Up to a billion dollars may have been plundered from 100 banks worldwide in an unprecedented cyber heist by a gang of unknown hackers, according to a report by Kaspersky Lab.
The attacks, which took place in 30 countries over a two-year timeframe beginning in 2013, were perpetrated by a cybercriminal gang with tentacles in Russia, China and Ukraine.
Kaspersky says at least $300 million has been definitively lost in the spate of attacks, but that number could treble as banks try to pin down a series of $10 million transfers since initiated by the gang.
The crooks used a form of malware dubbed Carbanak, which provided access to bank networks and allowed the gang to overcome internal checks and balances by monitoring bank procedures via video surveillance and keystroke logging.
In some instances, actual customer accounts were artificially inflated and large sums transferred to bogus accounts, while in others the money was dispensed at pre-set times and destinations through cash machines under the control of the hackers.
The criminals established bank accounts in the US and China, reportedly with JP Morgan Chase and the Agricultural Bank of China. Kaspersky says that on average each bank robbery took between two and four months, with up to $10m stolen each time.
Late last year, forensics experts at Moscow-based Group-IB and Fox-IT of the Netherlands reported that a group of Russian cybercriminals which specialises in gaining access to the internal payments networks of banks had stolen more than $18 million over the past six months.
The group, which goes under the name Anunak, appears to have the same digital fingerprints as Kaspersky's Carbanak ring.