active threat profile

type: Cybercrime
threat_level: Critical
status: Active
origin: Russia / Ukraine (assessed)
last_updated: 2026-03-27

Carbanak Group

also known as: Anunak, Carbon Spider, GOLD KINGSWOOD, Coreid

The group that executed what Kaspersky called the "Great Bank Robbery" — an estimated $1 billion stolen from over 100 financial institutions across 30 countries by targeting bank employees rather than customers. Carbanak's operators spent months inside bank networks learning the internal operations of each victim, then impersonated bank employees to instruct ATMs to dispense cash, manipulate SWIFT transfers, and inflate account balances before draining them. Active since at least 2013 and confirmed active through subsequent campaigns, Carbanak represents one of the most financially successful cybercrime operations ever documented.

attributed origin: Russia / Ukraine (assessed, multinational crew)
suspected sponsor: Organized crime (financially motivated)
first observed: December 2013 (compiled August 2013)
primary motivation: Financial theft — direct bank fund extraction
primary targets: Banks, Financial Institutions, Payment Systems
known impact: Est. $1B+ stolen, 100+ institutions, 30 countries
mitre att&ck group: G0008
target regions: Russia, Eastern Europe, US, Germany, China, Global
threat level: CRITICAL

Overview

The Carbanak Group is a Russia- and Ukraine-based organized crime syndicate that operates one of the most technically sophisticated and financially impactful bank theft operations ever documented. The group is named after the Carbanak malware — a Carberp-derived backdoor first observed in 2013 — which it uses as its primary post-compromise implant. Kaspersky Lab discovered the campaign in 2014 during a forensic investigation into mysterious ATM cash dispensing at a Ukrainian bank, eventually mapping the full scope of the operation in collaboration with INTERPOL, Europol, and national law enforcement agencies across multiple countries.

The group's defining characteristic is its patience. Rather than conducting rapid smash-and-grab attacks, Carbanak operators spend two to four months inside each victim bank network before stealing anything. During this reconnaissance phase, they deploy the Carbanak backdoor's screen recording and video capture capabilities to watch bank employees perform legitimate operations in real time — learning the internal banking software, the specific procedures used for wire transfers and ATM management, and the individual workflows of administrators. Only after this prolonged observation period do they execute the theft, mimicking legitimate employee behavior so precisely that the fraud was often not detected until cash was already gone.

The group's cashout methods are distinctive and varied. ATMs were remotely instructed to dispense cash at predetermined times with no card or PIN interaction required; money mules positioned nearby collected the dispensed bills. SWIFT inter-bank transfers were initiated to actor-controlled accounts in China and the United States. Bank databases were directly modified to inflate account balances, with the difference then extracted through mule networks. Individual bank thefts ranged up to $10 million per institution. Kaspersky estimated total losses at up to $1 billion as of early 2015; Europol subsequently assessed that the figure exceeded €1 billion by the time of the 2018 arrest of the group's alleged leader in Spain.

An important distinction: MITRE ATT&CK tracks Carbanak (G0008) and FIN7 (G0046) as separate threat groups that both use the Carbanak malware. While the groups are frequently conflated — and likely share personnel, infrastructure, and tooling — MITRE notes that multiple threat groups have been observed using the Carbanak backdoor, making separate tracking necessary. FIN7 is primarily known for POS-focused attacks on hospitality and retail; the Carbanak Group (G0008) focuses on direct bank fund theft via institutional network compromise. The Cobalt Group, which also used Carbanak-derived tooling, is a third related cluster tracked separately.

Target Profile

Carbanak's targeting is narrower and more focused than many cybercrime groups. The group specifically pursues financial institutions where direct access to fund-transfer mechanisms provides the highest per-victim payout.

  • Banks and Credit Institutions: The core target category. Carbanak specifically seeks access to systems used by employees who manage wire transfers, ATM networks, and account databases. The initial victims were concentrated in Russia and Eastern Europe, with subsequent expansion into the US, Germany, China, and over 25 other countries. Each successful bank robbery averaged between $2.5 million and $10 million in losses.
  • Electronic Payment Systems: E-payment operators were targeted alongside traditional banks, with funds transferred to actor-controlled accounts via these systems during the initial campaign phase.
  • ATM Networks: Rather than targeting individual ATMs with physical malware (as in traditional jackpotting), Carbanak targets the bank's internal ATM management systems, then issues remote dispensing commands at scale — a fundamentally different and more capable attack model.
  • SWIFT-Connected Institutions: Banks with access to SWIFT inter-bank messaging infrastructure were targeted for high-value international wire fraud, with transfers routed to accounts in China and the US before further layering.
  • Geographic Scope: Confirmed targets include financial institutions in Russia, the United States, Germany, China, Ukraine, Canada, Hong Kong, Taiwan, Romania, France, Spain, Norway, India, the United Kingdom, Poland, Pakistan, Nepal, Morocco, Iceland, Ireland, Czech Republic, Switzerland, Brazil, Bulgaria, and Australia, among others.

Tactics, Techniques & Procedures

Carbanak's TTP set is built around long-dwell reconnaissance, insider mimicry, and diverse cashout mechanisms. The group's methods closely resemble those of a sophisticated APT — the campaign was described by Kaspersky as "APT-style" — despite being financially rather than politically motivated.

  • T1566.001 Spear-Phishing Attachment: Primary initial access vector. Carbanak sends spear-phishing emails to bank employees with malicious Office attachments (Word documents, CPL files) exploiting CVE-2012-0158, CVE-2013-3906, and CVE-2014-1761. Successful exploitation delivers the Carbanak backdoor shellcode. Drive-by download via the Null Exploit Kit was also observed as a secondary infection vector.
  • T1059.003 Windows Command Shell: Carbanak executes commands via Windows command-line interfaces to create reverse shells, move laterally, and interact with banking applications and administrative systems. The malware can spawn interactive shell sessions and execute operator-supplied commands remotely.
  • T1055 Process Injection: Carbanak injects its code into svchost.exe to persist as a service-like process, blending with legitimate Windows service activity. This injection technique reduces the visibility of malicious activity to host-based inspection tools.
  • T1113 Screen Capture: A central reconnaissance capability. Carbanak captures screenshots and video of the infected system's screen at regular intervals, transmitting recorded footage to C2 infrastructure. Operators use this footage to observe bank employees performing legitimate operations — learning internal banking software workflows, ATM management procedures, and wire transfer processes before mimicking them.
  • T1056.001 Keylogging: Carbanak logs keystrokes from compromised banking workstations to capture credentials for banking applications, internal portals, and administrator accounts. Keylog data is transmitted to C2 alongside screen capture footage.
  • T1078 Valid Accounts: Carbanak uses legitimate banking employee credentials captured via keylogging and screen recording to authenticate to banking applications and perform fraudulent operations. This use of valid credentials makes detection particularly difficult, as the malicious activity is indistinguishable from authorized user behavior at the application layer.
  • T1565.001 Stored Data Manipulation: Bank account databases are directly modified to artificially inflate account balances on mule accounts. The group then extracts the inflated balance through the banking system's legitimate withdrawal mechanisms, leaving the original account holder's balance appearing unchanged in customer-facing views.
  • T1071.001 Web Protocols (C2): Carbanak communicates with its C2 infrastructure via HTTP with RC2+Base64 encryption, inserting random file extensions (.gif, .htm, etc.) into requests to blend with normal web traffic. Google services were also documented as C2 channels in some campaigns. The malware fetches configuration files (kldconfig.plug) and receives operator commands via the C2 channel.
  • T1543.003 Windows Service Creation: Carbanak installs itself as a Windows service configured for automatic startup, providing persistence across reboots. The malware sets the Termservice (Remote Desktop) service execution mode to Auto when RDP access is desired, enabling persistent remote access to compromised systems.
  • T1657 Financial Theft: The ultimate objective. Carbanak operators execute bank theft via three primary mechanisms: remote ATM dispensing commands issued through bank management systems (cash collected by pre-positioned money mules); SWIFT wire transfers to actor-controlled accounts in China and the US; and direct database manipulation to inflate mule account balances before extraction.

insider mimicry model

Carbanak's threat model is fundamentally different from typical banking malware. Rather than attacking customers or intercepting transactions, the group attacks the bank itself — spending months learning internal operations before impersonating employees at the application layer. Detection requires monitoring for anomalous behavior by authenticated users, not just malware signatures on endpoints.

Known Campaigns

Confirmed or highly attributed operations linked to the Carbanak Group across its documented operational history.

The Great Bank Robbery — Anunak / Carbanak Campaign 2013–2015

The foundational Carbanak campaign, first described as "Anunak" by Group-IB and Fox-IT in December 2014 and later detailed as "Carbanak" by Kaspersky Lab in February 2015. Beginning with first infections in December 2013 and peaking in June 2014, the campaign compromised over 100 financial institutions across 30 countries. Individual bank thefts averaged $2.5 million to $10 million each. Primary victims were in Russia, followed by the US, Germany, China, and Ukraine. Cash extraction methods included remote ATM dispensing, SWIFT wire fraud, and database balance manipulation. Each robbery required two to four months of internal reconnaissance before any money was taken. Kaspersky estimated total losses at up to $1 billion.

Cobalt Group Phase — Cobalt Strike Adaptation 2016–2018

The Cobalt Group — assessed by Europol as linked to or overlapping with Carbanak — adapted the Cobalt Strike penetration testing framework into bank-heist tooling, continuing the financial institution targeting pattern. This campaign phase was confirmed active through at least 2018. On March 26, 2018, Europol announced the arrest of the alleged "mastermind" of the Carbanak and Cobalt Group in Alicante, Spain, in an operation led by the Spanish National Police. Europol assessed total losses from the combined Carbanak and Cobalt campaigns exceeded €1 billion. Despite the arrest, campaign activity continued, with the Hudson's Bay Company POS breach in 2018 attributed to the group.

SEC-Themed Spear-Phishing — US Financial Sector 2017

FireEye documented a spear-phishing campaign using SEC-themed lures to target US financial sector employees, delivering the Carbanak backdoor. This campaign expanded the group's US footprint and demonstrated continued adaptation of social engineering lures to current regulatory and business contexts. FireEye tracked this activity under the FIN7 designation, illustrating the ongoing tracking overlap between Carbanak and FIN7.

Google Services C2 Campaign 2017

Documented by Forcepoint, Carbanak operators adapted their C2 infrastructure to use Google Forms, Google Sheets, and other Google services as command-and-control channels — routing communications through trusted Google infrastructure to evade network-based detection that would block or flag connections to unknown or suspicious C2 servers. This technique demonstrated the group's ongoing investment in detection evasion at the network layer.

Continued FIN7-Overlap POS and Ransomware Operations 2018–Present

Despite the 2018 arrest and subsequent law enforcement actions against individual operators (including multiple Ukrainian national indictments in the US), the broader criminal organization continued operations. The Carbanak malware remained in active use by related groups, with BlackBerry documenting Carbanak delivery against a US automotive manufacturer in April 2024 via FIN7-linked infrastructure. Related ransomware operations including DarkSide, BlackMatter, and Black Basta have been linked by researchers to the broader FIN7/Carbanak criminal ecosystem, suggesting the group diversified into ransomware extortion as an additional revenue stream.

Tools & Malware

The Carbanak Group's toolset is centered on the Carbanak backdoor, supplemented by commodity tools, legitimate software abuse, and adapted penetration testing frameworks.

  • Carbanak (Anunak) Backdoor: The group's core implant and namesake. A Carberp-derived Windows backdoor that provides keylogging, screen capture, video recording, file operations, reverse shell, remote desktop (RDP configuration), credential theft, and C2 communication via encrypted HTTP. The malware injects into svchost.exe, installs as a Windows service, monitors for specific banking applications (BLIZKO, IFOBS) and sends alerts when they are detected, and can substitute payment details in financial software on command. C2 communication uses RC2+Base64 encryption with randomized file extension strings. Later variants dropped the use of digital signatures that had appeared in earlier samples.
  • Cobalt Strike (adapted): The Cobalt Group phase of operations adapted the commercial Cobalt Strike penetration testing framework — specifically its beacon payload and post-exploitation features — for use in bank heist operations. This represented a shift from wholly custom tooling to a weaponized commercial product.
  • Null Exploit Kit: A web-based exploit kit used as a secondary infection vector during the initial campaign phase, delivering Carbanak via drive-by download from compromised websites, in addition to the primary spear-phishing delivery method.
  • Money Mule Infrastructure: A human logistics network — documented as including Moldavian organized crime connections — used to collect cash from ATMs during jackpotting operations, accept wire transfer proceeds at drop accounts, and launder extracted funds before moving them to the criminal organization's control. The use of money mules insulates the technical operators from direct exposure during cashout.
  • Google Services (C2 abuse): Google Forms, Google Sheets, and related services were adapted as C2 communication channels in 2017 to blend malicious traffic with legitimate enterprise web communications.

Indicators of Compromise

The Carbanak backdoor has been in use for over a decade and has undergone multiple revisions. Static indicators from the 2014–2015 campaign wave are largely burned. Focus on behavioral detection patterns and network-level anomalies consistent with long-dwell espionage-style intrusions inside financial environments.

warning

Carbanak IOCs from the 2014–2015 campaign are over a decade old. The malware has been updated multiple times and is used by at least two distinct threat clusters. Static file hashes and historic C2 domains should not be used as the primary detection strategy. Prioritize behavioral indicators and anomaly detection within banking application environments.

behavioral indicators — carbanak intrusion pattern

  • Behavior: Carbanak code injected into svchost.exe; no separate process created
  • Behavior: Termservice configured to Auto startup; unexpected RDP enablement on banking workstations
  • Behavior: Outbound HTTP with RC2-encrypted payloads bearing random file extensions (.gif, .htm, etc.) to unfamiliar hosts
  • Behavior: Screen capture or video recording processes active on ATM management or wire transfer workstations
  • Behavior: C2 traffic routed via Google Forms or Google Sheets (2017 variant)
  • Behavior: IFOBS or BLIZKO banking application process monitored; C2 notification sent on detection
  • Exploited CVEs: CVE-2012-0158, CVE-2013-3906, CVE-2014-1761 — Microsoft Office initial access exploits
  • Config file: kldconfig.plug — Carbanak plugin configuration downloaded from C2 on first contact
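A hunting pass over constructed telemetry for three of the behavioral indicators above (beaconing to an unfamiliar host with an opaque image/HTML path, a kldconfig.plug fetch, and Termservice flipped to Auto). This is an added example, not code from the profile; the proxy and event line formats, the host allowlist and the simplified 7040 wording are assumptions.

```python
"""Score hosts by how many distinct Carbanak-style indicator families they show."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Business-approved external hosts (assumption: a real deployment would pull
# these from the institution's proxy allowlist).
KNOWN_HOSTS = {"www.example.com", "updates.example-bank.test"}

# Short opaque path ending in an image/HTML extension: the "random file
# extension" request pattern described in the profile.
BEACON_PATH = re.compile(r"^/[A-Za-z0-9_-]{3,24}\.(gif|htm|html|jpg|png)$", re.I)
CONFIG_PLUG = "kldconfig.plug"
TERMSERVICE_AUTO = re.compile(r"Service=Termservice\b.*\bto Auto\b", re.I)
PROXY_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})")

# Constructed sample telemetry: (host, log source, message). Not real data.
SAMPLE_LOGS = [
    ("wks-wire-07", "proxy", "GET http://203.0.113.44/8f2a1c.gif 200 bytes=4120"),
    ("wks-wire-07", "proxy", "GET http://203.0.113.44/kldconfig.plug 200 bytes=2231"),
    ("wks-wire-07", "winevent", "EventID=7040 Service=Termservice start_type changed from Disabled to Auto"),
    ("wks-hr-02", "proxy", "GET http://www.example.com/index.htm 200 bytes=55021"),
    ("wks-hr-02", "winevent", "EventID=7040 Service=Spooler start_type changed from Auto to Disabled"),
    ("wks-hr-02", "proxy", "GET http://cdn.example.net/assets/app.js 200 bytes=90112"),
    ("atm-mgmt-01", "proxy", "GET http://198.51.100.9/q1w2e3.htm 200 bytes=870"),
]

def classify(source, message, known_hosts=KNOWN_HOSTS):
    """Return the indicator family a single log line matches, or None."""
    if source == "proxy":
        m = PROXY_LINE.match(message)
        if not m:
            return None
        url = urlparse(m.group("url"))
        if url.path.endswith(CONFIG_PLUG):
            return "kldconfig_plug_fetch"
        if url.hostname not in known_hosts and BEACON_PATH.match(url.path):
            return "beacon_to_unfamiliar_host"
    elif source == "winevent" and TERMSERVICE_AUTO.search(message):
        return "termservice_set_to_auto"
    return None

def hunt(records, known_hosts=KNOWN_HOSTS):
    """Map each host to the sorted list of distinct indicator families seen on it."""
    findings = defaultdict(set)
    for host, source, message in records:
        indicator = classify(source, message, known_hosts)
        if indicator:
            findings[host].add(indicator)
    return {h: sorted(i) for h, i in findings.items()}

def prioritize(findings, min_indicators=2):
    """Hosts with two or more independent families go to manual review;
    a single match on its own is usually noise."""
    return sorted(h for h, inds in findings.items() if len(inds) >= min_indicators)

if __name__ == "__main__":
    found = hunt(SAMPLE_LOGS)
    for host, inds in found.items():
        print(host, inds)
    print("investigate:", prioritize(found))
```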

Mitigation & Defense

Carbanak's insider-mimicry model means that standard perimeter and endpoint controls, while necessary, are insufficient on their own. Financial institutions require defenses specifically designed to detect anomalous behavior by authenticated users inside banking application environments.

  • Deploy User and Entity Behavior Analytics (UEBA) on banking systems: Since Carbanak operators use valid credentials to perform fraudulent operations, anomaly detection at the user behavior layer is the primary control. UEBA should baseline normal patterns for wire transfer administrators, ATM management users, and database operators, then alert on statistical deviations — unusual access times, atypical transaction volumes, new destination accounts, and access from unfamiliar endpoints.
  • Patch Microsoft Office CVEs immediately: CVE-2012-0158, CVE-2013-3906, and CVE-2014-1761 were the documented initial access exploits for the original campaign. These should have been patched years ago; any institution still running unpatched Office installations is exposed to trivial initial access. Enable Protected View for all externally sourced Office documents.
  • Implement out-of-band confirmation for high-value wire transfers: SWIFT-connected institutions should require secondary, out-of-band authorization for any wire transfer above a defined threshold — phone confirmation to a pre-registered number, supervisor co-authorization, or hardware token approval. This directly counters the Carbanak SWIFT fraud method.
  • Separate ATM management network access from employee workstations: ATM remote management commands should only be issuable from dedicated, hardened management stations on isolated network segments — not from general employee workstations that could be compromised via phishing. Network ACLs should prevent ATM management traffic from originating on workstation VLANs.
  • Monitor and alert on account balance modifications outside of transaction flows: Direct database manipulation of account balances is a documented Carbanak cashout method. Any change to a stored account balance that is not the result of a logged, authorized transaction should trigger an alert. This requires integrity monitoring at the database level, not just the application layer.
  • Screen capture and video recording process detection: Carbanak's reconnaissance phase involves active screen and video recording on banking workstations. Deploy endpoint controls that alert on screenshot and screen recording processes on systems classified as handling sensitive banking operations.
  • Hunt for long-dwell intrusions — not just active alerts: Carbanak's two-to-four-month dwell time before any theft means that a compromised institution may have no active security alerts during the reconnaissance phase. Proactive threat hunting — searching for indicators of the Carbanak backdoor's injection pattern, unusual outbound HTTP with non-standard content patterns, and unexpected RDP service configuration changes — is necessary to detect the group during the observation phase before funds are stolen.
  • Security awareness training focused on financial spear-phishing: Carbanak's initial access relies entirely on bank employees opening malicious email attachments. Training should specifically address spear-phishing scenarios relevant to financial sector employees — regulatory-themed lures (SEC notices, compliance documents), vendor impersonation, and urgent payment instruction emails.
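The UEBA control described in the first bullet, carried through as an added example (not from the profile): a per-operator baseline built from wire-transfer history, then each new transfer scored on the four deviations the bullet names. Event fields, thresholds and the history are constructed assumptions.

```python
"""Baseline-and-deviation scoring for wire-transfer operators."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed 'normal' history: (operator, timestamp, amount, destination, host).
HISTORY = [
    ("a.ivanova", "2026-03-02T09:15:00", 12000, "ACCT-EU-1001", "wks-wire-07"),
    ("a.ivanova", "2026-03-03T10:40:00", 8500, "ACCT-EU-1002", "wks-wire-07"),
    ("a.ivanova", "2026-03-05T11:05:00", 15000, "ACCT-EU-1001", "wks-wire-07"),
    ("a.ivanova", "2026-03-09T14:30:00", 9800, "ACCT-US-2001", "wks-wire-07"),
    ("a.ivanova", "2026-03-12T15:50:00", 11200, "ACCT-EU-1002", "wks-wire-08"),
    ("a.ivanova", "2026-03-16T16:20:00", 13000, "ACCT-US-2001", "wks-wire-07"),
]

# Constructed events to score: one that deviates on every axis, one normal,
# one that only uses a new destination.
NEW_EVENTS = [
    ("a.ivanova", "2026-03-27T02:10:00", 250000, "ACCT-XX-9999", "wks-hr-02"),
    ("a.ivanova", "2026-03-27T10:05:00", 9000, "ACCT-EU-1001", "wks-wire-07"),
    ("a.ivanova", "2026-03-27T11:00:00", 14000, "ACCT-EU-1003", "wks-wire-07"),
]

def build_baseline(history):
    """Per-operator profile: known destinations, endpoints, working-hour window, amount stats."""
    per_op = defaultdict(list)
    for row in history:
        per_op[row[0]].append(row)
    baseline = {}
    for op, rows in per_op.items():
        hours = [datetime.fromisoformat(r[1]).hour for r in rows]
        amounts = [r[2] for r in rows]
        baseline[op] = {
            "dests": {r[3] for r in rows},
            "hosts": {r[4] for r in rows},
            "hour_window": (min(hours), max(hours)),
            "amount_mean": mean(amounts),
            "amount_sd": pstdev(amounts),
            "samples": len(rows),
        }
    return baseline

def score_event(event, baseline, sigma=3.0):
    """Return the list of deviation reasons for one wire-transfer event."""
    op, ts, amount, dest, host = event
    prof = baseline.get(op)
    if prof is None:
        return ["no_baseline_for_operator"]
    reasons = []
    if dest not in prof["dests"]:
        reasons.append("new_destination_account")
    if host not in prof["hosts"]:
        reasons.append("unfamiliar_endpoint")
    lo, hi = prof["hour_window"]
    if not lo <= datetime.fromisoformat(ts).hour <= hi:
        reasons.append("off_hours")
    # Only trust the statistical bound once there are enough samples behind it.
    if prof["samples"] >= 5 and amount > prof["amount_mean"] + sigma * prof["amount_sd"]:
        reasons.append("amount_outlier")
    return reasons

def alerts(events, baseline, min_reasons=2):
    # Two or more independent deviations raise an alert; one alone stays informational.
    scored = [(ev[0], ev[1], score_event(ev, baseline)) for ev in events]
    return [s for s in scored if len(s[2]) >= min_reasons]
```

A new destination on its own is common in real wire traffic, which is why the alert threshold requires corroboration from a second axis.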

analyst note — tracking complexity

The Carbanak Group (MITRE G0008), FIN7 (MITRE G0046), and the Cobalt Group are tracked separately by MITRE despite sharing the Carbanak malware and likely sharing personnel. The practical implication for defenders is that the Carbanak backdoor's presence does not conclusively identify which specific cluster is operating in a network. Behavioral TTPs, victimology, and cashout method provide the most reliable differentiation: G0008 targets banks for direct fund theft; G0046 targets hospitality and retail for payment card data and ransomware; Cobalt Group focuses on bank ATM networks specifically. Attributing any specific incident requires multiple corroborating data points beyond malware identification alone.
