Pirated Movie Download Caused Hacking of Spain’s 2gether Exchange

Key facts:
  • The stolen amount, in bitcoin and ether, is currently valued at around €7 million.

  • A 2gether employee downloaded a pirated movie that concealed Trojan malware.

Trojan malware hidden in a pirated movie was the gateway into the computer systems of the 2gether exchange, which suffered a hack and a million-euro theft of bitcoin (BTC) and ether (ETH) in 2020. According to Spain's Civil Guard, it was a highly sophisticated attack.

In an official release, the police force reported that its Cybercrime Department team arrested 5 people allegedly linked to the hack. Local media indicate that it could be the first case of its kind solved by the police in Spain.

As reported by CriptoNoticias, 2gether, a Madrid-based startup focused on buying, selling and custody services for bitcoin and other cryptocurrencies, was the target of a cyberattack at the end of July 2020. The managers reported that the attackers stole a number of cryptocurrencies, mostly bitcoin and ether, worth between 1.2 and 1.3 million euros. According to the police report, the stolen tokens currently have a value of EUR 6 million.


Through an investigation they named Operation 3Coin, the police discovered that the attackers used a Remote Access Trojan (RAT) to access the 2gether internal network. The malware entered the exchange's system after an unsuspecting employee downloaded a pirated copy of a superhero movie from a malicious website onto a work computer.

Image caption: The Spanish Civil Guard captured 5 people involved in the theft of bitcoin and ether from the Spanish exchange 2gether. Source: https://www.guardiacivil.es/es/prensa/noticias/8134.html#

An attack planned for 6 months

The attackers took about six months to fully understand how the cryptocurrency exchange operated before carrying out the theft. According to the statement, “once they knew all the procedures, characteristics and structure of the company”, the hackers accessed the system using “an interposed computer network” to order the transfer of the assets to a wallet under their control.

The investigation's findings allowed the police to identify and arrest the operator of the website from which the Trojan malware was distributed. Later, investigators found the other 4 people “who allegedly received part of the stolen cryptocurrencies.”

It was also learned that this week the police began to investigate another person, who was supposedly “exercising control” over the presumed leader of the group “through the consumption of drugs linked to rituals such as the Sapo Bufo” (alleged initiation trip with a hallucinogen).

The 2gether hack affected about 5,500 users who traded on the platform. The company had to face multiple complaints from those affected and even an attempted class action lawsuit. To stay in operation, it turned to crowdfunding, through which it raised EUR 1.2 million.