
The Global Malware Menace Born in Brazil
Imagine that you go to your bank’s website and a popup asks for your login and an access code sent to your email. These security checks keep changing and getting more annoying. The page takes longer than usual to load, but finally you are in.
Your balance is zero.
Your bank did not add the popup – it was malware developed by a Brazilian criminal network called Grandoreiro. When you logged in, Grandoreiro stole your username and password. It even took the access code your bank sends to your email. Members of this group got into your account, drained your funds, moved them through several front accounts, bought some cryptocurrency, then sent the bulk of the money to a server in Brazil.
This is the story of how Grandoreiro was born out of Brazil’s online criminal underworld, and then spread around the world.
A New Threat
The first signs of Grandoreiro appeared in 2016, when a crude version of the malware, written in the antiquated Delphi programming language, started spreading around Brazil. The attacks broke the rules that cybercriminal organizations respect in other parts of the world: ransomware gangs in the former Soviet Union, for example, avoided targets in their home countries to evade the gaze of local law enforcement. But Grandoreiro was attacking Brazilian banks from its base on Brazilian servers, with comments in the source code written in Portuguese. All the initial evidence pointed to local programmers running attacks on their home turf.
By 2017, law enforcement was on Grandoreiro’s trail, identifying the malware as a critical threat. But as authorities caught on, the developers adapted. The source code continued to evolve, with different criminals collaborating to improve their attacks. “The developers evidently share a lot of code between the groups,” Golo Mühr, a malware analyst with IBM X-Force, which investigated Grandoreiro, explained to InSight Crime. While Grandoreiro has become the most notable Brazilian banking malware, there have been several others with similar characteristics, such as Guildma, Javali, and Melcoz, according to the cyberthreat research company Securelist.
The programmers continued to refine their malware, learning how to evade antivirus software, inhibit malware analysis, encrypt the attackers’ online traffic and add new features for its criminal users. By 2020, the group began looking for new targets, setting its sights internationally. Attacks began targeting banks in Argentina and Peru. Grandoreiro spread throughout Latin America, and then Europe, and is now active around the world.
A Criminal Menagerie
As Grandoreiro expanded, it needed new recruits to take on specialist roles, while the core members enjoyed the bulk of the profits.
The scheme works as follows: At the top are the developers offering malware-as-a-service. They write the code, improve the malware, control the servers, and then recruit others to do the dirty work. “This is a way of making sure that if one of them goes down, or one of them is arrested, the others can continue to function because their connections to the one that has been taken out are minimal,” Enrique Hernández González, Assistant Director of Cybercrime Operations at INTERPOL, told InSight Crime.
Those at the top, who authorities have yet to identify, recruit cell leaders, often in other countries. These leaders then go about setting up the phishing scams and recruiting money mules. The phishing schemes involve fake emails pretending to be legitimate services or authorities, such as Argentina’s tax branch (Administración Federal de Ingresos Públicos – AFIP), and often have a degree of urgency. The email has a link to a malicious site or an attachment which downloads seemingly innocuous software with Grandoreiro’s malware hidden inside.

In the spirit of the famed horse of ancient Greece, this tactic of hiding malware within another program is called a Trojan. Once the malware is installed, Grandoreiro allows the criminals to control parts of the victim’s computer via remote access. This style of malware is called a Remote Access Trojan, typically referred to by the acronym RAT. One click, and Grandoreiro has infected your laptop.
“Once a victim is lured into running it, which can happen in a lot of different ways, the malware runs silently in the background and gathers information on the victim, any installed security software, as well as any banking applications found on the infected system. Then, Grandoreiro waits until the victim uses one of the targeted banking apps or online banking sites,” explained Mühr.
How it works depends on the malware’s version. It may be a fake window that is laid over the legitimate site of your bank. Maybe it is a popup that asks for your username and password. It can even steal tokens for multi-factor authentication. Grandoreiro can control your mouse, record every key you press, see what you are copying and pasting, or turn on your webcam.
Members of this criminal network may use your stolen credentials to log into your accounts from their computers, or they may just work directly on your now controlled device.
Once in your account, the money mules step in. Large international transfers out of an account raise alarm bells, so instead, cell leaders recruit locals in the targeted countries to lend the ring their accounts. These may be trusted friends and family members, or strangers recruited through a Telegram ad.

The stolen money bounces through several of the mules’ accounts, with their owners getting a small cut of each transaction. Though the mules do very little active work, they play a key role in breaking up the money trail.
“Mules are a very important part of the criminal organization,” said Hernández González. “Although it may seem that many times they are the lowest level, and many times they are not even professional mules because they are people recruited with false job advertisements just to move funds, without them, the criminal organization could not really move those funds.”
The ring then buys and sells cryptocurrency to further obscure transactions. Then, the cell leader takes their cut and sends the rest of the cryptocurrency – about 70% of the total – to a server in Brazil. This entire process, from draining an account to the funds arriving in Brazil, takes around 20 minutes, José María Cifuentes, a prosecutor with Argentina’s Cybercrime Unit, told local media.
Grandoreiro and Its Creators Survive
With Grandoreiro robbing banks on the international stage, global law enforcement has sprung into action. But despite a series of arrests in Brazil and Argentina, Grandoreiro is still running strong.
Authorities in Brazil arrested five alleged members of the network in January 2024. They are suspected of stealing around $3.9 million. Caixa Bank, one of the primary targets of the malware in Spain, estimates that the network would have gotten up to €110 million if they had not been detected when they were.
Argentine authorities dismantled a local cell in May of the same year, arresting 16 people suspected of having stolen around $1.6 million. They followed up with more arrests in January and February 2025.
These disruptions have only been hiccups in Grandoreiro’s international operations. Those at the top remain at large, and the malware continues to evolve. It has now split into two main branches, which are being developed separately. How these versions of Grandoreiro infect victims’ computers and where they are active is distinct, meaning there are now likely two different groups behind the malware, according to Mühr.
This kind of resilience is not unique to Grandoreiro: criminals operating through the internet have coordinated and organized through private forums and encrypted messaging from their beginning. These cells operate with significant independence, making it hard to learn about the full network, even if a cell is completely infiltrated.
And while these criminal hackers still mainly operate in parallel to global drug trafficking organizations and other more traditional criminal networks, these criminal spheres grow closer by the day, warned Hernández González.
“We are seeing that there is more and more of a relationship between all kinds of crime and cybercrime, and this is translating into applying all those protective measures that, because of the nature of cybercrime, they have been applying from the beginning,” he said.