Modern bank robbers combine digital expertise with actors on the ground to accomplish thefts larger than ever before. Hackers can take control of interconnected computer networks by exploiting vulnerabilities in a single entity. Cybercriminals employ many payment instruments (cards, cash, crypto-assets) and channels (from ATMs to the SWIFT network) to hide their activities from incumbents and authorities.
Alongside natural disasters (the most recent being the Uri snowstorm in Texas and hurricane Ida in New Orleans), cybercrimes and cyberattacks demonstrate the vulnerability of digital financial infrastructures to disruptions and shutdowns. The computer networks of banks, payment processors, and ATM operators are no exception.
In 2008, hackers infiltrated the computer network of RBS WorldPay, the payment processor of the Royal Bank of Scotland Group. After raising the withdrawal limits on payroll debit cards and gift cards, the criminals employed gangs of cashers or money mules to withdraw funds in at least 280 cities worldwide. Cashers withdrew $9 million in less than 12 hours from over 2,100 ATMs.
“These types of cyber criminals use sophisticated hacking techniques to compromise computer systems and then utilize a global network of co-conspirators to withdraw millions of dollars from ATM machines around the world,” said Kenneth Cronin, U.S. Secret Service special agent.
In 2014, hackers attacked bank-owned ATMs in Ukraine using self-destructing malware that targeted the ATM software. Unlike jackpotting techniques that involve drilling or melting holes to connect to the ATM's black box, the schemers left the ATMs undamaged. The terminals were fully loaded with cash on Friday but found empty on Monday. The attack raised no alarms in the Ukrainian banks' computer systems.
“Large-scale international attacks on the ATM network already happened in the past, but never before were cybercriminals able to carry out such an attack affecting only the ATM network itself and leaving no trace at all,” said Denis Gasilin, head of marketing at SafenSoft, a Russian software security company.
Between 2010 and 2013, cyber thieves targeted Indian and U.S. card processors, banks in the United Arab Emirates, and the ATMs of commercial banks across the world. After raising the withdrawal limits for Visa and MasterCard prepaid debit cards, hackers employed cashers in at least 24 countries to withdraw funds from ATMs. In 2015, Germany deported the scheme’s main suspect to the United States.
“When you have a scheme like this, where the system can be manipulated to quickly get access to millions of dollars that in some sense did not exist before, it could be a systemic risk to our financial system,” said Kim Peretti, a former U.S. cybercrime prosecutor and partner in the law firm Alston & Bird.
Between 2013 and 2016, the “Carbanak” syndicate targeted banking entities worldwide. First, attackers sent spear-phishing e-mails to unsuspecting bank employees with attachments infected with the malware programs Carbanak and Cobalt. When employees opened the attachments, hackers gained access to their banks’ computer networks.
Hackers sent funds abroad via SWIFT transfers or withdrew them via remotely hacked ATMs. At preset times, ATMs spat out cash unprompted, without cards or PINs, and cashers were waiting to collect the funds.
Hackers converted cash into crypto-assets, buying prepaid cards linked to digital wallets. The thefts amounted to an estimated €1 billion. In 2018, after an investigation tying a 2016 incident in Taiwan to Belarus and Spain, Europol arrested the head of the Carbanak syndicate in Alicante.
“[Hackers] managed to get access to the whole banking system. They managed to remotely control ATMs and they managed to transfer money from one account to another. Due to the extreme level of complexity, banks did not realize they were coming under attack,” said Anton Shingarev, chief of staff at Kaspersky Lab.
North Korean hackers have targeted payment systems worldwide to procure hard currency for the country’s military since 2016, when they attempted to steal $951 million from the Central Bank of Bangladesh through computers with SWIFT access.
North Korean-sponsored units such as the BeagleBoyz and the Lazarus Group “have become the world’s leading bank robbers,” said John C. Demers, assistant attorney general for national security at the U.S. Department of Justice. North Korean hackers have infected the websites of financial regulators and government agencies, compromising their visitors’ servers, and have targeted crypto exchanges.
In 2021, North Korean attacks on cryptocurrency platforms extracted nearly $400 million worth of digital assets, one of their most successful years on record, according to blockchain research firm Chainalysis. A United Nations panel of experts monitoring North Korea sanctions has accused Pyongyang of using stolen funds to support its nuclear and ballistic missile programs and to circumvent sanctions.
In 2016, after stealing data from South Africa’s Standard Bank, North Korean hackers contracted the Japanese yakuza to hire local money mules to withdraw $16 million from roughly 1,700 7-Eleven ATMs using nameless debit cards. ATMs at 7-Eleven were the only terminals in the country accepting foreign cards.
In a 2017 attack, North Korean hackers stealing funds from the Taiwanese Far Eastern International Bank covered their tracks with a fake ransomware attack. The false criminal extortion hid ATM withdrawals around the world.
North Korean hackers have excelled in so-called FASTCash attacks against interbank payment switches and ATM operators such as Redbanc in Chile. Payment switches track and reconcile transactions between ATMs and commercial banks. By controlling a payment switch, hackers can operate ATMs worldwide at once, relying on local gangs of cashers to pick up the withdrawn funds in dozens of countries.
“If you can do this, then you no longer have to put malware on 500 ATMs. That’s the advantage, why it’s so clever,” said Kevin Perlow, technical threat intelligence team at a large financial institution, during the Black Hat 2020 security conference.
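The reconciliation role of the switch described above is also where a defender can look for the two signatures these cases share: approvals the issuing bank never authorised, and one card cashed out in several countries within minutes. The following is an added illustration, not code from the article or any named institution; the log formats, field names and transactions are constructed for the example.

```python
"""Reconciliation check for an interbank payment switch (constructed example).

Two constructed logs: what the switch told ATMs (approved/declined) and what the
issuing bank's core system actually authorised. An approval the issuer never saw
is the signature of a compromised switch; the same card cashed out in several
countries within minutes is the signature of a coordinated casher network.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data, not real transactions.
SWITCH_LOG = [
    # txn_id, card (masked), amount, country, UTC timestamp, switch response
    ("t1", "4111**1111", 500, "US", "2021-03-05T01:00:00", "APPROVED"),
    ("t2", "4111**1111", 500, "JP", "2021-03-05T01:03:00", "APPROVED"),
    ("t3", "4111**1111", 500, "CL", "2021-03-05T01:04:30", "APPROVED"),
    ("t4", "5500**2222", 100, "US", "2021-03-05T01:05:00", "APPROVED"),
    ("t5", "5500**3333", 300, "DE", "2021-03-05T01:06:00", "DECLINED"),
]
ISSUER_AUTHS = {"t4"}  # txn_ids the core banking host actually authorised


def orphan_approvals(switch_log, issuer_auths):
    """Approvals the switch issued with no matching issuer authorisation."""
    return [t[0] for t in switch_log if t[5] == "APPROVED" and t[0] not in issuer_auths]


def multi_country_bursts(switch_log, window=timedelta(minutes=10), min_countries=2):
    """Cards approved in >= min_countries distinct countries within one window."""
    by_card = defaultdict(list)
    for txn_id, card, amount, country, ts, resp in switch_log:
        if resp == "APPROVED":
            by_card[card].append((datetime.fromisoformat(ts), country))
    alerts = {}
    for card, events in by_card.items():
        events.sort()
        # Slide a window from each approval; alert on the first burst found.
        for i, (start, _) in enumerate(events):
            countries = {c for t, c in events[i:] if t - start <= window}
            if len(countries) >= min_countries:
                alerts[card] = sorted(countries)
                break
    return alerts
```

Running both checks on the sample flags t1, t2 and t3 as approvals the issuer never saw and the first card as cashed out in three countries within five minutes.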