Carbanak Gang

Aliases: 2 aliases
Primary URL: Undetermined
Location: Country Russia
Industry: Financial Services
Profile

The Carbanak Gang is a Russian cybercrime group specializing in financially motivated attacks targeting point-of-sale (POS) systems and payment infrastructure. Operating under aliases including Carbanak, the group compromises vendors providing POS technology to retail and hospitality sectors, exploiting vulnerabilities in web portals to deploy malicious code. Their operations focus on credential theft, remote access establishment, and payment system infiltration, enabling further network penetration across merchant environments. The group historically leverages Carbanak malware alongside Dridex banking trojans for initial infections, maintaining persistence through backdoors designed to harvest passwords and exfiltrate sensitive data. Their attacks prioritize financial institutions, retailers, and service providers reliant on POS terminals, with documented incidents involving credit card data theft.

The group’s 2016 campaign against Oracle’s MICROS unit and five other POS vendors demonstrated global reach, compromising servers to access over a million payment terminals. Tactics include targeting third-party service providers to infiltrate downstream merchant networks, exposing contact information and facilitating lateral movement. Distinguishing attributes include specialization in supply-chain attacks against payment technology vendors, enabling broad credential harvesting from retail customers. While some victim organizations confirmed limited data exposure, the collective compromise highlighted the gang’s focus on monetizing payment system access rather than direct consumer data theft. Their operational security and malware tooling reflect sustained capabilities in breaching financial infrastructure across multiple jurisdictions.

Incidents
1 incident