15 July 2021

Spanish police arrest 16 people for laundering funds stolen through Mekotio and Grandoreiro banking trojans


Spanish police arrest 16 people for laundering funds stolen through Mekotio and Grandoreiro banking trojans

The Spanish Civil Police (Guardia Civil) arrested 16 suspected members of a cybercriminal group that used banking trojans, such as Mekotio and Grandoreiro, to steal funds from victims in Spain.

The arrests were made last week in Ribeira (A Coruña), Madrid, Parla and Móstoles (Madrid), Seseña (Toledo), Villafranca de los barros (Badajoz), and Aranda de Duero (Burgos) as a result of a year-long investigation codenamed "Aguas Vivas". The police confiscated computer equipment, mobile phones, and documents for investigation.

The cybercriminal group used email spoofing to install malware on victims’ computers, which allowed them to divert large amounts of money to their accounts. The spoofed emails purported to be from organizations such as the Treasury, the Post Office or the DGT, among others, in which the recipients were required to pay tax debts, pay traffic fines or pick up packages. The messages contained a link, clicking on which led to installation of the Mekotio and Grandoreiro banking trojans on victims’ computers.

“Once installed on the computer, without the user noticing, it remained latent waiting to be activated the moment the user accessed any bank website, executing a banking transaction. At that time, the malicious software carried out an interception and modification of the data issued, making the beneficiary accounts of the money a total of 30 bank accounts belonging to the network. After that, the money was diversified by sending it to other accounts, or by withdrawing cash at ATMs, transfers by BIZUM, REVOLUT cards, etc., in order to hinder the possible police investigation,” the police said.

The authorities said they found evidence that the suspects stolen more than €276,470 from compromised bank accounts. The suspects also had access to bank accounts storing around €3.5 million, which they had not yet moved and stolen from their respective owners.

According to the police, €87,000 from €276,470 has been successfully recovered.

Grandoreiro and Mekotio (also known as Melcoz) are both part of a “Terade” of Brasilian banking trojans, operating in Latin America and Western Europe. According to Kaspersky, since January 2020 Grandoreiro has attacked mostly Brazil, Mexico, Spain, Portugal, and Turkey, while Melcoz has been actively targeting Brazil, Chile, and Spain, among other countries.

Back to the list

Latest Posts

Malicious actors target Kubernetes clusters via Argo Workflows

Malicious actors target Kubernetes clusters via Argo Workflows

In the observed attacks the threat actors deployed a popular cryptocurrency mining container, kannix/monero-miner.
26 July 2021
Kaseya obtains a decryptor for victims of the REvil ransomware attack

Kaseya obtains a decryptor for victims of the REvil ransomware attack

It's not clear, if the company paid any ransom.
23 July 2021
Chinese cyber-spies use hacked routers in attacks against French organizations

Chinese cyber-spies use hacked routers in attacks against French organizations

The hackers are hijacking home routers to build a proxy botnet in order to hide the origins of their attacks.
22 July 2021