How French Internet investigators dismantled a large hacker network in Switzerland and Ukraine

Their malicious activities affected 1,800 victims in 71 countries, and their impunity ended at dawn on Tuesday in a resounding crackdown called Operation Fifth Element. After two years of careful investigation under the auspices of Europol, an international team of 50 police officers, including experts from the Judicial Police, carried out the coordinated arrest of 12 cybercriminals in Ukraine and Switzerland. The gang paralyzed and blackmailed its targets with powerful “ransomware”: malware that encrypts the data of a computer, server, corporate network or local authority, making it completely unreadable.

Six Europol police officers collaborated with other European and American experts.

The investigation began with a complaint by a large French company that was attacked in early 2019 by the LockerGoga ransomware. The case was then taken up by the specialized section of the Paris public prosecutor’s office (TGI de Paris), which centralizes and coordinates, at the national level, judicial police investigations into “ransomware”-type cyber-attacks.

Led by the Central Bureau of Information and Communication Technologies Crime Prevention (OCLCTIC), the online investigation brought together cyber investigators from the eight countries where the hackers had struck: the Netherlands, Norway, Germany, the United Kingdom and the United States, as well as the Ukrainian and Swiss police services, which planned the arrests. The European Cybercrime Centre (EC3) hosted seven coordination meetings in The Hague.

The investigators first traced the C2 server, the machine that controlled and communicated with the malware. An unexpected stroke of luck: it was located in France, which allowed them to work their way back to the other servers. With the help of European experts, they then mapped the criminal infrastructure and analyzed the channels through which the ransomware operators communicated with their victims. Finally, they followed the “money trail”, that is, the addresses of the bitcoin wallets to which the ransoms sometimes went. “The advantage of IT is that it leaves traces that allow us to follow tracks,” smiles a police source.

Criminal structure of specialists

Those arrested are considered part of a genuine organized gang with well-defined roles. Some of them were responsible for breaking into the computer systems of the targets, mainly large companies, using every tool available to hackers: theft of passwords and login IDs, brute-force attacks, or massive “phishing” campaigns.

After gaining initial access, accomplices based in Ukraine deployed the Trickbot malware and set up stealthy post-exploitation tools such as Cobalt Strike. These specialists then moved covertly through their victims’ networks and remained hidden, sometimes for months, before triggering the encryption of the data and demanding a ransom in bitcoin, either to decrypt it or to refrain from publishing it online.
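The months-long dwell time described above is exactly the window in which defenders can still catch an intrusion before encryption. One telltale sign of a command-and-control implant such as Cobalt Strike is a host that contacts the same external address at nearly fixed intervals. The script below is an added example, not code from the article or from any of the agencies it names: it parses constructed proxy log lines (documentation-range IP addresses, invented timestamps) and flags source/destination pairs whose connection gaps have a low coefficient of variation. The log format, the function names and the thresholds are all assumptions for this illustration.

```python
import re
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed proxy log lines in an assumed format:
#   "<ISO timestamp> <src> -> <dst>:<port>"
# Addresses come from documentation ranges; nothing here is from the article.
def _constructed_log_lines():
    base = datetime(2021, 10, 26, 8, 0, 0)
    lines = []
    # Host A: check-ins roughly every 60 s with a few seconds of jitter (beacon-like).
    t = base
    lines.append(f"{t.isoformat()} 10.0.0.5 -> 198.51.100.7:443")
    for jitter in (0, 2, -1, 3, -2, 1, 0, -3, 2, -1, 1, 0):
        t += timedelta(seconds=60 + jitter)
        lines.append(f"{t.isoformat()} 10.0.0.5 -> 198.51.100.7:443")
    # Host B: ordinary browsing, irregular gaps to a single destination.
    t = base
    lines.append(f"{t.isoformat()} 10.0.0.9 -> 203.0.113.20:443")
    for gap in (5, 300, 12, 900, 40, 3, 1200, 7):
        t += timedelta(seconds=gap)
        lines.append(f"{t.isoformat()} 10.0.0.9 -> 203.0.113.20:443")
    return lines

LOG_LINES = _constructed_log_lines()

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+)$")

def parse_line(line):
    """Return (timestamp, src, dst) for a well-formed line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)

def interval_stats(timestamps):
    """Mean gap and coefficient of variation (stdev / mean) between successive events."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    cv = pstdev(gaps) / avg if avg > 0 else float("inf")
    return {"events": len(ts), "mean_gap": avg, "cv": cv}

def find_beacons(lines, min_events=8, max_cv=0.2):
    """Flag (src, dst) pairs with enough events and suspiciously regular timing."""
    pairs = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than crash on them
        ts, src, dst = parsed
        pairs.setdefault((src, dst), []).append(ts)
    flagged = {}
    for pair, stamps in pairs.items():
        if len(stamps) < min_events:
            continue  # too few events to judge regularity
        stats = interval_stats(stamps)
        if stats["cv"] <= max_cv:
            flagged[pair] = stats
    return flagged

if __name__ == "__main__":
    for pair, stats in find_beacons(LOG_LINES).items():
        print(f"beacon-like: {pair[0]} -> {pair[1]} "
              f"({stats['events']} events, mean gap {stats['mean_gap']:.1f}s, cv {stats['cv']:.3f})")
```

The coefficient of variation is deliberately a tuning knob: implants can be configured with large timing jitter, so a strict threshold trades missed beacons for fewer false positives, and in practice this heuristic is combined with destination reputation and volume baselines rather than used alone.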

Historic Ransomware Players

The suspects are believed to have spread the LockerGoga ransomware, active since 2019 and specialized in attacks on industrial systems, as well as the MegaCortex and Dharma malware, which were among the first to exfiltrate data before rendering it unreadable without the decryption key.

Other cybercriminals based in Switzerland then took charge of laundering the ransoms, passing the extorted bitcoins through crypto-mixing services, which complicate their traceability, before converting this virtual money into cash. Police recovered $52,000 and seized several luxury cars. They also seized computers and other electronic devices in order to gather evidence and unearth further investigative leads. The total damage is estimated at 100 million euros.
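The “money trail” mentioned earlier and the mixing services described here are two sides of the same analysis: an investigator follows outputs from the address the victim paid, hop by hop, and notes where the trail passes through a transaction that looks like a mixer, since from that point on attribution becomes probabilistic. The script below is an added example, not code from the article or from any investigating agency; its transaction set is constructed, the address labels (such as ransom_addr) are placeholders rather than real wallets, and the mixer heuristic (many inputs, many equal-valued outputs) is a simplification assumed for this illustration.

```python
from collections import deque

# Constructed, simplified transaction graph: txid -> {"in": [(addr, btc)], "out": [(addr, btc)]}.
# Address names are placeholders; none of this is real blockchain data.
TRANSACTIONS = {
    "tx1": {"in": [("victim_addr", 5.0)], "out": [("ransom_addr", 5.0)]},
    "tx2": {"in": [("ransom_addr", 5.0)], "out": [("hop_a", 3.0), ("hop_b", 2.0)]},
    # tx3 pools several parties' coins and pays out equal amounts: mixer-like.
    "tx3": {"in": [("hop_a", 3.0), ("other1", 1.0), ("other2", 1.0), ("other3", 1.0)],
            "out": [("mix_out1", 1.5), ("mix_out2", 1.5), ("mix_out3", 1.5), ("mix_out4", 1.5)]},
    "tx4": {"in": [("hop_b", 2.0)], "out": [("exchange_deposit", 2.0)]},
    "tx5": {"in": [("mix_out2", 1.5)], "out": [("exchange_deposit", 1.5)]},
    "tx6": {"in": [("unrelated", 0.5)], "out": [("someone_else", 0.5)]},
}

def build_spend_index(txs):
    """Map each address to the transactions that spend from it."""
    index = {}
    for txid, tx in txs.items():
        for addr, _ in tx["in"]:
            index.setdefault(addr, []).append(txid)
    return index

def looks_like_mixer(tx, min_parties=3, tolerance=1e-8):
    """Heuristic (assumed for this example): many inputs and many equal-sized outputs."""
    outs = [amt for _, amt in tx["out"]]
    equal_outputs = max(outs) - min(outs) <= tolerance
    return len(tx["in"]) >= min_parties and len(outs) >= min_parties and equal_outputs

def trace_funds(txs, start_addr, max_hops=10):
    """Breadth-first walk from start_addr along spending transactions.

    Returns edges (txid, from_addr, to_addr, amount, confidence), the addresses
    where the trail stops (unspent or hop limit), and the mixer-like txids seen.
    Edges produced by a mixer-like transaction are marked 'via_mixer' because
    every equal-valued output is only a candidate continuation of the trail.
    """
    spend_index = build_spend_index(txs)
    edges, mixers, endpoints = [], set(), set()
    seen = {start_addr}
    queue = deque([(start_addr, 0)])
    while queue:
        addr, depth = queue.popleft()
        spending = spend_index.get(addr, [])
        if not spending or depth >= max_hops:
            endpoints.add(addr)
            continue
        for txid in spending:
            tx = txs[txid]
            confidence = "direct"
            if looks_like_mixer(tx):
                mixers.add(txid)
                confidence = "via_mixer"
            for out_addr, amt in tx["out"]:
                edges.append((txid, addr, out_addr, amt, confidence))
                if out_addr not in seen:
                    seen.add(out_addr)
                    queue.append((out_addr, depth + 1))
    return {"edges": edges, "endpoints": endpoints, "mixers": mixers}

if __name__ == "__main__":
    result = trace_funds(TRANSACTIONS, "ransom_addr")
    for txid, src, dst, amt, conf in result["edges"]:
        print(f"{txid}: {src} -> {dst} {amt} BTC [{conf}]")
    print("trail ends at:", sorted(result["endpoints"]))
    print("mixer-like transactions:", sorted(result["mixers"]))
```

Running the block shows the 3 BTC leg fanning out into four equal outputs at tx3, only one of which actually continues to the exchange deposit address; the other three end the trail. That is precisely the loss of certainty the article attributes to mixing services, and it is why investigators pair on-chain tracing with the seizures and cash-out records mentioned above rather than relying on the graph alone.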
