IOCTA 2021 Published by Europol

Europol has published its Internet Organised Crime Threat Assessment for 2021 (IOCTA 2021).  This highlights 5 Key Threats:

  • Ransomware affiliate programs enable a larger group of criminals to attack big corporations and public institutions by threatening them with multi-layered extortion methods such as DDoS attacks.
  • Mobile malware evolves with criminals trying to circumvent additional security measures such as two-factor authentication (2FA).
  • Online shopping has led to a steep increase in online fraud.
  • Explicit self-generated material is an increasing concern and is also distributed for profit.
  • Criminals continue to abuse legitimate services such as VPNs, encrypted communication services and cryptocurrencies.

IOCTA 2021 looks into the (r)evolutionary development of these trends, catalysed by the expanded digitalisation of recent years.

  • Criminals have been quick to abuse the current circumstances to increase profits, spreading their tentacles to various areas and exposing vulnerabilities, connected to systems, hospitals or individuals.
  • While ransomware groups have taken advantage of widespread teleworking, scammers have abused COVID-19 fears and the fruitless search for cures online to defraud victims or gain access to their bank accounts.
  • The increase of online shopping in general has attracted more fraudsters.
  • With children spending a lot more time online, especially during lockdowns, grooming and dissemination of self-produced explicit material have increased significantly.
  • Grey infrastructure, including services offering end-to-end encryption, VPNs and cryptocurrencies continue to be abused for the facilitation and proliferation of a large range of criminal activities.

This has resulted in significant challenges for the investigation of criminal activities and the protection of victims of crime.

“Cybercrime is a reality and law enforcement worldwide needs to catch up,” said Edvardas Šileris, Head of Europol’s European Cybercrime Centre (EC3), ”…….Only by working together can we create innovative ideas and practical approaches that can put a halt to cybercrime acceleration. It is essential to establish the environment and resources required to do so,” he added.

The EAST Expert Group on Payment and Transaction Fraud (EPTF), which meets three times each year, focuses on the prevention of payment and transaction fraud, including social engineering and online transactions.  The 11th EAST EPTF meeting took place on 10 November 2021.

EAST EPTF holds 11th Meeting

The 11th Meeting of the EAST Expert Group on Payment and Transaction Fraud (EPTF) took place on Wednesday 10th November 2021.  Due to the Covid-19 situation, it was conducted as a virtual meeting and was chaired by Rui Carvalho, EAST Development Director.

The meeting was attended by 17 key representatives from Card Issuers, International Banks, Law Enforcement, Payment Processors and Solution Providers.

Europol, INTERPOL and the Swedish Police provided the law enforcement perspective, and Group-IB presented on the developing Classiscam fraud.

Short presentations were also made by Cartes Bancaires, HSBC, ING BankMasterCard Members’ AssociationPAN-Nordic Card AssociationSIBs, and Trend Micro.  Social engineering linked to non-banking fraud continues to be an issue of concern.

EAST EPTF, which meets three times a year, adds value to the payments industry by using the unique and extensive EAST National Member and EAST Global Member platforms, and the Associate Member network, to provide information and outputs that are not currently available elsewhere.  It is a is a specialist group that discusses security issues affecting the payments industry and that gathers, collates and disseminates related information, trends and general statistics.

EAST National & Global Members represent 35 countries and outputs from the group are presented to EAST Global Congress Meetings.  There are 212 EAST Associate Member Organisations from 52 countries and territories.

#SellSafe – Safety Awareness for Online Shopping

EuropolEFECC launched the #SellSafe awareness campaign on 3 November as part of their 2021 eCommerce Action.

Organised crime groups are continuously adapting online fraud methods to exploit both online shoppers and e-commerce companies.  Their opportunities are growing!  Since the start of the pandemic the number of businesses selling online has increased, and the average shopper is using online services several times each week.  New technologies such as Secure Customer Authentication (SCA) or Two-Factor Authentication (2FA) have made online purchasing more secure, but cybercriminals are still finding ways to steal cash from online shoppers.

Europol launched the #SellSafe awareness campaign along with the Merchant Risk Council and participating countries.  This follows a successful campaign last year which highlighted the top tactics for fighting online fraud. The aim of the new campaign is to make e-commerce more secure by promoting safe online purchasing methods and by helping new merchants to open their first online shop without the risk of cyberattacks.

From 1 to 31 October 2021 law enforcement authorities from participating countries, supported by Europol and the Merchant Risk Council, joined forces in a coordinated action against online fraud as part of the 2021 eCommerce Action.  This resulted in 46 arrests linked to fraudulent transactions.  The criminal modus operandi involved the use of certain mobile apps associated with banks in order to make transfers and purchases illegally.  In 2019 an operation by Europol’s European Cybercrime Centre (EC3) led to 60 arrests as part of their #BuySafePaySafe action.

The 2021 #SellSafe participating countries include: Albania, Austria, Belgium, Colombia, Croatia, Greece, Hungary, Ireland, Italy, Georgia, the Netherlands, North Macedonia, Poland, Portugal, Slovenia, Slovakia, Spain, Switzerland and the United States.

The participating countries will promote the campaign through their social media channels using the #SellSafe hashtag to help online shoppers understand the risks of e-commerce fraud.

The EAST Expert Group on Payment and Transaction Fraud (EPTF), which meets three times each year, focuses on the prevention of payment and transaction fraud, including social engineering and online transactions.  The next EPTF meeting will take place on 10 November 2021.


To protect online shoppers and merchants, Europol has provided a number of helpful tips to stay one step ahead of the scammers and to prevent financial loss.

Tips to protect your e-business:

  • Ensure all employees are aware of the fraud issues affecting online stores
  • Stay up to date on the types of payment fraud affecting businesses and have the tools in place to prevent them. Your national payments organisation will have details on payment fraud types
  • Get to know your customers in order to be able to verify their payments

Tips for online shoppers:

Never send your card number, PIN or any other card information to anyone by e-mail

  • Never send money to anyone you don’t know
  • Always save all documents related to your online purchases
  • If you are not buying anything, don’t submit your card details

Find more tips on how to protect yourself and your business from e-fraudsters here.

More general advice on how to shop safely online is available here.

EAST Publishes Fraud Update 3-2021

EAST has just published its third Fraud Update for 2021. This is based on country crime updates given by representatives of 22 countries in the Single Euro Payments Area (SEPA), and 6 non-SEPA countries, at the 5th (virtual) EAST Interim Meeting held on 6th October 2021.

The following countries supplied full or partial information for this Update:

Armenia; Austria; Belgium; Canada; Cyprus; Finland; France; Germany; Greece; Hungary; Italy; Liechtenstein; Luxembourg; Malta; Mexico; Netherlands; Norway; Poland; Portugal; Romania; Russia; Slovakia; South Africa; Spain; Sweden; Switzerland; Ukraine; United Kingdom.


Fraud Update

To date in 2021 the EAST Expert Group on Payment and Transaction Fraud (EPTF) has published two related Payment Alerts and one related Security Alert, and the EAST Expert Group on All Terminal Fraud (EGAF) has published six related Fraud Alerts.

Fraud Update

To date in 2021 EAST EPTF has published one related Payment Alert.



To date in 2021 EAST EPTF has published one related Payment Alert and EAST EGAF has published two related Fraud Alerts.




To date in 2021 the EAST Expert Group on ATM and ATS Physical Attacks (EGAP) has published two related Physical Attack Alerts.

The full European Fraud Update is available to EAST Members (National, Global and Associate).

Information on the Fraud Definitions and Terminology used by EAST can be found as follows:






Dark Web vendors and buyers taken out by International Police Operation

Police forces across the world have arrested 150 alleged suspects involved in buying or selling illicit goods on the dark web as part of a coordinated international operation involving nine countries.  Over €26.7 million (USD 31 million) in cash and virtual currencies were seized in this operation, as well as 234 kg of drugs and 45 firearms.

Operation Dark HunTOR, was composed of a series of separate but complementary actions in Australia, Bulgaria, France, Germany, Italy, the Netherlands, Switzerland, the United Kingdom and the United States, with coordination efforts led by Europol and Eurojust. This follows on from the takedown earlier this year of DarkMarket, the world’s then-largest illegal marketplace on the dark web.  At the time, German authorities arrested the marketplace’s alleged operator and seized the criminal infrastructure, providing investigators across the world with substantial evidence.  Europol’s European Cybercrime Centre (EC3) has since been compiling intelligence packages to identify the key targets.

As a result, 150 vendors and buyers who engaged in tens of thousands of sales of illicit goods were arrested across Europe and the United States.  A number of these suspects were considered as High-Value Targets by Europol.

EFECCThe arrests took place in the United States (65), Germany (47), the United Kingdom (24), Italy (4), the Netherlands (4), France (3), Switzerland (2) and Bulgaria (1).  A number of investigations are still ongoing to identify additional individuals behind dark web accounts.

In the framework of this operation the Italian authorities also shut down the DeepSea and Berlusconi dark web marketplaces, which together boasted over 100,000 announcements of illegal products.  Four administrators were arrested, and €3.6 million in cryptocurrencies was seized.

Europol’s EC3 facilitated the information exchange in the framework of the Joint Cybercrime Action Taskforce (J-CAT) hosted at Europol’s headquarters in The Hague, the Netherlands.

Ransomware Gang Arrested in Ukraine

ransomwareOn 28 September 2021 a successful coordinated Police operation took down an international ransomware gang in Ukraine.  A coordinated strike by the French National Gendarmerie (Gendarmerie Nationale), the Ukrainian National Police (Національна поліція України) and the United States Federal Bureau of Investigation (FBI), with the coordination of Europol and INTERPOL, led to the arrest of two prolific ransomware operators known for their extortionate ransom demands (between €5 to €70 million).  This resulted in:

  • 2 arrests and 7 property searches
  • Seizure of US$ 375,000 in cash
  • Seizure of two luxury vehicles worth €217,000
  • Asset freezing of $1.3 million in cryptocurrencies

The organised crime group is suspected of having committed a string of targeted attacks against very large industrial groups in Europe and North America from April 2020 onwards.  The criminals deployed malware and stole sensitive data from these companies, before encrypting their files. They then offered a decryption key in return for a ransom payment of several millions of euros, threatening to leak the stolen data on the dark web should their demands not be met.

Europol supported the investigation from the onset, bringing together all the involved countries to establish a joint strategy.  Its cybercrime specialists organised 12 coordination meetings to prepare for the action day, alongside providing analytical, malware, forensic and crypto-tracing support.  A virtual command post was set up by Europol to ensure seamless coordination between all the authorities involved.

The following law enforcement authorities took part in the investigation:

  • France: National Cybercrime Centre of the National Gendarmerie (C3N)
  • Ukraine: Cyber Police Department of the National Police of Ukraine
  • United States: Atlanta Field Office of the Federal Bureau of Investigation
  • Europol: European Cybercrime Centre (EC3)
  • INTERPOL : Cyber Fusion Centre

The operation was carried out in the framework of the European Multidisciplinary Platform Against Criminal Threats (EMPACT).

The EAST Expert Group on Payment and Transaction Fraud (EPTF), which meets three times each year, focuses on the prevention of payment and transaction fraud, including social engineering and ransomware.

National & Global Fraud Intelligence sharing – 5th Interim EAST Meeting

The fifth Interim Meeting of EAST National and Global Members took place on Wednesday 6th October 2021. Due to the Covid-19 situation, it was conducted as a virtual meeting. The meeting was chaired by Veronica Borgogna from AXEPTA BNP Paribas.  The key focus was on the sharing of global, regional, and national, payment and terminal fraud intelligence.

Law enforcement overviews were provided by Europol, the Gulf Cooperation Council Police (GCCPOL), the United States Secret Service (USSS) and INTERPOL.  Two presentations were made by Europol: one from the European Cybercrime Centre (EC3) covered recent successful cross-border operations; the other covered Physical ATM attacks across Europe.  The GCCPOL presentation covered payment and fraud issues seen by their 6 member countries focussing on Technological Fraud (crimes committed using different forms/types of machines and technology) and Non-Technological Fraud (conducted directly against the victim). The USSS presentation covered Covid-19 pandemic relief fraud and the INTERPOL presentation covered recent issues relating to financial crimes in the LATAM region.

Private sector fraud intelligence updates were received from 28 countries, either directly or via regional/global updates by Citi, HSBC and Worldline.  Regional Updates were also provided for ASP, MENA and LATAM. Each update covered Fraud Types, Fraud Origin, Due Diligence and Physical Attacks (ATM, ATS and CIT).  The importance of raising consumer awareness to counter the rising threats related to social engineering remains a key issue.

EAST Fraud Update 3-2021 will be produced early next month, based on the country updates provided at the Interim EAST Meeting.  EAST Fraud, Payment and Physical Attack Updates are available on the EAST Intranet to EAST Members.

The next meeting of this group, scheduled for 9th February 2022, will hopefully be the 1st EAST Global Congress, which is planned as Hybrid Meeting.  This is dependant on the prevailing status of the Covid-19 pandemic and the meeting will revert to a virtual Interim Meeting if required.

ATM Explosive Attacks fall in Europe

EAST has published a European Payment Terminal Crime Report covering the first 6 months of 2021 which shows a significant fall in ATM explosive attacks.

While overall ATM related physical attacks were up 2% (from 1,829 to 1,873 incidents), mainly driven by a rise in vandalism, ATM explosive attacks (including explosive gas and solid explosive attacks) were down 52% (from 505 to 241 incidents).  Attacks due to ram raids and ATM burglary were down 42% (from 405 to 234 incidents).  Losses due to ATM related physical attacks were €4.9 million, a 61% decrease from the €12.6 million reported during the same period in 2020.  35% of these losses were due to explosive attacks, which were down 58% from €7.6 million to €3.2 million.

EAST Executive Director Lachlan Gunn said, “The first 6 months of this year have been influenced by the Covid-19 pandemic, although travel restrictions have eased across Europe. This significant fall in explosive attacks at ATMs is welcome news for all of us, given the destructive nature of such attacks and the resultant risks to life and property. However, the prize remains an attractive option for criminals and the average cash loss per successful solid explosive attack is now estimated at €40,877. To address the issue our EGAP expert group has worked closely with Europol and other Law Enforcement Agencies, and all parties remain vigilant to the threat.”

ATM malware and logical attacks against ATMs were down 74% (from 129 to 33) and all but one of the reported attacks were Black Box attacks. A Black Box attack is the connection of an unauthorised device which sends dispense commands directly to the ATM cash dispenser, to ‘cash-out’ or ‘jackpot’ the ATM. Related losses were down 37% from €1.0 to €0.63 million. Most such attacks remain unsuccessful.

Terminal related fraud attacks were down 24% (from 3,631 to 2,775 incidents). Card skimming fell to another all-time low (down from 321 to 279 incidents) and transaction reversal fraud (TRF) at ATMs decreased by 100% (down from 108 to zero incidents). Total losses of €102 million were reported, down 6% from the €109 million reported during the same period in 2020. Most losses remain international issuer losses due to card skimming, which were €86 million.

A summary of the report statistics under the main headings is in the table below.


The full Crime Report is available to EAST Members (National, Global and Associate)

ATM Explosive Attack OCG taken down by Police

An organised crime group (OCG) specialised in ATM explosive attacks has been taken down by a coordinated cross-border police operation.  9 suspects were taken into custody after the action by a joint investigation team (JIT) between the Dutch and German authorities.  The 18-month investigation was coordinated by Europol and Eurojust.

The criminals produced step-by-step tutorials on how to blow up ATMs and have been linked to at least 15 ATM attacks in Germany.  The ATMs were blown open using homemade improvised explosive devices (IEDs), posing a serious risk to life.  During one test run by the criminals, one suspect died and another was seriously injured.

Some key facts relating to the investigation are:

  • It was initiated in February 2020 after authorities in Osnabrück, Germany, identified suspicious orders of ATMs from a German company.
  • Special surveillance measures were put in place, which led the investigators to Utrecht, the Netherlands, where a 29 year-old individual and his 24 year-old accomplice were running an illegal training centre for ATM attacks.
  • The pair was ordering different models of ATMs and recording tutorials on how to most effectively blow them up.
  • Links were also established between this criminal organisation and at least 15 ATM attacks in Germany. The total damage, including both the losses and the property damage, is estimated at approximately €2,150,000.

The investigation culminated in a series of police raids on 28 September for which two Europol experts were deployed in the field.  Seven house searches were carried out in the Netherlands in the triangle of Utrecht, Amsterdam and the Hague, resulting in the arrest of three suspects.  These three individuals are currently in custody in the Netherlands and are to be extradited to Germany.

Given the cross-border nature of this case, a Joint Investigation Team (JIT) was set-up in April 2021 between the Dutch and German authorities with the assistance and financing of Eurojust.  Furthermore, the Agency organised the judicial cooperation and supported the execution of European Investigation Orders (EIOs).

In addition, an Operational Taskforce (OTF) was set up between Europol, Germany and the Netherlands to pool investigative resources and expertise.  In the framework of this OTF, 18 operational meetings were held at Europol to prepare for the final phase of the action.

ATM explosive attacks are a growing concern, as they often put innocent lives in danger.  In order to prevent and tackle this type of crime, close cooperation between law enforcement and the ATM industry is paramount.  Europol and the European Crime Prevention Network (EUCPN) have worked on a number of recommendations to prevent physical attacks against ATMs.

The EAST Expert Group on ATM and ATS Physical Attacks (EAST EGAP) is a European specialist expert forum for discussion of ATM,  ATS and CIT related physical attack trends, attack methodologies and counter-measures, threat protection, and for the provision of regularly updated lists of manufacturers of ATM protective devices.

The EAST EGAP meets twice each year to enable in-depth and technical discussion to take place.  The Group held its 16th Meeting on 1 September 2021.  To date it has published 46 Physical Attack Alerts for EAST members, 35 of which relate to ATM Explosive Attacks (22 Explosive Gas and 13 Solid explosive).

Online Fraud Group taken down in coordinated Police Action

An organised crime group (OCG) specialising in online fraud has been taken down by the Spanish National Police (Policía Nacional), supported by the Italian National Police (Polizia di Stato), Europol and Eurojust.

The OCG, linked to the Italian Mafia, was engaged in a wide range of online fraud activities such as phishing, SIM swapping and business email compromise (also known as CEO Fraud).  Hundreds of victims were defrauded and the illegal gains were laundered through a wide network of money mules and shell companies.  In just one year of operation the illegal profit is estimated at around €10 million.  The OCG was also involved in drug trafficking and property crime.

The successful combined police operation lasted over a year.

Overall results:

  • 106 arrests, mostly in Spain and some in Italy
  • 16 house searches
  • 118 bank accounts frozen
  • Seizures include many electronic devices, 224 credit cards, SIM cards and point-of-sale terminals, a marihuana plantation and equipment for its cultivation and distribution.

Criminal Network

The OCG was very well organised in a pyramid structure, which included different specialised areas and roles. Among the members of the criminal group were:

  • computer experts, who created the phishing domains and carried out the cyber fraud;
  • recruiters and organisers of the money muling;
  • and money laundering experts, including experts in cryptocurrencies.

Most of the suspected OCG members are Italian nationals, some of whom have links to Mafia organisations. The suspects, located in Tenerife in the Spanish Canary Islands, tricked their victims, mainly Italian nationals, into sending large sums to bank accounts controlled by the criminal network.

EFECCCross Border Cooperation

Europol facilitated the information exchange, the operational coordination and provided analytical support for the investigation. Two analysts and one forensic expert were deployed to Tenerife, and one analyst to Italy.  Europol also funded the deployment of three Italian investigators to Tenerife to support the Spanish authorities during the action day.

Europol’s Joint Cybercrime Action Taskforce (J-CAT) supported the operation. J-CAT is made up of cyber liaison officers from different countries who work from the same office on high profile cybercrime investigations.


The EAST Expert Group on Payment and Transaction Fraud (EPTF), which meets three times each year, focuses on the prevention of payment and transaction fraud, including SIM swapping and business email compromise, as well as related social engineering such as phishing.

To date the EAST EPTF has produced 20 Payment Alerts for EAST members, and has also published Fraud Terminology and Fraud Definitions to help standardise how fraud is categorised and reported.  The aim is for the terminology and definitions to be adopted globally when describing or reporting payment and terminal fraud.