Smooth Criminals: Hackers, Cashers, and Global Money Heists

Categories : Cash does not require a technology infrastructure, Cash generates security, Costs of cash versus costs of electronic payment instruments
February 15, 2022
Tags : ATMs, Cryptocurrency, Cyberattacks, Digital payments, Technology
Hackers have long exploited computer vulnerabilities to rob banks remotely. These cybercrimes entail severe risks to banking systems worldwide.
Manuel A. Bautista-González

Ph.D. in U.S. History, Columbia University in the City of New York

Post-Doctoral Researcher in Global Correspondent Banking, 1870-2000 – Mexico and South America, University of Oxford

This post is also available in: Spanish

Modern bank robbers combine digital expertise with actors on the ground to accomplish thefts larger than ever before. Hackers can take control of interconnected computer networks by exploiting vulnerabilities in a single entity. Cybercriminals employ many payment instruments (cards, cash, crypto-assets) and channels (from ATMs to the SWIFT network) to hide their activities from incumbents and authorities.

Alongside natural disasters (the most recent being the Uri snowstorm in Texas and Hurricane Ida in New Orleans), cybercrimes and cyberattacks demonstrate the vulnerability of digital financial infrastructures to disruptions and shutdowns. The computer networks of banks, payment processors, and ATM operators are no exception.

RBS WorldPay

In 2008, hackers infiltrated the computer network of RBS WorldPay, the payment processor of the Royal Bank of Scotland Group. After raising the withdrawal limits on payroll debit cards and gift cards, the criminals employed gangs of cashers, or money mules, to withdraw funds in at least 280 cities worldwide. Cashers withdrew $9 million in less than 12 hours from over 2,100 ATMs.

“These types of cyber criminals use sophisticated hacking techniques to compromise computer systems and then utilize a global network of co-conspirators to withdraw millions of dollars from ATM machines around the world,” said Kenneth Cronin, U.S. Secret Service special agent.

Target: Ukrainian ATMs

In 2014, hackers attacked bank-owned ATMs in Ukraine using self-destructing malware targeting ATM software. Unlike jackpotting techniques that involve drilling or melting holes to connect a black-box device to the ATM, the schemers left the ATMs undamaged. The terminals were fully loaded with cash on Friday but found empty on Monday. The attack raised no alarms in Ukrainian banks’ computer systems.

“Large-scale international attacks on the ATM network already happened in the past, but never before were cybercriminals able to carry out such an attack affecting only the ATM network itself and leaving no trace at all,” said Denis Gasilin, head of marketing at SafenSoft, a Russian software security company.

Global Bank Robbers

Between 2010 and 2013, cyber thieves targeted Indian and U.S. card processors, banks in the United Arab Emirates, and the ATMs of commercial banks across the world. After raising the withdrawal limits for Visa and MasterCard prepaid debit cards, hackers employed cashers in at least 24 countries to withdraw funds from ATMs. In 2015, Germany deported the scheme’s main suspect to the United States.

“When you have a scheme like this, where the system can be manipulated to quickly get access to millions of dollars that in some sense did not exist before, it could be a systemic risk to our financial system,” said Kim Peretti, a former U.S. cybercrime prosecutor and partner in the law firm Alston & Bird.

The Carbanak Attacks

Between 2013 and 2016, the “Carbanak” syndicate targeted banking entities worldwide. First, attackers sent spear-phishing e-mails to unsuspecting bank employees with attachments infected with the malware programs Carbanak and Cobalt. When employees opened the attachments, hackers gained access to their banks’ computer networks.

Hackers sent funds abroad via SWIFT transfers or withdrew them via remotely hacked ATMs. At specific times, ATMs spat out cash unprompted, without cards or PINs, and cashers would be ready to collect the funds.

Hackers converted cash into crypto assets by buying prepaid cards linked to digital wallets. The thefts amounted to an estimated €1 billion. In 2018, after an investigation tying a 2016 incident in Taiwan to Belarus and Spain, Europol arrested the head of the Carbanak syndicate in Alicante.

“[Hackers] managed to get access to the whole banking system. They managed to remotely control ATMs and they managed to transfer money from one account to another. Due to the extreme level of complexity, banks did not realize they were coming under attack,” said Anton Shingarev, chief of staff at Kaspersky Lab.

North Korea Strikes Back

North Korean hackers have targeted payment systems worldwide to procure hard currency for the country’s military since 2016, when they attempted to steal $951 million from the Central Bank of Bangladesh through computers with SWIFT access.

North Korean-sponsored units such as the BeagleBoyz and the Lazarus Group “have become the world’s leading bank robbers,” said John C. Demers, assistant attorney general for national security at the U.S. Department of Justice. North Korean hackers have infected the websites of financial regulators and government agencies, compromising their visitors’ servers, and have targeted crypto exchanges.

In 2021, North Korean attacks on cryptocurrency platforms extracted nearly $400 million worth of digital assets, one of its most successful years on record, according to blockchain research firm Chainalysis. A United Nations panel of experts monitoring North Korea sanctions has accused Pyongyang of using stolen funds to support its nuclear and ballistic missile programs to circumvent sanctions.

Pyongyang’s ATM Heists

In 2016, after stealing data from South Africa’s Standard Bank, North Korean hackers contracted the Japanese yakuza to hire local money mules to withdraw $16 million from roughly 1,700 7-Eleven ATMs using nameless debit cards. ATMs at 7-Eleven were the only terminals in the country accepting foreign cards.

In a 2017 attack, North Korean hackers who stole funds from Taiwan’s Far Eastern International Bank covered their tracks with a fake ransomware attack. The false extortion hid ATM withdrawals around the world.

North Korean hackers have excelled in so-called FASTCash attacks against interbank payment switches and ATM operators such as Redbanc in Chile. Payment switches track and reconcile transactions between ATMs and commercial banks. By controlling a payment switch, hackers can operate ATMs worldwide at once, relying on local gangs of cashers to pick up the withdrawn funds in dozens of countries.

“If you can do this, then you no longer have to put malware on 500 ATMs. That’s the advantage, why it’s so clever,” said Kevin Perlow, of the technical threat intelligence team at a large financial institution, during the Black Hat 2020 security conference.
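Two controls a bank or switch operator can run over its own records follow from the section above: reconciling the withdrawals a payment switch reports as approved against the issuing bank’s own authorization records (a compromised switch can approve on the bank’s behalf), and spotting the cash-out pattern common to the heists described on this page, one card withdrawn in many cities within a short window. This is an added illustration, not code from the post or from any switch vendor; the record layout and the sample log lines are constructed for the example.

```python
"""Reconciliation and cash-out checks over constructed switch records.
The field names (card, amount, city, ts, auth_id) are an assumed layout,
not any real payment switch's message format."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed switch log: withdrawals the switch reported to ATMs as approved.
SWITCH_APPROVALS = [
    {"card": "4111****0001", "amount": 500, "city": "Lagos", "ts": "2022-02-11T22:01:00", "auth_id": "S-001"},
    {"card": "4111****0001", "amount": 500, "city": "Nairobi", "ts": "2022-02-11T22:05:00", "auth_id": "S-002"},
    {"card": "4111****0001", "amount": 500, "city": "Santiago", "ts": "2022-02-11T22:40:00", "auth_id": "S-003"},
    {"card": "4111****0002", "amount": 200, "city": "Madrid", "ts": "2022-02-12T09:10:00", "auth_id": "S-004"},
    {"card": "4111****0003", "amount": 1000, "city": "Kyiv", "ts": "2022-02-12T02:00:00", "auth_id": "S-005"},
    {"card": "4111****0003", "amount": 1000, "city": "Warsaw", "ts": "2022-02-12T02:10:00", "auth_id": "S-006"},
    {"card": "4111****0003", "amount": 1000, "city": "Berlin", "ts": "2022-02-12T02:20:00", "auth_id": "S-007"},
]
# Constructed issuer log: authorization ids the bank's core system actually issued.
# Card ...0001 never reached the issuer: the switch answered for it.
ISSUER_AUTHS = {"S-004", "S-005", "S-006", "S-007"}


def find_unbacked_approvals(switch, issuer):
    """Approvals the switch sent out that the issuing bank never authorized.
    A non-empty result is the signature of a switch approving on its own."""
    return [rec for rec in switch if rec["auth_id"] not in issuer]


def find_cashout_bursts(switch, window=timedelta(hours=1), min_cities=3):
    """Cards withdrawn in at least `min_cities` distinct cities within `window`.
    Returns {card: sorted list of cities} for every card that trips the rule."""
    by_card = defaultdict(list)
    for rec in switch:
        by_card[rec["card"]].append((datetime.fromisoformat(rec["ts"]), rec["city"]))
    flagged = {}
    for card, events in by_card.items():
        events.sort()  # chronological, so a window can start at each event
        for i, (start, _) in enumerate(events):
            cities = {city for ts, city in events[i:] if ts - start <= window}
            if len(cities) >= min_cities:
                flagged[card] = sorted(cities)
                break
    return flagged


if __name__ == "__main__":
    for rec in find_unbacked_approvals(SWITCH_APPROVALS, ISSUER_AUTHS):
        print("no issuer authorization:", rec["card"], rec["city"], rec["auth_id"])
    for card, cities in find_cashout_bursts(SWITCH_APPROVALS).items():
        print("cash-out burst:", card, cities)
```

Note that card ...0003 is fully issuer-backed yet still flagged by the burst rule: a card whose limits were raised by an intruder, as in the RBS WorldPay case, produces legitimate-looking authorizations, so the two checks catch different failure modes and should both run.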