The Bagsu banker case

Thursday 3 October 15:00 - 15:30, Green room

Benoît Ancel (CSIS)

The carding ecosystem is constantly evolving. The actors have to adapt their methodology in order to continue to steal from the banks with a good cost-effectiveness ratio. To maintain this balance, the carders have moved towards infrastructure-as-a-service, making the analyst’s work more and more complex.

Researchers at CSIS Security Group have discovered the infrastructure of a quiet banking trojan actor that has been targeting German users since at least 2014. Our presentation aims to give a technical insight into the whole operation: infrastructure, multi-platform trojans, money laundering schemes, and the recent move towards malware-as-a-service markets like Dreambot, Trickbot, Emotet or even Cobalt Strike.

With this presentation, we want to show how an actor progresses in the carding business, from the development of his own malware to his first million euros stolen.

We aim to show the big picture of the carding ecosystem and discuss the challenges that come with the model.



Benoît Ancel

Benoît Ancel is a malware analyst specialized in tracking carder infrastructure. After working as a  reverse engineer for six years in France with Stormshield, he is now part of the threat intelligence team of CSIS in Denmark. His research interests include malware hunting, reversing, and tracking money laundering. His latest publications include "Dreambot, Business Overview" and "The Wolf in Sheep's Clothing - Undressed". He spends his free time documenting the history of the profit-driven cybercrime business.

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.