Polish law enforcement has reported the dismantling of a hacker group engaged in a wide range of illegal activity: extortion attacks, malware distribution, banking fraud, SIM swapping, fake online stores, and even sending bogus bomb threats against buildings on behalf of paying customers.
So far, four suspects have been arrested:
- Kamil S., also known by the pseudonym Razzputin, a member of many Russian-language hacker forums, including Exploit and Cebulka;
- Pavel K., known by the pseudonym Manster_Team, mainly involved in banking crimes;
- Janusz K., involved in most of the group's crimes;
- Łukasz K., who appears to be a prominent figure in the underworld.
Four more suspects are under investigation; in court documents they appear as Mateusz S., Radoslaw S., Ioana S. and Beata P.
According to Polish media reports, law enforcement first took an interest in the group in the summer of 2019, when the attackers sent a bomb threat to a school in Łęczyca. Investigators say a man named Łukasz K. found and hired hackers online who, for a fee, agreed to send the school a bomb-threat email crafted to look as though it had been written by a business competitor of his.
As a result, the man whose identity had been forged in the hackers' letter was arrested and spent two days in custody before the police worked out what had happened. Once released, the businessman hired a private detective to track down the real authors of the fake bomb threat.
According to investigators, when the hackers realized they were being traced, they broke into a Polish mobile operator's systems and, in revenge, issued invoices for several thousand zlotys in the names of both the detective and the businessman himself.
The hackers did not limit themselves to a single bomb threat against the school: other hoax bomb reports, including one against the Western Railway Station in Warsaw (Warszawa Zachodnia), are also attributed to the group. The most high-profile incident took place on June 26 and 27, 2019, when the hackers were hired to send bomb threats to 1,066 kindergartens across Poland. According to the Polish TV channel TVN24, the resulting evacuations affected 10,536 people in 275 kindergartens across the country.
Law enforcement says the hackers charged 5,000 zlotys (about 99,000 rubles) for each fake threat of this kind.
As noted above, sending such messages was far from the group's only source of income. Although the bomb hoaxes were what first drew the attention of law enforcement, the investigation soon revealed a long trail of other crimes.
The group's most frequent activity turned out to be distributing malware via phishing emails. The Polish news site Otopress reports that the hackers were linked to at least 87 domains used to spread malware for Windows and Android, including well-known families such as Cerberus, Anubis, DanaBot, NetWire, Emotet and njRAT. According to the authorities, the group's victims number in the thousands.
The hackers harvested personal data from users infected with this malware and used it to steal money from accounts at banks with weak security. Where a bank enforced multi-factor authentication, they were not deterred: they used the stolen personal data to order forged identity documents on the darknet, then used those documents to deceive mobile operator staff into reissuing the victims' SIM cards (an attack commonly known as SIM swapping).
In a typical SIM swap, the fraudster poses as the legitimate owner of the number, claims the SIM card has been lost or damaged, and asks for the number to be transferred to a new one. Once the number is under their control, they take over the accounts tied to it, effectively hijacking the victim's entire identity. Such attacks have long been used to steal large sums of cryptocurrency, to drain bank accounts (intercepting SMS 2FA codes becomes trivial once the number is hijacked), and even to steal valuable Instagram accounts. It is also worth recalling that this is how the account of Twitter's CEO was hijacked last year, and how the BlockFi cryptocurrency platform was nearly compromised.
Polish media report that, through SIM swapping, the group stole 199,000, 220,000 and 243,000 zlotys (about 4,000,000, 4,300,000 and 4,800,000 rubles) in three separate incidents. In another case the attackers attempted to steal PLN 7,900,000 (RUB 155,670,000) from a single victim, but bank staff became suspicious and called the customer's phone number to confirm the transaction. Because the SIM card had already been swapped, the call reached the hackers, and the bank employee did not recognize the voice of a regular customer he knew well from previous conversations; the transaction was blocked.
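The bank employee's callback above worked only because he happened to know the customer's voice. As an added illustration (not part of the original report, and not any bank's or operator's actual system), the following Python sketch shows the automated form of that check: a transfer protected by an SMS one-time code is not trusted when the operator has recorded a SIM reissue shortly before the request, and large transfers in that window are blocked outright rather than stepped up. The SIM-reissue feed, the thresholds, and all function and field names are assumptions; the events and transfers are constructed sample data.

```python
"""SIM-swap-aware risk check for SMS-OTP-protected transfers.

Added example (assumed design, constructed data): refuse to trust an SMS code
when the customer's number had its SIM reissued within a quarantine window.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class SimReissue:
    msisdn: str        # phone number in E.164 form
    at: datetime       # when the operator activated a replacement SIM


@dataclass(frozen=True)
class Transfer:
    account: str
    msisdn: str        # number the SMS code would be sent to
    amount_pln: int
    requested_at: datetime


def last_sim_reissue(msisdn: str, events: Iterable[SimReissue],
                     before: datetime) -> Optional[datetime]:
    """Most recent SIM reissue for `msisdn` at or before `before` (None if no record).

    Events after `before` are ignored: a reissue that happens after the
    transfer request cannot have been used to intercept its SMS code.
    """
    times = [e.at for e in events if e.msisdn == msisdn and e.at <= before]
    return max(times) if times else None


def assess_transfer(transfer: Transfer, events: Iterable[SimReissue],
                    quarantine: timedelta = timedelta(days=7),
                    large_amount_pln: int = 100_000) -> str:
    """Return 'allow', 'step_up' or 'block'.

    allow   : no SIM reissue inside the quarantine window, SMS OTP is acceptable
    step_up : recent reissue, SMS is untrusted; verify out of band (e.g. a
              callback to a previously verified channel, or in person)
    block   : recent reissue and a large amount, hold the transfer for review
    """
    changed = last_sim_reissue(transfer.msisdn, events, transfer.requested_at)
    recently_swapped = (changed is not None
                        and transfer.requested_at - changed <= quarantine)
    if not recently_swapped:
        return "allow"
    if transfer.amount_pln >= large_amount_pln:
        return "block"
    return "step_up"


# Constructed sample data (not real numbers, accounts or operator records).
NOW = datetime(2021, 3, 1, 12, 0)
SIM_REISSUES = [
    SimReissue("+48600100100", NOW - timedelta(days=2)),    # swapped two days ago
    SimReissue("+48600100200", NOW - timedelta(days=40)),   # old, legitimate replacement
    SimReissue("+48600100300", NOW + timedelta(hours=1)),   # after the request: must not count
    SimReissue("+48600100400", NOW - timedelta(days=1)),    # swapped yesterday
]
TRANSFERS = [
    Transfer("PL01", "+48600100100", 243_000, NOW),   # recent swap + large amount
    Transfer("PL02", "+48600100400", 500, NOW),       # recent swap, small amount
    Transfer("PL03", "+48600100200", 7_900_000, NOW), # swap long outside the window
    Transfer("PL04", "+48600100300", 50_000, NOW),    # only a later reissue on record
]


def run_sample() -> Dict[str, str]:
    """Decisions for the constructed transfers, keyed by account."""
    return {t.account: assess_transfer(t, SIM_REISSUES) for t in TRANSFERS}


if __name__ == "__main__":
    for account, decision in run_sample().items():
        print(f"{account}: {decision}")
```

The point of the rule is that the callback in the story is only a reliable control if it goes to a channel the attacker does not hold; a recent SIM reissue is exactly the signal that the SMS channel and the voice channel to that number are both compromised, so the step-up must use something else (a registered second device, a branch visit, or a number on file that has not changed). The quarantine window and the "large amount" threshold are tuning parameters and would be set per institution.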
On top of all this, the group ran another line of "business": it set up around 50 fake online stores selling non-existent goods, defrauding more than 10,000 buyers.