Europol's arrest of the alleged leaders of the Carbanak crime ring is positive news for cybersecurity across the globe. The manner in which the individuals were caught demonstrates the importance of public-private partnerships and the global nature of cybercrime. The inclusion of police agencies in at least five countries shows how difficult it can be to track a single actor though all of their online activity and the jurisdictional challenges law enforcement faces while pursuing these criminals.
Carbanak's downfall was brought on by what ends up bringing down most organized crime groups: accounting. This reinforces the need for law enforcement organizations to continue focusing on traditional 'follow the money angles' as much as cyberforensic capabilities. As long as you cannot make major purchases with cryptocurrencies, the Achilles heel of any organized crime activity will be laundering money and taxes. Pinching these types of actors from both a prevention of movement in cyberspace and a reduced ability to enjoy their illicit gains often results in the largest successes for law enforcement. What remains to be seen is whether this arrest will result in a serious degradation of Carbanak’s capabilities or merely a short term hindrance while the group refocuses its activity.
What made Carbanak stand out was its organization and planning. The amount of money they stole, combined with the length of operation, make Carbanak one of the most successful, well-known groups out there. However, three things make the impact of the arrest still a largely unknown quantity.
Is Carbanak hierarchical or amoebic?
Does catching the "leader" result in an unrecoverable loss of organization and capabilities or will the groups simply adjust and keep going? I don't think anyone has enough insight into Carbanak to know for sure.
How diffuse are their techniques?
Cybercrime is a copycat game for the most part. This arrest makes a larger dent in cybercrime if there is no one waiting in the wings to take up this type of intrusion against financial institutions. Unfortunately, now that people have seen how this works, there are already plenty of copy cats. If Carbanak goes down, but the technique still works, others will take their place.
How effective is this as a deterrent?
Perhaps more effective than if you look at the impact on actual operations is the deterrent effect of the arrest. Carbanak had a lot of mystique around them both in terms of the size of their heists and their ability to operate. The arrest of the ringleaders might discourage other groups to grow quite as large and cross as many borders.That effect would have the largest impact on overall trajectory of cybercrime.
Despite their notoriety as being the billion dollar cybercrime group, Carbanak's activity has always been small in comparison to the overall cybercrime market. Even if we are generous and give them double their reported earnings, sitting at $3 billion lifetime earnings is roughly $500 million a year and that is less than half a percent of estimated global cybercrime a year. Taking out half a percent of global cybercrime is a large deal in terms of a single bust. In terms of how much cybersecurity professionals see the difference, it looks more like a rounding error.
The loss of traditional financial institution's support in tracking crime makes law enforcement's job much more difficult. However, we are already seeing attempts to regulate the space for tax purposes. Law enforcement and regulators will get more creative in how to make cryptocurrency more government friendly. Until they do, a lot of the work will focus more on finding gaps than on actually tracing money as it flows through the system. Right now cryptocurrency is very similar to tax havens that don't share information readily. That problem will continue to expand as cryptocurrency becomes mainstream, but this is a known problem and, therefore, one that someone will find an answer to, even if it makes investigations take significantly longer in the meantime.
How important cooperation was in leading to these arrests can't be overstated. It is exceedingly rare these days that people hack within their own borders using only infrastructure within that same country. The Internet is global by nature and so too are the criminals who reside on it. The two largest impediments to combating cybercrime from a law enforcement angle are trained professionals and jurisdiction. The ability to work across borders, share information and reduce the blind spots that cybercriminals have available to them to hide in is often the key difference between a successful arrest and a cold case.