ATM Withdrawal
Law enforcement arrested the leader of a cyber gang that stole more than $1 billion from banks. Nina Ruecker/Getty Images

European Union Agency for Law Enforcement Cooperation, known as Europol, announced Monday that it arrested the leader of a hacker gang that stole more than $1.2 billion from banks around the world.

The gang leader wasn’t identified by name, but was taken into custody by Spanish National Police in Alicante, following a five-year crime spree in which hackers used malware to steal from ATMs.

According to Europol, the scheme started in 2013, when the hacking group started producing the Carabank and Cobalt malware — two attacks that became notorious for targeting financial institutions.

The attackers would send spear phishing emails — targeted emails sent to employees of a bank and laced with malicious code — that would infect the victim’s machine and provide the hackers access to the bank’s computer network.

Once the hackers gained access, they would begin to spread malware throughout the bank’s internal network. The malware would infect the bank’s servers and provide the attackers with the ability to control ATMs operated by the bank.

With unfettered access to the bank’s servers, the hackers could run rampant. They could transfer funds to other bank accounts that they operate, adjust the balance of bank accounts and force ATMs to spit out cash that could be collected by members of their gang. The stolen money was often converted into cryptocurrencies in order to launder the money and hide it from the authorities.

Taking down the leader of the gang behind the attacks, which hit more than 100 financial institutions worldwide, took a concerted effort from law enforcement agencies. Europol, the FBI and authorities in Spain, Romania, Belarus and Taiwan all contributed to the takedown of the gang’s leader.

"This global operation is a significant success for international police cooperation against a top level cybercriminal organization,” Steven Wilson, Head of Europol’s European Cybercrime Centre (EC3), said in a statement.

“The arrest of the key figure in this crime group illustrates that cybercriminals can no longer hide behind perceived international anonymity. This is another example where the close cooperation between law enforcement agencies on a worldwide scale and trusted private sector partners is having a major impact on top level cybercriminality," Wilson said.

While details about the hacking group are still sparse, previous reports may give insight into where the attackers are operating from. A 2015 report from cybersecurity firms Group-IB and Fox-IT suggested the Cobalt malware had ties to a group operating in Ukraine and Russia.