Crime has no borders, least of all when it operates over the Internet. The Spanish and Brazilian police, in collaboration with Interpol, this Friday declared practically dismantled the network that used Grandoreiro, a Trojan of Brazilian origin, to loot the bank accounts of more than 3,000 people in Spain and several thousand more in other Spanish- and Portuguese-speaking countries, with particular incidence in Brazil, Portugal and Mexico, the Ministry of the Interior reported.
The arrest last Tuesday in São Paulo of the five leaders of the criminal network has been the culmination of Operation Ipanema which, since the end of 2020, has included the arrest, mainly in Madrid, but also in Seville, Barcelona and Valladolid, of another 133 people. All of them are considered mules, a term used in police jargon to refer to people who, for an amount of money or a percentage of between 10% and 20%, lend their identity to open bank accounts where the defrauded money is diverted. The operation is still looking for another twenty of these mules as well as the programmer of the malicious computer program, hidden in a third country.
The operation began in June 2020, when CaixaBank reported to the Cyber Attack Group of the National Police that numerous clients of the entity were suffering banking fraud after their computers had been infected by the Grandoreiro Trojan. The infection occurred through fake emails, purporting to come from the bank itself, that invited recipients to click on links that caused the malicious program to be downloaded. The malware, which had already spread massively during the confinement caused by the covid-19 pandemic, remained inactive until the user accessed their online banking accounts, at which point an image was loaded onto the victim's computer that impersonated the site of their banking entity (the so-called mirror pages) and began collecting keys and credentials.
Once this information was obtained, the network made money transfers to deposits opened in the names of the mules and, in some cases, requested immediate loans of up to 30,000 euros. To do this, with the excuse of updating the software of the bank's security system, the cyber attackers asked the victims, through the fraudulent website they had installed, for the one-time automatic verification keys that they received via SMS messages on their mobile phones. Once the money arrived in the accounts opened by the network, the mules moved it quickly from one deposit to another, often opened in third countries such as Belgium, France, Portugal or Brazil, and even made cash withdrawals to acquire cryptocurrencies in an attempt to make it difficult to track the funds. Bank customers only realized they had been victims when the money had already left their accounts.
The police investigations revealed that the frauds not only affected CaixaBank, but that clients of Santander (a car dealership in Pamplona suffered a fraud of 1.5 million euros), BBVA and Banco Sabadell, among others, had also suffered similar scams. Sources close to the investigation add that the network had actually cloned the screens of the websites of practically all Spanish financial entities. So far, the Police have confirmed a completed fraud of five million euros in Spain alone, although they have also found indications that the network had made attempts for another 100 million. Worldwide, investigators estimate that the network consummated scams worth more than 120 million euros, but that it attempted scams worth 1,000 million.
The investigation in Spain began to yield results three months after the complaint. In September 2020, the first mules were arrested, and by October of the following year there were more than a hundred detainees. “The operation has had three legs. The first, that of the mules, was the simplest. The second, that of the ringleaders of the plot, is the one that we have now concluded with the arrests in Brazil. The third is that of the person who developed the Trojan virus and who rents it to criminal groups like the one we have now dismantled. He is already identified, but we are still looking for him,” says Inspector Juan María Cabo, head of the Cyber Attack Group of the National Police.
The police officer points out that Grandoreiro scams came to a sudden halt in Spain in May 2021, in the midst of the investigation, after banking entities implemented the EU directive that required double authentication to make online transfers. From that moment until the summer of the following year, fraud attempts using this Trojan practically disappeared. “We detected cases again in September 2022, although in much smaller numbers and with a peculiarity: they were no longer the result of mass shipments, but rather it was phishing [creation of web pages similar to the bank's real ones] specifically aimed at clients with a high economic level,” highlights Inspector Cabo. In fact, the operation is still open.
The complexity of the operation is demonstrated by the high number of police officers from several countries who have intervened. In addition to several units in Spain and agents from the Federal Police of Brazil, the operation has involved Europol, the EU police agency, whose experts analyzed 53 recovered samples of the Trojan, and Interpol, the organization that brings together police officers from 196 countries and which has been in charge of coordinating the operation over the last year and a half. The investigation is judicially directed in Spain by the National Court and the Computer Crime Prosecutor's Office.