Polish authorities have shut down today a hacker super-group that has had its fingers in a multitude of cybercrime operations, such as ransomware attacks, malware distribution, SIM swapping, banking fraud, running fake online stores, and even making bomb threats at the behest of paying customers.
Four suspects where arrested this week, and four more are under investigation.
According to reports in Polish media, the hackers have been under investigation since May 2019, when they sent a first bomb threat to a school in the town of Łęczyca.
Investigators said that an individual named Lukasz K. found the hackers on internet forums and hired them to send a bomb threat to the local school, but make the email look like it came from a rival business partner.
The man whose identity was spoofed in the email was arrested and spent two days in prison before police figured out what happened.
When the framed businessman was released out of jail, he hired a famous private investigator to track down the culprits behind the fake bomb alert.
Investigators said that when the hackers realized what was happening, they then hacked a Polish mobile operator and generated invoices for thousands of zlotys (the Polish currency) in the name of both the detective and the framed businessman.
Bomb threats against 1,066 kindergartens
Other bomb threats were also linked to the hacker group, such as bomb threats against the Western Railway Station in Warsaw, Poland’s capital.
But the most notorious incident the hackers were linked to took place in June 26 and 27, 2019, when they were hired to send bomb threats to 1,066 kindergartens across Poland.
In total, 10,536 people from 275 kindergartens were evacuated following their email threats, according to Polish TV station TVN24.
Investigators said that for each fake bomb threat they sent, the hackers asked for 5,000 zlotys (~$1,300) in payment.
Ransomware, RATs, phishing, SIM swapping
But Polish authorities said this wasn’t the group’s only method of income. While police started looking into the hackers because of the bomb threats, they also discovered a long list of crimes that tied back to the group’s members across the years.
Most of the time, the hackers distributed malware via email phishing attacks. Polish tech news site Otopress reports that the group was linked to 87 different domains used to distribute malware.
Infosec news site Zaufana Trzeciastrona (Trusted Third Party), said the group was involved in the distribution of malware strains for both Windows and Android devices, such as Cerberus, Anubis, Danabot, Netwire, Emotet, and njRAT. All in all, authorities put the number of infected victims in the thousands.
Investigators said that from infected users, the hackers would steal personal details, which they’d use to steal money from banks with weak security.
In case some banks had implemented multiple authentication mechanisms, the group would then use the information they stole from infected victims to order fake IDs from the dark web, and then use the IDs to trick mobile operators into transferring the victim’s account to a new SIM card.
Using this SIM card, the hackers would then reset passwords for the victim’s online accounts or bypass two-factor authentication (2FA) to steal money from victims.
Polish media says the group was able to steal 199,000, 220,000 and 243,000 zlotys ($50,000, $56,000, and $62,000) in three separate incidents using this technique.
The hackers also tried to steal 7.9 million zlotys ($2 million) from one victim, but this hack was stopped when the bank called the victim’s phone number to confirm the transaction. Because the victim’s phone number was SIM-swapped, the bank official reached the hackers and didn’t recognize its regular customer’s voice from previous conversations, and blocked the transaction.
Group also ran fake online stores
Furthermore, Polish officials also said the group also created 50 fake online stores where they sold nonexistent products to defraud more than 10,000 buyers.
According to Zaufana Trzeciastrona, the hacker group’s members arrested today were:
- Kamil S., also known under his hacker handle of “Razzputin,” and a member active on many Russian-speaking hacker forums like Exploit and Cebulka.
- Pawel K., operating under the pseudonym “Manster_Team,” mostly involved in banking crime
- Janusz K., involved in most crimes in one form or another
- Lukasz K., described as an important figure in the underground world.
Four others — Mateusz S., Radosław S., Joanna S. and Beata P. — are also under investigation for ties to the group.
Europol also issued a press release today about the hacker group’s arrests, suggesting that they most likely made victims outside Poland as well.