Operation Pandora: over 56,400 cultural items confiscated and 67 arrests

Despite the restrictions imposed due to the COVID-19 pandemic, Operation Pandora, which combats the illegal trafficking of cultural items, enjoyed its most successful year to date in 2020, with over 56,400 cultural items confiscated. These objects included archaeological remains, furniture, coins, paintings, musical instruments and sculptures.

Pandora V took place between 1 June and 31 October 2020, with the participation of the Customs and police authorities of 31 different countries.

During the operational phase the authorities conducted tens of thousands of checks not only at various airports, ports and border crossings, but also in auction houses, museums and private houses. As a result, over 300 investigations were opened and 67 individuals were arrested.

Given the global nature of these crimes, operational coordination units working on a 24/7 basis were created by Europol, on the one hand, and by the World Customs Organisation (WCO) and INTERPOL, on the other, so as to promote the exchanging of information and to transmit alerts and warnings and carry out investigations in various national and international databases.

This operation was directed by the Spanish Civil Guard with internationally coordinated support from Europol, INTERPOL and the WCO. Pandora V was carried out within the framework of the European Multidisciplinary Platform Against Criminal Threats (EMPACT).

Noteworthy operational data relating to the Pandora V operation

• A total of 27,300 archaeological remains were seized as a result of a single operation undertaken by the French Customs authorities. The suspect arrested now faces a prison sentence and a fine of several hundred thousand euros.

• During investigations on the Internet, Swedish police identified a popular work of art stolen in Sweden in 2019. During the same online auction, the police discovered a pair of 18th-century candelabra stolen from a Swedish church 8 years ago.

• The Italian Carabinieri reported over 2,700 cultural items confiscated, including ceramics, archaeological items, works of art and books for a value of 1,115,000 euros.

• The Greek police carried out 34 arrests and recovered a total of 6,757 antiques, including ceramic and marble artefacts, together with 6,452 coins, of which 5,333 were recovered in one single investigation. In one case, two Greek citizens were arrested for trying to sell 6 antiques made of marble and earthenware for 150,000 euros.

A total of 50 metal detectors were seized, of which 6 were seized directly from archaeological sites.

Europol, as the joint coordinator of this investigation, played a key role in carrying out the entire operation, facilitating the exchange of information and providing analytical and operational support. The WCO also assisted in the exchanging of intelligence between different agencies through a special user group created on its CENComm communications platform.

INTERPOL provided the connection between the participating countries in Western Europe and the Balkans, facilitating the exchanging of information through its system of secure communications.  An expert analyst provided support for the entire operation by checking the searches on the INTERPOL database of stolen works of art in order to locate and identify the stolen articles.


Aquest apunt en català / Esta entrada en español / Post en français

Combating child abuse online

The European Council and Parliament have reached an interim agreement on a temporary measure to allow providers of electronic communications services, such as web-based email and messaging services, to continue to detect, remove and report child sexual abuse online until permanent legislation announced by the European Commission is in place.

Protecting children against any form of violence or abuse is paramount for the EU. According to Portuguese Minister of State for the Economy and Digital Transition, Pedro Siza Vieira, they have agreed on effective and enforceable temporary rules to ensure that the activities of detecting, removing and reporting illegal material that certain electronic service providers carry out, purely on a voluntary basis, can continue, and the perpetrators can be caught and prosecuted.

In December 2020, the European Electronic Communications Code (EECC) entered into application, bringing with it a new definition of electronic communications services. This definition encompasses ‘number-independent interpersonal communications services’ (NI-ICS), which includes messaging services.

Some NI-ICS providers have been using specific technologies to detect child sexual abuse material on their services in order to remove and report it to law enforcement authorities for criminal prosecution.

As the ePrivacy directive of 2002, which ensures the confidentiality of communications and personal data in the electronic communications sector, relies on the definition of electronic communications services in the Code, NI-ICS are now subject to the confidentiality rules of the ePrivacy directive rather than those of the General Data Protection Regulation (GDPR). In contrast to the GDPR, the ePrivacy directive does not contain a legal basis for the voluntary processing of content or traffic data for the purpose of detecting child sexual abuse. Therefore, for services falling within the scope of the ePrivacy directive, a specific derogation is needed so that these valuable practices can continue.

The agreement provides for a derogation to articles 5.1 and 6.1 of the ePrivacy directive to allow providers to continue to detect, remove and report child sexual abuse material, and apply anti-grooming technologies. The Charter of Fundamental Rights and the GDPR will continue to apply in any case, and a number of extra safeguards will guarantee that privacy online is respected.

The Commission has announced that it will propose overarching legislation to tackle child sexual abuse online by the second quarter of 2021. That legislation will aim to provide a long-term solution to replace this temporary measure.

The interim regulation will apply for three years or until an earlier date if the permanent legal instrument is adopted by the legislators and repeals these temporary rules before then.


Aquest apunt en català / Esta entrada en español / Post en français

Serious and organised crime in the European Union

Europol has recently published a threat assessment of serious and organised crime in the European Union (EU), the SOCTA 2021. Published every four years, the SOCTA presents a detailed analysis of the threat of serious and organised crime facing the EU.

The SOCTA 2021 details the operations of criminal networks in the EU and how their criminal activities and commercial practices threaten to infiltrate and undermine our societies, economies and institutions, slowly weakening the rule of law. The report provides unprecedented information on Europe’s criminal underworld based on the analysis of thousands of cases and information supplied o Europol.

The key findings to come out of the SOCTA 2021 include:

Serious and organised crime has never posed such an extreme threat to the EU and its citizens as it does today.

The COVID-19 pandemic, and the economic and social consequences expected to follow, threaten to create the ideal conditions for organised crime to spread throughout the EU and beyond. A key characteristic of criminal networks, once more confirmed by the pandemic, is their agility in adapting to and capitalising on changes in the environment in which they operate.

Similar to a business environment, the core of a criminal network is composed of managerial layers and field operators. This core is surrounded by a range of actors linked to the crime infrastructure providing support services.

With close to 40% of criminal networks involved in the manufacture and trafficking of drugs, it remains the most significant criminal activity in the EU.

The traffic and exploitation of human beings, smuggling of immigrants, online and offline fraud and property crimes pose significant threats to EU citizens.

Criminals use corruption. Almost 60 % of the criminal groups reported on engage in corruption.

Criminals earn and launder billions of euros every year. The scale and complexity of money laundering activities in the EU have previously been underestimated. Professional money launderers have established a parallel underground financial system and use any means to infiltrate and undermine European economies and societies.

Legal business structures are used to facilitate virtually all types of criminal activity with an impact on the EU. More than 80 % of the criminal networks active in the EU use legal business structures for their illegal activities.

The use of violence by criminals involved in serious and organised crime in the EU appears to have been increasing in terms of the frequency of use and its severity. The threat from violent incidents has been augmented by the frequent use of firearms or explosives in public.

Criminals are digitally proficient. Virtually all criminal activities now feature some online component, and many crimes have migrated completely online. Criminals exploit encrypted communications to network with each other and use social media and instant messaging services to reach a larger audience to advertise illegal goods or spread disinformation.


Aquest apunt en català / Esta entrada en español / Post en français

Ransomware poses the most significant cybersecurity threat

According to those responsible for protecting organisations from hackers and cyber attacks, ransomware is the most significant cybersecurity threat faced by companies today.

A survey of information security professionals conducted by cybersecurity firm Proofpoint concludes that ransomware is expected to pose the main cybersecurity threat to their organisations over the next year. This opinion was shared by almost half (46%) of the respondents, together with other forms of external extortion by strangers.

Ransomware remains one of the most damaging types of cyberattacks. At the same time, for cybercriminals, encrypting networks and demanding bitcoins in exchange for the decryption key is the easiest and quickest way to make a substantial amount of money from a hijacked network.

A significant percentage of organisations will pay the ransom (which can amount to millions of dollars) because they see it as the fastest way to restore the network with the least additional inconvenience to the business. And it’s because these ransoms are often paid that ransomware continues to be such an attractive and lucrative option for cybercriminals.

Some of the other cyberattacks also considered some of the most problematic threats this year include phishing and business email compromise attacks.

While not as visible as ransomware attacks, all of these cyber-threats can cause problems for organisations, especially if hackers can combine attacks like phishing with attacks that compromise cloud-account login credentials to gain access to networks.

These types of attacks are often used in the early stages of efforts to compromise networks with ransomware, so protecting the network against a particular form of cyberattack can also help protect it from others.

Fortunately, improving security in one way or another seems to be a priority for the vast majority of organisations, if not all. However, cybercriminals will also endeavour to adapt and evolve. This is why organisations must allow no room for complacency when it comes to cybersecurity and having a solid understanding of their own networks.


Aquest apunt en català / Esta entrada en español / Post en français

What’s behind the worst prison massacre in Ecuador’s history?

The numbers are staggering, and the images of the violence that erupted inside several of Ecuador’s prisons in late February, even more so.

At least 79 inmates died in clashes between rioting rival gangs in prisons in Cuenca, Guayaquil and Latacunga. Even more disturbing is the extreme cruelty and violence of their members, which was exposed by the images of beheaded and dismembered bodies circulated on social media.

The South-American country is no stranger to prison violence. Ecuadorian President Lenin Moreno has had to order a state of emergency in the country’s prisons twice in the past two years. But what happened to bring about the worst prison massacre in the country’s history?

Firstly, an increase in drug trafficking. More than a third of the drugs produced in Colombia transit through Ecuador on their way to Europe and the United States. Ecuadorian gangs are not just arguing for the sake of it; in recent years, Ecuador has become the cocaine highway to the U.S. and Europe. This can be attributed to a shift in the strategy of Colombian drug traffickers, which means that more than a third of the growing cocaine production in Colombia currently reaches Ecuador.

Secondly, austerity. The increase in drug trafficking has translated to an increase in Ecuador’s prison population, which has not been matched by an improvement in monitoring and surveillance capabilities. In addition, as part of the austerity plans agreed with the International Monetary Fund, these sectors have also been affected by cuts, which at the time led to a wave of protests.

The government has had to turn to the army to deal with the violence in prisons. One of the consequences of the shortage of resources is a 70% deficit in the personnel needed to oversee prison security. With numbers like that, prison wardens have to be responsible for an average of almost 27 inmates, while the international standard recommends a ratio of one warden for every nine prisoners. This may help to explain the relative impunity with which drug traffickers operate inside prisons and the abundance of weapons inside penitentiary centres.

Lastly, overcrowding, which continues to hinder the proper management of Ecuadorian prisons. According to the Human Rights Council (HRC), Ecuador’s prison capacity is 28,500 people. But in May 2019, when the state declared the first state of emergency, there were 41,836 inmates in its prisons: an overpopulation of 42%.

As Insight Crime explains, overcrowding in prisons is a regional phenomenon that leads to human rights problems and a lack of control over prison systems. Being forced to intern the members of rival gangs in the same centres has also contributed to the bloody clashes in prisons.


Aquest apunt en català / Esta entrada en español / Post en français

Emotet, the most dangerous malware in the world, has been neutralised

Law enforcement and judicial authorities have succeeded in disrupting one of the most significant botnets of the past decade: Emotet. Investigators have now taken control of its infrastructure in a coordinated international action.

Emotet was one of the most professional and long-lasting cybercrime services out there. First discovered as a banking Trojan in 2014, the malware evolved into a go-to solution for cybercriminals over the years. The Emotet infrastructure essentially acted as a primary door opener for computer systems on a global scale. Once this unauthorised access was established, it was sold to other top-level criminal groups who used it to deploy further illicit activities such as data theft and extortion.

The Emotet group managed to take email as an attack vector to the next level. Through a fully automated process, Emotet malware was delivered to victims’ computers via infected email attachments. A variety of different lures were used to trick users into opening these malicious attachments. In the past, Emotet email campaigns have also been presented as invoices, shipping notices and information about COVID-19.

All these emails contained malicious Word documents, either attached to the email itself or downloadable by clicking on a link within the email. Once a user opened one of these documents, they could be prompted to “enable macros” so that the malicious code hidden in the Word file could run and install Emotet malware on a victim’s computer.

Many botnets like Emotet are polymorphic. This means the malware changes its code each time it is used. Since many antivirus programmes scan the computer for known malware codes, a code change can make it harder to detect, allowing the infection to go initially unnoticed.

Thus, Emotet was much more than just simple malware. What made it so dangerous is that it was rented out to other cybercriminals who used it to install different types of malware, such as banking Trojans or ransomware, on a victim’s computer.

This type of attack is called a ‘loader’ operation, and given that other malware operators like TrickBot and Ryuk were able to benefit from it, Emotet was considered one of the most prominent players in the cybercrime world.

The infrastructure used by Emotet involved several hundreds of servers located all over the world. Each one had different functionalities designed to manage victims’ infected computers, spread the malware to new ones, serve other criminal groups, and, ultimately, make the network more resilient to takedown attempts.

To severely disrupt the Emotet infrastructure, law enforcement agencies teamed up to create an effective operational strategy. Eventually, law enforcement and judicial authorities gained control of the infrastructure and took it down from the inside. Victims’ infected machines were redirected towards this law enforcement-controlled infrastructure. This is a unique and new approach to effectively disrupting the activities of cybercriminals.

The operation was the result of a collaborative effort between authorities in the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine, with international activity coordinated by Europol and Eurojust. It was carried out within the framework of the European Multidisciplinary Platform Against Criminal Threats (EMPACT).


Aquest apunt en català / Esta entrada en español / Post en français

Cyber-attacks on the healthcare sector increase by 45%

Cyber-attacks on global healthcare organisations increased at more than double the rate of those targeting other sectors in the last two months of 2020.

The latest data from security vendors covers the period from the beginning of November to the end of 2020, and compares it with the previous two months (September-October).

It revealed a 45% increase in attacks on the healthcare sector, versus less than half this figure (22%) for all other sectors. November was particularly bad, with the healthcare sector suffering 626 weekly attacks on average per organisation, compared with 430 in the previous two months.

Although the attacks span a variety of categories — including ransomware, botnets, remote code execution and DDoS — perhaps unsurprisingly, it is ransomware that displayed the largest increase overall and poses the biggest threat.

In fact, financially motivated cybercriminals have been going after the healthcare sector since the start of the COVID-19 crisis, well aware that hospitals and clinics are distracted with the huge surge in cases coming through their doors.

In April, Microsoft revealed how these groups are increasingly using more tactics to gain a foothold in networks, perform lateral movements and credential theft, and exfiltrate data before deploying their ransomware payload.

Central Europe experienced the biggest rise in cyber-attacks on its healthcare sector during the period (145%), followed by East Asia (137%) and Latin America (112%).

Europe recorded a 67% increase, although Spain saw attacks double and Germany recorded a 220% surge. Although North America (37%) saw the smallest rise regionally, Canada experienced the biggest increase of any country, at 250%.

Last year, a number of hospital networks across the globe were successfully hit with ransomware attacks, making cybercriminals hungry for more.

Furthermore, the usage of Ryuk ransomware emphasises the trend of having more targeted and tailored ransomware attacks rather than using a massive spam campaign. This allows the attackers to make sure they hit the most critical parts of the organisation and have a higher chance of getting their ransom paid.

Virtual patching, employee education and being on guard at weekends, when attackers often strike, are crucial tools in the fight against cybercriminals.


Aquest apunt en català / Esta entrada en español / Post en français

2020 cybercrime report

Europol published its Internet Organised Crime Threat Assessment (IOCTA) last October. The IOCTA seeks to inform decision makers on a strategic, tactical and operational level about the threats posed by cybercrime. The 2020 IOCTA helps to set the priorities for the 2021 operational action plans, which follow the three priorities defined below:

1) To interrupt criminal activities related to computer system attacks.

2) To fight against the sexual abuse and sexual exploitation of children, including the production and transfer of material.

3) To target criminals involved in fraud and counterfeiting of non-cash payment methods, including large-scale payment card fraud (especially non-card fraud), emerging threats for other non-cash payment methods and the possibility of activities.

In addition, the IOCTA seeks to consolidate findings on current cyberthreats, which could contribute to the discussion on research and development priorities as well as planning on an EU level.

The outbreak of the COVID-19 pandemic has demonstrated the unfortunate potential of this crisis on our daily lives around the world. As physical boundaries became the norm, cybercrime has become more prominent than ever before. In any case, the COVID-19 pandemic demonstrated how cybercrime remains the same. However, cybercriminals are adapting the specific characteristics of their approach to the social context with a view to improving their success rate. The difference with COVID-19 is that, owing to the physical restrictions implemented in order to prevent the spread of the virus, which led to an increase in people working from home and accessing business resources remotely, many people and companies, who did not previously hold such an online presence, are now a lucrative target.

Traditional cybercrimes, such as phishing and cyber-skill scams, quickly exploited social vulnerabilities, with many citizens and businesses seeking information, answers and sources of help during this time. The spread of misinformation increases the chance of cybercrime occurring. The pandemic also gave rise to misinformation campaigns and activities.

Social engineering remains a major threat in the facilitation of other kinds of cybercrimes. The use of encrypted chat applications and industry proposals to expand this market entails a substantial risk of abuse, and makes it difficult for law enforcement agencies to detect and investigate criminal activity online.

Online communities of cybercriminals present considerable resistance and are continually evolving. Finally, live streaming of child sexual abuse continues to increase, and has become even more frequent during the COVID-19 pandemic.


Aquest apunt en català / Esta entrada en español / Post en français

How COVID-19 is affecting crime

Last month, Europol published a report on how COVID-19 has been affecting crime and terrorism in the EU.

While the pandemic is first and foremost a global public health crisis, it has also proven to have a significant and potentially long-lasting impact on the organised crime and terrorism landscape in Europe, as well as the ability of Member State law enforcement authorities to counter security threats.

While Europe is in the grip of a second wave of the pandemic, the impact of COVID-19 on crime has changed over time. Although some types of crime are here to stay, others come and go with the evolution of the pandemic and its measures. Greater awareness has, however, reduced the impact of some types of crime.

Europol’s report highlights some of the criminal activities to have gained prominence, such as the distribution of counterfeit personal protective equipment, and fake pharmaceutical and sanitary products. An increase in robberies of medical facilities and pharmacies has also been reported.

The area of child sexual abuse has remained a grave concern during the pandemic; with children spending more time online, the risk is potentially increased.

While the number of domestic robberies and common thefts has generally declined in the immediate aftermath of the introduced COVID-19 control measures, these crimes have been on the rise since the easing of the lockdown restrictions. There has been a notable rise in the number of reported robberies of unoccupied commercial premises, ATM attacks, copper theft and light construction vehicle theft.

Criminals have also used various types of schemes involving deception, such as the impersonation of representatives from public authorities or medical staff to gain access to private homes and businesses and steal from them.

Pandemic-themed campaigns have appeared across a wide range of cybercrime activities, including phishing campaigns, ransomware, malware and business email compromise attacks. Healthcare and health-related organisations have also been targeted and fallen victim to ransomware attacks.

The impact of the crisis on the EU drug market appears to have been limited. Some criminals had adapted their modus operandi for the distribution of drugs in order to circumvent barriers. An increase in violence and tensions between drug users has also been identified.

The impact of the pandemic on terrorism and violent extremism has been limited and primarily involved some extremists adapting narratives and propaganda materials to the COVID-19 topic.


Aquest apunt en català / Esta entrada en español / Post en français

Has the Government of El Salvador entered into agreements with the “maras”?

A few days ago, the Salvadoran newspaper El Faro reported that the country’s steep decline in homicides, hailed as the Government’s main achievement during Nayib Bukele’s little over a year-long leadership, was being called into question by a press investigation which claims the success can be attributed to a pact with the ‘mara’ Salvatrucha gang (MS13).

The newspaper published a report, citing official documents and statements from one of the gang’s leaders, which suggest the Government has been in negotiations with MS13 since June 2020, and that the pact would include electoral favours during the 2021 elections.

El Faro’s investigation indicates that negotiations between the Government and the “maras” include the groups’ commitment to back the current officialdom in the election next February. In return, the government has allegedly promised to repeal laws and weaken the maximum security regime in prisons if Bukele’s Nuevas Ideas party gains control of the Legislative Assembly and wins the right to choose the 84 MPs and 262 local governments.

Meanwhile, according to police data, between January the 1st and September the 2nd this year, there were 829 homicides in the country. This figure represents a reduction of approximately 56% on the 1,871 violent deaths recorded during the same period in 2019.

If this trend continues, El Salvador will close 2020 with around 1,200 homicides, representing a murder rate of 18 per 100,000 inhabitants, its lowest figure since 1994.

The “maras” have been declared a terrorist group by El Salvador’s Supreme Court. Therefore, as the evidence supporting the Government’s alleged dialogue with the group mounts and the voices denouncing these links gain credibility, the US State Department and the North-American Congress are becoming increasingly concerned.

Despite the investigative reports, El Salvador’s president, Nayib Bukele, denied his government had made a pact with the “mara” Salvatrucha (MS13) gang to reduce the number of assassinations in exchange for more beneficial custodial terms. Bukele pointed out that the same people who had previously accused the Government of violating the terrorists’ human rights were now accusing it of granting them privileges.

The president recalled the events of last April when the “maras” increased the daily average number of murders for several days. In response, the Salvadoran Government ordered the prisons to confine the “maras” to their cells 24 hours a day, fix metal plates to the bars of their cell doors to prevent them communicating with signals, and ensure gang members were mixed in their cells, regardless of whether they belonged to rival gangs.

However, according to the El Faro newspaper, the decision to mix different gang members in the same prison cell was later repealed following talks between government officials and the heads of the criminal organisations; an accusation denied by the Government.


Aquest apunt en català / Esta entrada en español / Post en français