Global law enforcement agencies have arrested a gang member behind the theft of £20 million ($30.7 million) via a piece of malicious software that records banking details, and are on the hunt for the remaining members.
The malware – known as Dridex – is believed to be developed by in eastern Europe and it's able to harvest bank details online in order to steal money from people. Global financial institutions and a variety of different payment systems have been targeted, the U.K.'s National Crime Agency (NCA), one of the authorities involved, said on Tuesday.
"Thousands" of Brits have been infected by Dridex, according to the NCA. Hackers send documents containing the malware and when users click on the link, the malicious code is downloaded into their computers. The NCA said mainly users if Microsoft's Windows operating system were affected.
Dridex does not only affect U.K. users and experts estimate it is responsible for $100 million losses worldwide.
The NCA worked with the U.K.'s intelligence service GCHQ, CERT-UK, Europol, the FBI in the U.S., German and Moldovan authorities for the operation.
It resulted in the arrest of Andrey Ghinkul, 30, from Moldova, who has been charged in a nine-count indictment of criminal conspiracy, unauthorized computer access with intent to defraud, damaging a computer, wire fraud and bank fraud by U.S. authorities. He was arrested in Cyprus in August with the news only announced this week. The FBI is now seeking his extradition.
"The indictment alleges that Ghinkul and his co-conspirators used the malware to steal banking credentials and then, using the stolen credentials, to initiate fraudulent electronic funds transfers of millions of dollars from the victims' bank accounts into the accounts of money mules, who further transferred the stolen funds to other members of the conspiracy," the U.S. Department of Justice said in a release.
Dridex activity had fallen off in September but the malware has seen a resurgence, security researchers said.
U.K. and U.S. law enforcement agencies are now working to "sinkhole" or stop infected computers from communicating with the criminals that control them.
"This is a particularly virulent form of malware and we have been working with our international law enforcement partners, as well as key partners from industry, to mitigate the damage it causes. Our investigation is ongoing and we expect further arrests to made," Mike Hulett, head of operations at the NCA's National Cyber Crime Unit (NCCU) said in a press release.
Security experts warned that Dridex allows hackers to not only steal financial information, but also personal information, which can then be sold to criminals online.
"Dridex is an information stealing Trojan, meaning that not only is the victim in risk of losing money due to a compromised bank accounts, but victims, especially employees compromised with Dridex, are also putting their company at risk because Dridex can perform activities such as stealing credentials from applications, perform keystroke logging and also download further malicious payloads, such as backdoors," Jens Monrad, systems engineer at FireEye, said in a note.