The most dangerous hacking operation in the history of banks | Kings of the Dark Web?

On September 13, 2017, the IT director of a Russian bank was living a normal life with everything going well. But at exactly 3 a.m. on that date, he called the bank’s accounts manager with a trembling voice and said, “Contact the IT team immediately because the situation is very serious.”

Without asking for details, the IT employee contacted Kaspersky and requested that they send a specialist to the bank immediately. He told them, “It seems the problem that has baffled the world has now reached Russia.” Indeed, Kaspersky sent an IT expert to the bank within fifteen minutes. The expert met with the bank’s IT employee, and the surprise was that someone had managed to control the primary domain controller—the unit that controls all the bank’s computers.

To clarify, if you control this unit, you control everything in the bank. The IT director and Kaspersky expert sat in front of the main server and watched the hacker sending data to China without any logical reason. The Kaspersky expert was shocked by the strength and scale of the breach and initially lost hope of stopping it, but he began searching for malicious software to minimize the damage.

After a long search, he found a program that allowed the hacker to monitor and control the computer remotely. At one strange moment, the expert opened Microsoft Word and typed “Hello” in Russian. For minutes, nothing changed, then suddenly the mouse pointer moved, and a message appeared on the screen. The hacker replied in Russian, “You will never catch us.” The expert responded, “We will catch you.” The hacker answered, “No, my friend, you won’t.”

This marked the start of a psychological war between professional hackers and the cybersecurity team. This was the beginning of one of the most dangerous hacking operations in history.

But who won in the end? The hackers or the banks, security forces, and investigators?

The entire story is highly classified, and only limited names and data have been disclosed because revealing the details of such a theft could cause a global economic crisis.

The story began in 2014 when the group’s sole mission was to quietly monitor internal banking systems and gather information without carrying out any real hacking—just testing vulnerabilities and waiting for the right moment.

On April 8, 2014, they started their plan by sending a phishing email with an infected Word document to a low-level employee at a Ukrainian bank. The document exploited a vulnerability in Microsoft Word, unleashing malware that opened a backdoor into the entire banking system.

They were then able to watch everything on that employee’s computer, recording every keystroke and password entered. The employee was unaware his device was compromised. This employee effectively became the gateway to a much larger breach, gradually spreading into all the bank’s servers and devices.

After nearly two years of surveillance, the hackers executed their first major theft on July 10, 2016, in Taipei, Taiwan.

During this theft, two gang members wearing surgical masks entered a bank. One stood at the entrance observing, while the other stood calmly at an ATM machine without withdrawing cash or entering a PIN. Suddenly, the ATM started dispensing money continuously. The gang member calmly collected the cash into his bag and fled before a stranger approached the ATM. The stranger, who attempted to withdraw money, was shocked to see cash strewn all over the floor but didn’t take any.

This wasn’t an isolated event; the exact operation occurred simultaneously at 20 locations worldwide, causing confusion among bank managers who initially thought it was a software glitch or a coincidence.

The gang was highly organized with specific teams for each phase: reconnaissance, penetration testing, monitoring, data collection, analysis, planning, and execution.

Their theft methods were sophisticated. They transferred money from fake accounts into their own while manipulating balances so the bank’s internal systems wouldn’t notice any suspicious activity.

They also collaborated with on-the-ground “cash handlers” who physically collected the money from ATMs.

In one month, they stole over $50 million using this method.

After stealing billions from over 100 banks in 30 countries, Kaspersky, Taiwanese police, and various international security agencies began tracking the gang.

In 2018, authorities raided the home of the gang’s Ukrainian leader, Denis, who lived a lavish life in Spain. They confiscated his possessions, including two BMW cars, half a million dollars in jewelry, and 15,000 bitcoins worth over a billion dollars today.

Denis was a programming genius but used his skills more as a personal challenge than just for wealth.

Authorities arrested several gang members, but the network remains large and complex. Some sources suggest the gang is part of the Russian cyber army, though no official evidence confirms this.

The key lesson: never open suspicious links or log in to unknown websites, even if sent by trusted people, because hackers are everywhere.