TorRAT: four Dutch suspects arrested in EUR 1M digital fraud and money laundering case

UPDATE 2013-10-29: added link to article on TorRAT by Tanya Shafir posted on April 22nd 2013.

On October 24th, the Dutch Public Prosecution Service announced the following:

Hackers plunder back accountsOctober 24, 2013 – Public Prosecution Service

Hackers are suspected of looting bank accounts and making hundreds of fraudulent transfers by installing malicious software on the computers of Dutch bank account holders.

On Monday, the police arrested four men from Alkmaar, Haarlem, Woubrugge and Roden on suspicions of involvement in large-scale digital fraud and money laundering case.

Fake email messages were sent containing a link that activates the so-called banking malware, giving the hackers access to the computers of unwitting account holders. It invading `TorRAT’ manipulates the online banking by adding, modifying or deleting data. The malware adds new payments, or changes existing payment orders without the account holder being able to see it.


To protect their criminal activities the suspects made ​​use of TorMail, a free service that allows users to anonymously send and receive messages.

The fraudulent transfers have ended up in bank accounts of moneymules. They were recruited to make their bank accounts available or to open new bank accounts and handing off their credentials. To channel the stolen money, domestic and foreign companies were created and business bank accounts were opened.


Moreover, the defendants exchanged money that was supposedly criminally obtained for bitcoins, a form of electronic currency. One of the men managed itself a bitcoin exchange service where (cash) money can be converted into bitcoins. The Public Prosecution Service seized 56 bitcoins, which have been exchanged for more than 7700 euros.

The police investigation focuses on the period from spring 2012 to the present, and on more than 150 fraudulent transactions. Several banks and companies have reported cybercrime. The extent of the damage is possibly around one million euros.

The suspects are taken into custody for twee weeks by ​​the magistrate in Rotterdam.



2 thoughts on “TorRAT: four Dutch suspects arrested in EUR 1M digital fraud and money laundering case

  1. Any hints on how the takedown began? The fact that they police specifically cite Tormail – and that they apparently go ahold of the private keys for the associated bitcoinwallets – and that Tormail was compromised during the FreedomHosting/torsploit attacks of early August… one wonders if they’re related.

    The Hackernews article referenced use of “VPN services,” any hint as to whether that was the vector that betrayed the defendants?

    1. Alas, no further information about the investigation is available yet (AFAIK).

      Regarding Bitcoin: note that “seized 56 bitcoins”, despite the suggestive wording, does not necessarily imply that the police obtained private keys of any bitcoinwallet: 1) bitcoinwallets can be unencrypted; 2) the police might have acted as a fake seller to obtain the bitcoins; 3) other explanations may be possible.

      Regarding TorMail: we should consider the more Ockham-proof hypothesis that the suspects practiced insufficient OPSEC in their use of Tor, TorMail, other online activities, or offline activities (money mules leave a trace too).

      Regarding VPN services: I don’t know what Mohit based that claim on.

      OT: on April 22nd 2013, Tanya Shafir of Trusteer posted a description about the TorRAT malware: The malware was spread via Twitter, accompanied by the following pretext: “Our new King William will earn even more than Beatrix. Check his salary”. Very clever, as it piggybacked on an ongoing, somewhat fierce debate in the Netherlands about the Dutch monarchy and tax-paid salaries of the Dutch royal family.

Leave a Reply

Your email address will not be published. Required fields are marked *