Operation Crossbill: how the police cracked an international malware gang

Bob Burls Independent researcher
Graham Cluley Independent researcher

Convictions for malware-related cybercrime are uncommon. International jurisdictions can complicate the investigation and prosecution of such offences. But the cops do sometimes get their man...

This presentation is a case study into an investigation by the UK Police force of a malware gang, codenamed 'Operation Crossbill'.

It concerns the distribution of SpyEye malware, fraud and money laundering by a group of three criminals who were convicted in June 2012.

The criminals targeted UK and European online banking customers and used a complex and highly organized network infrastructure to commit their crimes.

In all, the criminals netted over $150,000 from their scheme and would have made much more if the police had not arrested them.

The offences included the construction and distribution of SpyEye malware delivered by drive-by downloads, account takeover fraud and money laundering via online financial accounts. The investigation also revealed the use of bespoke web injection code designed to defraud a European bank.

One of the presenters was involved in the enquiry from the outset of the case, and the other works for an anti-virus company that assisted the investigation.

The presenters will describe how the pieces of the jigsaw were put in place to bring the offenders to justice in this complex investigation, and illustrate their talk with photographs taken at the scene of the arrest and data captured from the criminals' own computers.

The presentation will start from the initial forensic examination of a SpyEye Command and Control server and associated malicious code leading to the identity of the criminals.

It will also include details of how the malware artefacts found on fraud victims' computers were traced back to the offenders. It was discovered that the criminals used multiple bogus identities and over 100 domains to facilitate their criminal operation.

The aim of the presentation is to give the audience some insight into a complex multi-jurisdictional technical investigation.

VB2013 takes place 2-4 October 2013 in Berlin, Germany.
