The Guardia Civil, within the framework of the “Sangil” operation, has arrested and placed under investigation 20 people (8 of whom have already entered provisional detention) belonging to a criminal organisation of cybercriminals specialised in committing fraud at the national level.
The organisation is believed responsible for defrauding more than 5 million euro. In the operation, a total of 6 house searches were carried out in the towns of Madrid, Alcorcón (Madrid) and Boadilla del Monte (Madrid).
A total of 5 bank accounts held at entities located both in Spain and in Ibero-American countries have been blocked by court order; in addition, another 100 bank accounts have been blocked by the police as a preventive measure.
The operation began in 2020 after a complaint was filed at the Jaraíz de la Vera Guardia Civil Post (Cáceres) by a company representative, reporting four unauthorised transfers with a total value of 14,000 euro. The complaint also revealed an attempted transfer of another 9,000 euro from other accounts of his company.
The complainant informed the agents that, when he was preparing to make an online transfer, the computer froze and a notice appeared, apparently from his bank, informing him that the system was being restructured. When this notice disappeared, he was asked again for the access codes to the bank’s online services, which he entered several times because the system seemed to be failing. He later verified, through a call to the bank, that several fraudulent transfers had been made to accounts unknown to him.
Continuing the investigation, the agents detected an infection of the complainant’s computer equipment, which had allowed the cybercriminals to intercept the web pages of the banking entities he visited and so obtain his online banking access credentials, with which they subsequently carried out fraudulent transfers.
This is a highly advanced technique, known in cybercrime circles as a “Man in the browser” attack, which led investigators to attribute the events to a criminal group specialising in cybercrime.
From the investigations carried out, it was possible to obtain information on more than 30 beneficiary bank accounts for the illegally transferred amounts, with an initial defrauded amount of close to 400,000 euro. For this reason, the investigators requested sensitive information from the different banking entities involved that could provide relevant data for the investigation.
The second part of the investigation consisted of the technical analysis of the infected electronic devices and of the digital traces left in the commission of the scams, which involved an exhaustive analysis of more than 1,000,000 IP addresses that had been used to commit the criminal acts.
As a result, the investigators were able to establish that the same IP address controlled the online operations of various bank accounts of the organisation. Likewise, third parties not involved in the events, whose Wi-Fi networks had vulnerabilities, had to be ruled out.
It was also possible to determine that the malware used to commit the scams was the same as that used in the course of another investigation carried out last year (operation Aguasvivas), in which fraudulent transfers worth more than 3 million euro were stopped. Besides the banking Trojan, there were also matches in some of the people involved.
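The investigators’ correlation step (one source IP address operating the online banking of several unrelated accounts, with shared or compromised networks then ruled out) can be reproduced on session logs. The block below is an added example, not code from the Guardia Civil release or from any bank involved; the log format, the customer and account identifiers and the addresses are all constructed for the example. By default it only counts IPs that actually issued transfers, so an address that merely logged in to several accounts (the pattern a shared or hijacked Wi-Fi network would produce) does not appear unless the analyst explicitly pivots on logins.

```python
"""Pivot online-banking session logs on source IP address.

Added example (not part of the Guardia Civil release): it demonstrates the
correlation the investigators describe, namely one IP address operating the
online banking of several different customers. The log format and every
sample line below are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log: timestamp, customer id, account id, source IP, action.
SAMPLE_LOG = """\
2021-05-03T09:12:04Z,C1001,ES00-AAAA,203.0.113.7,login
2021-05-03T09:12:40Z,C1001,ES00-AAAA,203.0.113.7,transfer
2021-05-03T10:01:11Z,C1002,ES00-BBBB,203.0.113.7,login
2021-05-03T10:02:00Z,C1002,ES00-BBBB,203.0.113.7,transfer
2021-05-03T11:45:19Z,C1003,ES00-CCCC,203.0.113.7,login
2021-05-03T11:46:02Z,C1003,ES00-CCCC,203.0.113.7,transfer
2021-05-03T12:00:00Z,C2001,ES00-DDDD,198.51.100.20,login
2021-05-03T12:00:30Z,C2002,ES00-EEEE,198.51.100.20,login
2021-05-03T12:01:00Z,C2003,ES00-FFFF,198.51.100.20,login
2021-05-03T13:10:10Z,C3001,ES00-GGGG,192.0.2.55,login
2021-05-03T13:11:00Z,C3001,ES00-GGGG,192.0.2.55,transfer
"""


@dataclass(frozen=True)
class Session:
    """One online-banking event from the constructed log."""
    ts: str
    customer: str
    account: str
    ip: str
    action: str


def parse_log(text):
    """Parse the comma-separated log into Session records.

    Blank lines and '#' comments are skipped; a line with the wrong number of
    fields raises ValueError rather than being silently dropped, so a
    truncated export cannot hide evidence.
    """
    sessions = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(",")
        if len(parts) != 5:
            raise ValueError(f"line {n}: expected 5 fields, got {len(parts)}")
        sessions.append(Session(*parts))
    return sessions


def pivot_by_ip(sessions, action="transfer"):
    """Map each source IP to the set of distinct customers whose accounts it
    used for the given action."""
    by_ip = defaultdict(set)
    for s in sessions:
        if s.action == action:
            by_ip[s.ip].add(s.customer)
    return by_ip


def suspicious_ips(sessions, min_customers=2, action="transfer"):
    """Return [(ip, sorted customer ids)] for addresses that performed
    `action` from the accounts of at least `min_customers` different
    customers, ordered by how many customers they touched."""
    by_ip = pivot_by_ip(sessions, action)
    hits = [(ip, sorted(c)) for ip, c in by_ip.items() if len(c) >= min_customers]
    hits.sort(key=lambda h: (-len(h[1]), h[0]))
    return hits


if __name__ == "__main__":
    sessions = parse_log(SAMPLE_LOG)
    for ip, customers in suspicious_ips(sessions):
        print(f"{ip} issued transfers for {len(customers)} customers: {customers}")
```

Running it against the constructed log flags only 203.0.113.7, which issued transfers for three different customers; 198.51.100.20 logged in to three accounts but never transferred, which is the kind of address the investigators had to check against innocent third parties with vulnerable Wi-Fi before treating it as the organisation’s. Passing `action="login"` surfaces it for that manual review.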
The organisation was structured in five levels. At the lowest levels were the “recruiters”, in charge of obtaining banking products registered to a person, such as account or bank card numbers.
Alongside them were the “rescuers”, dedicated to withdrawing money from ATMs after the fraudulent transfers had been received, and the “programmers”, specialised in building the malware with which, through the mass sending of spam e-mail, they managed to infect numerous victims’ computers.
They also had the “Changer Crypto”, in charge of exchanging currency for virtual currencies, and the “Cash Legal”, who moved the defrauded amounts. Finally, at the top level was the “top” of the organisation, in charge of coordinating the members of the other levels, in which 5 people were identified.
Each member of these levels obtained a percentage of the proceeds of the criminal activity, which would have meant, for each member of the leadership alone, an economic benefit of close to 500,000 euro; added to the earnings of the rest of the members, this brings the total amount defrauded by the organisation to 5 million euro.
Given the complexity of the operation, and the security measures adopted by the members of the organisation to make tracing difficult, it was executed in five phases carried out between the months of May and November of this year.
In the first phases, 3 house searches were carried out in the towns of Alcorcón (Madrid) and Madrid, and 16 people were arrested and placed under investigation in the towns of Madrid, Santiago de Compostela, Bilbao, Alicante, Zaragoza and Cornellá de Llobregat.
These arrests made it possible to locate the senior members of the organisation, leading to another 3 house searches in homes in Madrid and Boadilla del Monte (Madrid); in the latter the operational base of the organisation was located and 3 people were arrested there.
Finally, after learning that one of the perpetrators, with an important role within the organisation, had fled to the United Kingdom and was planning to return to Spain in the near future, he was arrested at the Adolfo Suárez Madrid Airport. The detainee was also subject to a valid search and arrest warrant issued by the Court of First Instance and Instruction No. 1 of Coria (Cáceres), which ordered his immediate entry into provisional detention.
To date, 100 victims of fraudulent transfers made by the organisation, both companies and individuals, have been identified.
The operation has been carried out by agents of the Guardia Civil belonging to the Technological Crimes Team (EDITE) of the Organic Unit of the Judicial Police (UOPJ) of Cáceres, together with the Team @ of this Command, directed by the Court of First Instance and Instruction No. 3 of Plasencia (Cáceres) and coordinated by the Delegate Prosecutor for Computer Crime of the Province of Cáceres.