Anti-Money Laundering (AML) , Cybercrime , Fraud Management & Cybercrime

6 Suspects Arrested in Maltese Bank Hacking Heist

Malware-Wielding Gang Moved $14 Million to US, UK, Hong Kong and Czech Accounts
6 Suspects Arrested in Maltese Bank Hacking Heist
National Crime Agency officers serve a warrant last week in London. (Photo: NCA)

Police in the United Kingdom have arrested six suspects as part of a months-long money laundering investigation tied to the theft of €13 million ($14.4 million) from a Maltese bank.

See Also: OnDemand | Combatting Rogue URL Tricks: How You Can Quickly Identify and Investigate the Latest Phishing Attacks

On Feb. 13, 2019, malware-wielding hackers hit Bank of Valetta, Malta's oldest financial institution and also one of the largest. The hackers initiated transactions, moving money to bank accounts in the U.S., U.K., Czech Republic and Hong Kong, according to local media reports. About 30 minutes after it detected the fraudulent transactions, the bank suspended operations, began trying to reverse the fraudulent transfers and worked with international law enforcement partners.

As part of the investigations into the bank heist, which has been tied to an organized crime gang, Britain's National Crime Agency says it arrested two men, ages 22 and 17, last week in London.

On Thursday, working with the Police Service of Northern Ireland, NCA agents arrested another man, age 39, in Belfast.

On Thursday night, the NCA detained a 33-year-old man at Heathrow Airport after he returned to the U.K. from China. He's been questioned and released on bail.

On Friday morning, two men - ages 23 and 24 - turned themselves in at a police station in Belfast, where they were arrested and remain in custody.

All of the six suspects have been charged with violating money laundering, fraud and theft statutes.

NCA officers arrest a 39-year-old suspect in Belfast on Thursday

Officers say that of the €13 million stolen on Feb. 13, 2019, about $1.1 million was transferred to a bank account in Belfast.

"In the following hours, a number of card payments and cash withdrawals totaling £340,000 ($447,000) were made from the account before a block could be put on them," the NCA says in a statement. "They included payments to high-end stores such as Harrods and Selfridges in London, around £110,000 ($145,000) spent on Rolex watches at a store in London, and payments for a Jaguar and Audi A5 from a car dealership."

The NCA says it's "still seeking a number of other suspects" as its investigation continues.

“Our 12-month investigation, carried out with the help of the Malta Police Force Economic Crime Unit, has focused on a number of individuals we suspect may have been involved in laundering money on behalf of the organized crime group who carried out the cyberattack," says David Cunningham, the NCA's branch commander for Belfast.

“Working with our law enforcement partners at home and overseas we are determined to do all we can to target and disrupt those involved in organized crime, here in Northern Ireland and across the rest of the U.K.”

It's unclear what strain of malware was allegedly used in the February 2019 heist, how much of the stolen €13 million has been recovered, and whether the transfers were made via fraudulent SWIFT interbank transactions (see: Malaysia's Central Bank Blocks Attempted SWIFT Fraud).

Police in Malta referred all inquires to U.K. police. But the NCA didn't immediately respond to a request for comment.

Bank Suspended Operations After Attack

Bank of Valetta's quick response to the online thefts likely helped forestall even greater losses.

The bank announced on Feb. 13, 2019, the day that the attack occurred, that it had quickly suspended operations after it detected suspicious activity.

Photo: Bank of Valetta

The attacks were detected at the start of business on a Wednesday morning, and all bank functions - "branches, ATMs, mobile banking and even email services" - were suspended just 30 minutes later, Times of Malta reported.

The bank quickly issued an alert and apology to customers. "The bank would like to assure its clients that customer accounts and their funds are in no way impacted or compromised and that the bank is working relentlessly to resolve the issue and have its operations running at the earliest possible time," it said in a Feb. 13 statement.

The government of Malta is one of the bank's clients, and officials at the time told the Maltese that their social security payments, due to be processed the next day, would be safe.

"It is no joke having a bank that controls half the economy shut down for a whole business day, but at this stage caution trumped every other consideration," said Joseph Muscat at the time, when he was serving as the country's prime minister.

On Feb. 14, 2019, the Bank of Valetta announced that almost all services had been restored, after "rigorous overnight testing of the bank’s IT systems" had been successful.

"The bank once again wants to reassure its clients that customer deposits and customer accounts were in no way affected by this cyberattack," it said. "This unfortunate incident proved that the contingency plans in place and the preventive measures taken by Bank of Valletta were appropriate and that these measures safeguarded the bank, its customers and stakeholders."


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing careersinfosecurity.eu, you agree to our use of cookies.