A typhoon was winding down in Taipei on July 10, 2016, but two men braved the rain to make a surprise withdrawal from First Commercial Bank: stacks of bills that the ATM spat out without either man touching a button. They were two of 15 "mules" stealing the equivalent of $2.6 million that night in an online hacking scheme that, since 2013, has stolen about $1.2 billion from banks in 40 countries—likely the biggest digital heist in history, Bloomberg reports. Investigators say that a group of cybercrooks dubbed the "Carbanak gang" has been using techniques usually employed by spies to hack into banks, move money around, and send cash to ATMs. "Carbanak is the first time we saw such novel methods used to penetrate big financial institutions and their networks," says the co-founder of a London intelligence firm.
The gang initially struck banks in Ukraine and Russia, where employees received emails from seemingly legitimate suppliers that contained Microsoft Word attachments; once opened, they allowed malware (known as Carbanak) to enter the bank's network, steal confidential data, take over PC cameras, and record keystrokes. Soon investigators traced Carbanak's coding to the home of Ukrainian citizen Denis Katana, a small, quiet man who allegedly moved money around bank accounts with the artistry of an elite hacker. Yet Katana hasn't been charged since his March arrest, and investigators say the gang's "phishing" campaigns are still penetrating banks with a new iteration of the malware. "There will be hundreds of people [involved]," a top researcher at Kaspersky Lab tells Wired. "Dozens of people that are working 24/7, that would be the real scale of the Carbanak group."