Joint International Cyberteam Smash Criminal Network

Joint Operation by the National Police of Spain, Federal Police of Brazil, and INTERPOL: Disruption of an organization dedicated to infecting computer systems of online banking customers.

Members of this network launched attacks from Brazil, using the Grandoreiro Trojan, targeting various countries worldwide, with a significant impact on Spain, as well as Brazil, Mexico, and Portugal.

In this operation – where 133 “mules” were arrested in Spain and the five ringleaders in Brazil – a significant blow has been dealt to the criminal organization responsible for distributing one of the major banking viruses.

It is estimated that the criminal organization’s profits since its inception exceed five million euros in Spain alone, potentially reaching up to 120 million euros globally.

Thirteen home searches were conducted in various Brazilian locations, along with the issuance of 13 arrest warrants by Brazilian authorities.

Agents of the National Police, in a joint operation with the Federal Police of Brazil and Interpol, have dismantled an organization dedicated to infecting online banking clients’ devices. This network launched attacks from Brazil, using the Grandoreiro Trojan, targeting various countries worldwide, with a significant impact on Spain. As part of this operation, led by Brazil, 133 individuals in Spain (receiving the money) and the five ringleaders in Brazil have been arrested. It is estimated that the criminal organization’s profits since its inception exceed five million euros in Spain alone, potentially reaching up to 120 million euros globally.

The operation began in Spain in 2020, in connection with the Grandoreiro banking Trojan. This malware infiltrated the electronic devices of thousands of online banking users in Spanish- and Portuguese-speaking countries, particularly in Brazil, Spain, Portugal, and Mexico.

Campaigns involving phishing emails impersonating banks

To infect victims, the criminals launched phishing campaigns impersonating banks, sending emails to digital banking users in various countries. Once opened, these emails discreetly installed the virus on the recipient’s device. After the virus was installed, it automatically detected when customers accessed their online banking and communicated with the cybercriminals, who loaded an image impersonating the victim’s bank onto the victim’s computer. They claimed it was to install a security module, avoiding real-time detection.

Simultaneously, the cybercriminals operated within the victims’ open sessions, making bank transfers and taking out instant credit. Under the pretext of updating the bank’s security software, the attackers requested victims’ single-use SMS verification codes through the fake screen the deceived users were viewing. Many of them unknowingly ended up providing these codes, authorizing bank transfers. Victims often only realized these fraudulent operations later, making it challenging to block the transfers and recover funds.

The organization’s ringleaders, located in Sao Paulo (Brazil), were responsible for launching attacks against clients of Spanish banking entities. However, the part of the organization receiving money from fraudulent transfers was in Spain.

Given the complexity of the investigation and its international aspect, a direct communication channel was established between the Cybercrime Units of the Federal Police of Brazil and the National Police, coordinated by Interpol and with the collaboration of Europol, to carry out the operation.

133 arrests in Spain

Efforts by the agents, in collaboration with banks, led to the arrest of 133 individuals receiving money from fraudulent transfers. These arrests took place over two years, from the discovery of the banking malware infection in 2020 to the downfall of the ringleaders in Brazil in 2024.

This operation dealt a severe blow to the criminal organization responsible for distributing one of the major banking viruses that operated worldwide, with a significant impact on Brazil, Mexico, Portugal, and Spain. The results of the operation and the analysis of electronic devices are expected to provide more information about cyberattacks on Spanish clients.

This police operation joins other significant ones in which the National Police has participated during 2023, including the dismantling of infrastructures of major organizations like Hive, Blackcat, or the dismantling of one of the most significant underground markets for the sale of stolen access credentials worldwide, GenesisMarket.

Recommendations from the National Police to avoid falling victim to these attacks:

  • Do not open emails from unknown individuals.
  • Do not click on links in unfamiliar emails.
  • Keep software, especially the operating system, updated.
  • Refrain from providing passwords and banking information via phone or through links received in SMS.
  • Use original software.
  • Report incidents to the National Police if you are in doubt or suspect you have been a victim of fraud.
