The download of a pirated movie with malware caused the theft of €6 million in cryptocurrencies in Spain
The recklessness of an employee, a computer virus hidden in a pirated copy of a superhero movie, and months of patience on the part of the thieves. These were the three key elements that led, in the summer of 2020, to the theft of six million euros in cryptocurrencies, one of the largest thefts of this type of asset known to date in Spain.
- The UCO has arrested five people who in 2020 stole the cryptocurrencies of 2gether, a company that guarded the savings of thousands of clients
- The film came with a poisoned gift: RAT (Remote Access Trojan) malware, popularly known as a Trojan.
Agents of the Central Operative Unit (UCO) of the Civil Guard have managed to solve this assault after discovering that the cybercriminals sneaked into the systems of 2gether, a Spanish crypto-asset custody company, through a movie downloaded by one of the company's workers, and then following the trail of the cryptocurrencies.
The so-called 3Coin operation has so far resulted in five people detained or under investigation (four of Spanish nationality and one from a country of the former Eastern bloc), including the suspected mastermind of the assault, and the recovery of part of the stolen funds, as the Civil Guard detailed in a statement. During the investigation, the agents discovered that one of those arrested controlled the others through the witchcraft rite known as the Bufo toad, which consists of inhaling the vapors of this animal's venom, considered a hallucinogenic substance.
The investigations began on July 31, 2020, when 2gether reported having been the victim of a computer attack in which a significant amount of cryptocurrency had been stolen. Specifically, 114 bitcoins and 276 ether, which at that time had a value of 1.2 million euros. The number of customers affected by the theft exceeded 5,500. The UCO's Department Against Cybercrime was able to determine that the attack had been carried out by means of sophisticated malware (a malicious computer program) of the Trojan type called Nanocore, and that it had been introduced through an illegal download that an employee had made from his workplace in January 2020 of a superhero movie from a pirated multimedia content portal.
"Highly sophisticated", according to the Civil Guard, the computer virus took absolute control of the employee's computer from that moment and remained installed for seven months without being detected. In that time, the cybercriminals learned in detail all the internal processes of the company and prepared the computer attack. It finally took place on the last day of July of that year, to take advantage of the fact that the company was going to reduce its activity to a minimum when the summer vacations of most of its workers began. To do this, 24 hours beforehand they accessed the system and deactivated the computer security measures. Thus, on the day chosen to carry out the robbery, they were able to issue electronic currency transaction orders without being detected, through a network of intermediary computers and telephone lines in third countries. "In 15 or 20 minutes they had extracted the cryptocurrencies," sources close to the investigation point out.
The stolen electronic coins were transferred to virtual wallets under the control of the criminals, where the funds were kept immobilized for more than six months to avoid drawing police attention. "It is the usual practice in this type of cybertheft," add the same sources, who emphasize that once that time had passed, the criminals began to move the cryptocurrencies through a complex network of electronic wallets to launder them. Civil Guard sources point out that two of the detainees already had a history of cybercrime and that all of them had this type of activity as their only occupation. "One of them had a wallet through which 150 million euros in this type of asset had passed," say the sources consulted.
The investigations of the specialized UCO agents first made it possible to identify the alleged operator of the illegal download website from which the computer virus used in the attack was distributed. This person charged just over 200 euros for allowing the network to use his platform to introduce computer viruses into the pirated audiovisual material it offered. In addition, the Civil Guard identified three other people, with no apparent relationship between them, who had allegedly received part of the stolen cryptocurrencies. As a result, in November of last year the agents arrested these four people, including the suspected ringleader of the plot, in Tenerife (1), Bilbao (1) and Barcelona (2). One of those arrested in Barcelona is a young man who was legally considered a minor due to a disability.
The Bufo toad
Cryptocurrencies worth 900,000 euros from the robbery were recovered in searches of the homes of these four suspects, along with abundant computer equipment. On one of the computers, the agents also located the malware used, as well as details of the initial movements of the stolen cryptocurrencies. With the information recovered, the investigators reached a fifth person on Tuesday, who had received at least 500,000 euros in stolen cryptocurrency. This individual, detained in Valencia, allegedly exercised tight control over the other members of the group through witchcraft rituals. His computers, however, turned up virtually empty. The first analysis of his hard drives has revealed that he had formatted them two days after the arrest of his colleagues.
Sources: