A Brazilian Trojan and 133 'mules' in Spain to loot thousands of bank accounts

Archive image of a National Police agent. LEÓN NATIONAL POLICE

Crime has no borders, much less when it acts through the Internet.

The Spanish and Brazilian police, in collaboration with Interpol, have this Friday considered practically dismantled the plot that used the Trojan virus of Brazilian origin

Grandoreiro

to loot the bank accounts of more than 3,000 people in Spain and several thousand more in other Spanish- and Portuguese-speaking countries, with special incidence in Brazil, Portugal and Mexico, as reported this Friday by the Ministry of the Interior.

The arrest last Tuesday in São Paulo of the five leaders of the criminal network has been the culmination of Operation Ipanema which, since the end of 2020, has included the arrest, mainly in Madrid, but also in Seville, Barcelona and Valladolid, of another 133 people.

All of them are considered

mules

, a term used in police jargon to refer to people who, for an amount of money or a percentage of between 10% and 20%, lend their identity to open bank accounts where the defrauded money is diverted.

The operation is still looking for another twenty of these

mules

as well as the programmer of the malicious computer program, hidden in a third country.

More information

The police warn of a new bank fraud that combines three types of cyber scam

The operation began in June 2020, when CaixaBank reported to the Cyberattack Group of the National Police that numerous clients of the entity were suffering from banking fraud after having seen how their computer equipment was infected by the Grandoeiro Trojan

.

The contagion occurred by receiving false emails from the bank itself that invited them to click on links that caused the malicious program to be downloaded.

The

malware

- which already spread massively during the confinement caused by the Covid-19 pandemic - remained inactive until the user consulted their electronic banking accounts online, at which time it loaded onto the victim's computer. an image that impersonated that of their bank (known as

mirror pages

) and began to collect passwords and credentials.

Once this information was obtained, the plot made money transfers to deposits opened in the names of the

mules

and, in some cases, requested immediate credits of up to 30,000 euros.

To do this, with the excuse of updating the bank's security

software

, the cyber attackers requested the victims, through the fraudulent website they had installed, for the one-time automatic verification keys that they received via SMS messages in their mobile phones.

Once the money arrived in the accounts opened by the plot, the

mules

moved the money quickly from one deposit to another - often opened in third countries such as Belgium, France, Portugal or Brazil - and even made cash withdrawals to acquire cryptocurrencies in a bid to make it harder to track funds.

Bank customers only realized they had been victims when the money had already left their accounts.

The police investigations revealed that the frauds not only affected CaixaBank, but that Santander clients had also suffered similar scams - a car dealership in Pamplona suffered a fraud of 1.5 million euros - BBVA and Banco Sabadell, among others. others.

Sources close to the investigation add that the plot had actually cloned the screens of the websites of practically all Spanish financial entities.

So far, the Police have confirmed a completed fraud of five million euros in Spain alone, although they have also found indications that they had made attempts for another 100 million.

Worldwide, investigators estimate that the plot consummated scams worth more than 120 million euros, but that it attempted scams worth 1,000 million.

The investigation in Spain began to yield results three months after the complaint.

In September 2020, the first

mules

were arrested and in October of the following year, more than a hundred were arrested.

“The operation has had three legs.

The first, that of the

mules

, was the simplest.

The second, that of the ringleaders of the plot, is the one that we have now concluded with the arrests in Brazil.

The third is that of the person who developed the Trojan virus and who rents it to criminal groups like the one we have now dismantled.

He is already identified, but we are still looking for him,” says Inspector Juan María Cabo, head of the Cyber ​​Attack Group of the National Police.

The police command highlights that Grandoreiro

scams

in Spain came to a sudden halt in May 2021, in the midst of an investigation, after banking entities implemented the EU directive that required double authentication to be required to make

online

transfers .

From that moment until the summer of the following year, fraud attempts by this Trojan practically disappeared.

“We detected cases again in September 2022, although in much smaller numbers and with a particularity: they were no longer the result of mass mailings, but were

phishing

[creation of web pages similar to the bank's real ones] aimed specifically at clients with a high economic level,” highlights Inspector Cabo.

In fact, the operation is still open.

The complexity of the operation is demonstrated by the high number of police officers from several countries who have intervened.

In addition to several units in Spain and agents from the Federal Police of Brazil, Europol, the EU police agency whose experts analyzed 53 samples of the Trojan recovered, and Interpol, the organization that brings together police officers from 196 countries and which is has been in charge of coordinating the operation over the last year and a half.

The investigation is judicially directed in Spain by the National Court and the Computer Crime Prosecutor's Office.

Follow all the information on

Economy

and

Business

on

Facebook

and

X

, or in our

weekly newsletter