If someone knows about cybercrime here in Germany or Europe, he is the one. He is head of cybercrime at the Bundeskriminalamt, the counterpart to the FBI or Scotland Yard, etc. He joined the police 30 years ago. That's what I read.
Hopefully, I don't make another mistake. During that time, he held various managerial positions in the central services and in general crime departments. You are actually also the one who set the department of cybersecurity or cybercrime up. I think we are all looking forward to hearing from you. Welcome Carsten Malbert on stage.
Good afternoon, everybody. I would like to take you now to the dark side of the force for 20 minutes. As he said, I am the head of the cybercrime division at the German Bundeskriminalamt.
In 2020, we started with a division to fight cybercrime. We look back on a very long tradition of fighting cybercrime. We started with a small unit, and we grew into a unit and then a group in 2013.
In 2020, we decided to set up the division, and now we are one of 11 divisions within the BKA. Our mission is to fight cybercrime in the narrow sense, as we say. It is called cyber-dependent crime. That is nearly an exception in the national and international context: we can focus on cyber-dependent crime. We carry out investigations against those criminals who attack infrastructure in Germany and who attack federal authorities. We serve as the central agency in Germany to fight cybercrime. We coordinate the investigations in our federal states and we support their investigations.
We are the single point of contact to the Europol network and to the Interpol network for the German police as a whole. The structure of my division is very simple. It is based on two pillars: one is service and strategy, and one is operations. At the moment, we have about 250 members in our division, and the number of fixed posts is 310. 72% of them are sworn police officers, and 25% are IT experts, cyber analysts and cyber criminalists. Let's jump into the cybercrime scene. Is it this one? What about the situation of cybercrime? Some figures and explanations.
Over the last years, there has been a significant increase in the number of cybercrime offenses in Germany. Since 2016, we have faced an increase of 25%. More than 80% of companies have been affected in the last years. The biggest internet association in Germany, Bitkom, reported more than 200 billion euros of damage to the German economy per year in each of the last three years. And this year, they reported a new maximum value, with 266.7 billion euros of damage to the German economy. One thing is very clear: increasing digitalization offers more and more opportunities to the criminal actors.
But we believe there are three more main reasons that explain this situation. The first one is the pandemic, with the need to set up remote working structures. If we look back at the pandemic, very shortly after it started, we saw how the cybercriminals took advantage of the new conditions. They used the narratives for their phishing emails. In Germany, they set up fake websites to collect the emergency funds which were provided by the government for self-employed people in distress. They anticipated the growth in attack targets very fast.
And for that reason, the number of cyber offences increased rapidly. The second reason is the war between Russia and Ukraine and the phenomenon of a cyber war in addition to the physical attacks. Russia began the war in Ukraine, and at the same time, cyber attacks started in addition to the kinetic warfare. Very characteristic was the hybrid use of cyber capabilities. The boundaries between state-controlled groups and crime groups blurred. Existing groups decided to take the side of one of the warring parties, Russia or Ukraine. We faced a high threat of cyber attacks in Germany.
We feared both targeted attacks and collateral damage. But so far, no effective cyber attacks on critical infrastructures have happened. In Germany, we suffered primarily DDoS campaigns by groups which called themselves pro-Russian on Telegram, for example Killnet and NoName. And we suffer damage due to the use of ransomware committed by crime groups. That continuously has a big impact on our economy and public services. Those attacks are the most dangerous threat so far. And now the third reason: the development of a well-organized and very efficient underground economy.
A new criminal cosmos, which we called Fundamentals, or Crime as a Service. We identified five criminal pillars, and every pillar includes a variety of criminal services.
So, every actor needs infrastructure to commit crimes. That is the business of the resellers. They provide the criminal actors with infrastructure. Forums and Java services are the hubs for the criminal service providers and the communication channels for the criminal businesses. Stolen and compromised data available in criminal marketplaces are the raw material for the criminals. Malware coding is a very specialized business for well-educated persons and small groups. Malware crypting is a business to hide the code from antivirus systems.
And counter-antivirus services check that in an automated way. You can buy it as a subscription as well. There are special services to get your illegal goods and money to safety. They offer drops and cash-out services as well as exchanger services. And let us take a short example with reference to the ransomware model. I will show you the initial access broker, the dropper and the ransomware groups and how they work together. When you look at the kill chain of ransomware attacks, first they need to compromise the systems. That is the task of the initial access broker.
They have the usernames and the passwords, and they do nothing with them. But they sell them to their clients. And the clients are the dropper or loader groups. They buy those data in order to compromise the systems and put malware on them. And they do nothing with it. But they sell these malware accesses to other clients. And now the ransomware groups enter the stage. They rent these malware accesses and drop their ransomware on the compromised systems. And then the ransomware model begins to run. What about the criminals? Since 2015 they have been well organized in an underground economy.
They don't look like hoodie gangs or script kiddies. They don't know each other personally. They know each other by their usernames and the criminal services they offer. They can buy or rent those services offered on the Internet. And they are located all over the world. And they can act from safe havens if they want. They are organized as small groups, but even like a legal company. And such an example you can see on the slide. This is the structure of the ransomware group Conti. The short history behind this information goes back to the Russia-Ukraine war.
A Ukrainian member of the group leaked the information after the other members decided to take the side of Russia. This group has a CEO who led the criminal business. They have a CFO like a legal company. And they have an HR section and IT and operational units. The HR section is responsible for recruiting and training. The IT unit maintains a lot of servers and services bought from the vendors of the underground economy. And the operational teams, they are your partners when you are compromised. They are in your systems weeks or months before you notice them.
They read all the correspondence on the email server and check the system in order to encrypt the data effectively. They exfiltrate the data and publish it on the leak sites. And they fix an appropriate price for the ransom. A few years ago they had a new idea to maximize their illicit profits. They organized a franchise system, with affiliates who rent the malware under conditions set by the core group. They have to pay a fee for that. 80% of the illicit profit goes to the affiliate and 20% to the core group. So what about the strategy to fight cybercrime?
We have a network of specialized cybercrime-fighting organizations at the international and national level. In Germany we organize it at the federal level and in our federal states. With those we practice very close cooperation. Our strategy to combat cybercrime is multidimensional. We are targeting actors, infrastructures and finances. Identifying actors is quite normal. We follow the traces the perpetrators leave behind on the internet. Often perpetrators run their criminal business from safe havens like Russia. There, no cooperation with the law enforcement authorities is possible.
And we are not able to arrest the perpetrators because the authorities do not agree to an extradition. For that reason we developed the infrastructure approach. We clear up the criminal infrastructure and we take it over in order to seize it. In this way we take away the botnet and the servers with the respective services hosted on them. Those operations also target the financial infrastructures of the perpetrators, so that we are able to confiscate criminal crypto assets and store them in our police wallets. How do we use this for successful operations against the criminal actors?
In my opinion it is very important to carry out successful operations. It is important to fight and to hit them in order to keep the pressure high and to demonstrate that we can beat them effectively. Over the last years we have made tremendous progress in the development of international alliances. And we practiced it. Let us get to the disruption of malware groups and illegal marketplaces, as you can see on the slide. The first was Emotet. It was named the king of malware in 2018. They targeted Germany and other countries with a huge number of attacks, and we were challenged to address the threat.
Emotet was a dropper or loader group. We noticed that open investigations existed in other countries as well, and we started an investigation in Germany in 2018 and identified those partners who were conducting investigations against the criminal actors behind Emotet. We came together in an international alliance. The main partners were the Netherlands, France, the US, Great Britain, Canada, Lithuania and Ukraine. Together we worked out a plan to take down the criminal infrastructure of the Emotet network. We were able to clear up the infrastructure.
They used hundreds of servers distributed globally across international hosting providers, organized in a three-tier architecture, and a huge botnet with more than 55,000 victims. The trace led us to the system administrator in Ukraine. The Ukrainian national police organized a search, arrested and interrogated him. He was cooperative and gave us full access to the network. The takedown strategy was built on two pillars, and this part was an innovative approach to tackling the criminal infrastructure. We did something that nobody had done before us worldwide.
We sent the binary again to all bots after we installed a new range of IP addresses. Then the bots communicated with our friendly servers and ignored the servers of Emotet. And secondly, we took the servers of the criminal group off the network. And that was a race against time, because we feared they could come back during the operation. We had a team in Ukraine, a team at Europol and a war room in Wiesbaden at our division's location. In our war room, the dashboard showed us the number of bots which called to our friendly infrastructure over time. In the end, we won.
About 55,000 bots said hello to our friendly infrastructure. On the single bots, we set the malware to quarantine, and we informed all providers about the operation, national and international. Emotet was down in January 2021, and we noticed them again for the first time 10 months after that operation. They came back on a new infrastructure, but not as dangerous as they were before. Hydromarket, the second pillar on the slide. Hydromarket was the biggest marketplace in the darknet.
In 2020, they had a turnover of 1.3 billion euros. It was run by Russian people.
Mainly, they sold drugs on the marketplace. They had 17 million clients and 19,000 vendors. We identified the infrastructure and got access to the IT.
In 2021, we took over all 55 servers they hosted for their criminal business, and we found Bitcoin worth 23 million euros on the servers and put it in our police wallet. Another success story is the takedown of ChipMixer, in March of the following year. ChipMixer was the biggest service for money laundering in the darknet. On the biggest darknet platform, Hydromarket, it was mandatory for all clients and vendors to use it. The total amount of money transferred with ChipMixer was worth nearly 3 billion US dollars.
The main users were even ransomware groups, transferring the illegal profits from the ransoms. We identified the servers and analyzed them for possible attack angles. We conducted technical operations on the servers and prepared the takedown. In the end, we used the access to ChipMixer's server infrastructure to confiscate Bitcoin worth about 90 million euros and put it in our police wallet. KakBot was another dropper service. They maintained the biggest botnet at that time. They succeeded Emotet as the biggest dropper service worldwide. They had a botnet with more than 700,000 bots.
They caused damages of several hundred million euros worldwide. The FBI was able to control the infrastructure and led the takedown operation.
And again, we were successful. The criminal actors cannot get back onto this infrastructure. In between, we took down the illegal marketplaces Nemesis Market, Kingdom Market and Eggestools. Criminal vendors sold trucks, forged documents and cybercrime services.
This year, under the lead of Great Britain's National Crime Agency, an international alliance took down the infrastructure of the ransomware group Lockbit and issued an international warrant against the leader of the group. Over the last two years, they extorted more than 2,200 companies. Two more operations against Lockbit followed under the lead of the British NCA this year. And over the years, we learned that an operation against a single malware group is not effective enough. We can bring them down, but the other perpetrators switch to other services.
So we began to plan another operation, much bigger and against more malware groups. And in May this year, we started the Action Day.