February 2015 and documented in depth as new variants emerged through 2018 — was the first criminal cyber-operation to demonstrate that a financially motivated group could compromise the operational fabric of a bank with the discipline and patience usually associated with state intelligence services. The group, also tracked as FIN7, used spear-phishing emails carrying malicious Microsoft Office documents to gain footholds in bank corporate networks, then spent weeks or months inside the network learning the bank’s internal procedures before triggering theft.

Three theft mechanisms were observed across the campaign. The first was direct ATM cash-out: operators inside the bank’s network would send commands to specific ATMs to dispense their entire cash cassette at a pre-arranged time, with money mules waiting at the machine. The second was SWIFT-style payment manipulation: the operators would identify accounts within the bank and inflate their balances by directly editing the database, then transfer the inflated balance out through wire transfers, with the manipulation timed so that the audit trail would show a legitimate balance at the moment of transfer. The third was online-banking theft: operators would identify high-value commercial accounts and conduct transfers from them, often using the bank’s own internal wire systems to mask the theft as a legitimate transaction.

Total losses across the campaign were estimated by Kaspersky and subsequent researchers at approximately $1 billion across more than 100 banks in 30+ countries between 2013 and 2018. Russian, Ukrainian, Chinese and several European banks were named as victims at various points; specific bank names were largely not disclosed publicly because the affected institutions preferred to absorb the losses rather than face reputational damage from disclosure. The group also pivoted, mid-campaign, into a parallel point-of-sale-malware operation against US restaurant chains and retail brands, repurposing the same intrusion infrastructure to steal payment-card data.

In March 2018 Spanish national police arrested an individual described as the alleged leader of the Carbanak group in Alicante, Spain, in an operation co-ordinated by Europol with Belarusian, Romanian and Taiwanese police forces and the FBI. Several FIN7 indictments followed in US federal court in 2018 against named Ukrainian nationals. The arrests reduced the group’s operational tempo but did not end FIN7 — researchers tracked continued activity under the same TTPs through 2024, including pivots into Black Basta and other ransomware affiliations.

Defender takeaway: Carbanak is the case study for “the attacker spends weeks learning your bank before they steal anything”. The operators reached the ATM-management network and the bank’s internal payment systems by classic enterprise lateral movement: phish a back-office user, harvest credentials, find a domain admin, traverse the network at leisure. None of the steps required a zero-day. The defensive controls that would have stopped this intrusion at any of the lateral-movement steps — phishing-resistant authentication, privileged-access workstations for domain administrators, network segmentation between back-office Active Directory and the operational SWIFT/ATM environments, behaviour-based detection on unusual database queries against ledger tables — were all available to the affected banks at the time. The intrusions succeeded because the banks had applied to their internal systems only the controls that had been designed for the perimeter. Carbanak forced the financial-services industry to accept, over five years and a billion dollars in losses, that internal segmentation and Zero Trust principles are necessary, not optional, in a payment-processing environment.
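The last of those controls, behaviour-based detection on ledger writes, is the one that speaks directly to the balance-inflation mechanism described above. The following is an added illustration, not code from the page or from any named bank or vendor: it runs a simple rule over a constructed database audit log (hypothetical `ts|db_user|client_host|statement` format, with assumed table names and an assumed approved-writer list) and flags ledger writes from principals other than the core-banking application, and balances overwritten with a literal rather than adjusted relative to their previous value.

```python
import re
from dataclasses import dataclass

# Constructed sample database audit log (hypothetical format: ts|db_user|client_host|statement).
# Lines 1-2 are normal core-banking traffic; line 3 is the Carbanak-style direct balance edit.
SAMPLE_AUDIT_LOG = """\
2015-02-10T09:14:02Z|corebank_app|app-srv-01|UPDATE accounts SET balance = balance - 120.00 WHERE acct_id = 4471
2015-02-10T09:14:05Z|corebank_app|app-srv-01|SELECT balance FROM accounts WHERE acct_id = 4471
2015-02-10T23:41:17Z|dbadmin|ws-backoffice-17|UPDATE accounts SET balance = 1000000 WHERE acct_id = 9920
2015-02-10T23:41:30Z|dbadmin|ws-backoffice-17|SELECT balance FROM accounts WHERE acct_id = 9920
2015-02-10T23:42:01Z|reporting_ro|rpt-srv-02|SELECT SUM(balance) FROM accounts
"""

# Assumed names: which tables hold balances, and which (db_user, host) pairs may legitimately write to them.
LEDGER_TABLES = {"accounts", "ledger", "balances"}
APPROVED_WRITERS = {("corebank_app", "app-srv-01")}

WRITE_RE = re.compile(r"^\s*(?:UPDATE|INSERT\s+INTO|DELETE\s+FROM)\s+([A-Za-z_][\w.]*)", re.I)
# A balance set to a literal, rather than adjusted relative to itself, is the inflation pattern.
LITERAL_BALANCE_RE = re.compile(r"\bSET\s+balance\s*=\s*-?\d", re.I)

@dataclass
class Finding:
    ts: str
    db_user: str
    host: str
    table: str
    reasons: list

def detect_direct_ledger_writes(log_text):
    """Return one Finding per write statement against a ledger table that breaks an expectation."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, host, stmt = line.split("|", 3)
        m = WRITE_RE.match(stmt)
        if not m:
            continue  # reads are out of scope for this rule
        table = m.group(1).split(".")[-1].lower()
        if table not in LEDGER_TABLES:
            continue
        reasons = []
        if (user, host) not in APPROVED_WRITERS:
            reasons.append("ledger write from a principal/host outside the core-banking application")
        if LITERAL_BALANCE_RE.search(stmt):
            reasons.append("balance overwritten with a literal value instead of a relative adjustment")
        if reasons:
            findings.append(Finding(ts, user, host, table, reasons))
    return findings
```

On the sample log only the `dbadmin` write from the back-office workstation is flagged, and it trips both rules; the application's own relative adjustment and all reads pass.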

Controls that would have helped

Defender controls catalogued in the Controls Desk that would have changed the outcome of this incident, or limited its blast radius. Sourced from regulator and framework guidance — never vendors.

Sources
