How ATMs Become Jackpot Giving Slot Machines.

In 2011, Barnaby Jack (director of IOActive) demonstrated, in an MIT Technology video, how it was possible to hijack an ATM, locally or remotely, so that cash could be extracted from it.


In April this year, Harry Hamburg of Exponential Investor stated that over $1.25 billion had been “jack-potted” out of cash machines, in over 40 countries, since 2013. That is, the money had been obtained illegally, remotely, by hacking the ATM software protection.

Harry continued:

“Of course, had you managed to be at the right cash machine at the right time to collect this money, you’d have had to fight off a “money mule” to get it.

In fact, it was just one criminal gang, known as Carbanak.

Carbanak is responsible for what must be, by far, the biggest bank heist in history. The fact is, no one actually knows how much money it has stolen altogether.

A 2015 report by Kaspersky Lab put the figure around $1.25 billion. But that was before Carbanak developed its most sophisticated techniques. And it continued to operate until its alleged mastermind was caught last month.”

It is not clear whether this individual actually is ‘Mr. Big’ – the scale of the operation suggests it is not just one person masterminding the whole thing and the person arrested was not that bright about how the ill-gotten gains were used.

So, there is every chance Carbanak can still be stealing billions from banks, all around the world.

How Was this Achieved?
‘Bad’ software, malware as it has become known, appears to have gained entry via an email attachment. This particular brand of malware is called Carbanak and it has also become the name of the gang involved in the perpetration of the robbery.

An email appears to have been sent to bank employees that was designed to look like it was coming from another employee, with an attached Word document. And the Word document contained the malware.
We would never fall for that one, would we?

The reason the “WannaCry” hack (which caused international problems across a range of organisations, and to which the UK’s National Health Service was particularly prone) was so successful was that most of our institutions are woefully inept with computers. So inept that many of them – such as much of the NHS – kept their systems running on Windows XP. Windows XP is decades old and no longer receives security updates. WannaCry had no effect on up-to-date systems.

Once Carbanak malware got “in” the bank’s system, it replicated and infected more computers. It allowed the hackers to see what was happening on infected computers’ screens. The hackers could then see how real transactions and money moving looked.

“The hackers then used their malware to take control of the system and fake real transactions. They created extra money and then got cash machines to release it.

They had a network of money mules who were told which cash machines to wait at and when. Then these mules just collected the free money.

The money was then laundered – much of it through bitcoin (which, if you ever read my article on Monero, you’ll know isn’t very hard to trace).

Europol has made the infographic below.

Has the “mastermind” Been Caught?

This is how the tracking down was reported. Decide for yourself whether they have the person at the top of this organisation.

As “Wired” reported:

The key to tracking the man down to his Alicante home was through Taiwan and Belarus, Ruiz says. A report from Europol and security company Trend Micro published last year details how both countries saw ATMs dispensing cash to mules.

The report says $2.5m (£1.78m) was stolen from 41 Wincor Nixdorf ATMs operated by First Commercial Bank in Taiwan during July 2016 “without using cash cards or even touching the PIN pads”. After the attack arrests were made and malware was found within the bank’s system. “These were one of the typical ATM network attacks in Taiwan. They got access to the network in Taiwan and cashed out the money to mules,” Ruiz says.

“The police were able to arrest a number of these mules so we started to co-operate with Taiwan to see where this was coming from. This was an important element as this led to a group in Belarus and there we were able to connect this target. We were able to connect Taiwan, Belarus and Spain through the information exchanged with partners.”

Europol says “criminal profits” were laundered via cryptocurrencies. “Prepaid cards linked to the cryptocurrency wallets which were used to buy goods such as luxury cars and houses,” the international agency said in its statement.

A report in El Mundo, Spain’s second-largest newspaper, claims Denis K [the mastermind] owned 15,000 bitcoins (currently valued around £84m) at the time of his arrest. Catalan newspaper El Periódico de Catalunya reported that the arrested man lived with his wife and son, drove two BMWs and had jewellery valued at €500,000 within the home.

If you’ve ever seen any crime film or TV show, you’ll know flashing your cash isn’t a very good plan. Yet this mastermind had two BMWs and half a million euros’ worth of jewellery.

Europol also don’t give any information about how they actually tracked him down. Would mules really know very much about the people at the top of this sort of setup?

It ought to make a good film. However, this sort of thing does not get a great deal of media air-time, even in the current news silly season of August.

Why you’ve probably never heard about it

Harry remains on the case:

“While you could say this is the biggest bank robbery of all time, and has affected multiple banking institutions in many different countries, it didn’t really get much press.

Not while it was all going on, not at the time of the mastermind’s arrest, and not much since.

In fact, it’s very hard to find out which banks were actually affected.

This is because cybercrime is very very bad business for banks. Banks rely on their customers trusting that they will keep their money safe.

If you knew your bank had lost millions of its customers’ money to hackers, how would you feel? Would you really trust it to keep your money safe?

No, the thing most banks and big businesses that get hacked do is keep it quiet. The banks will have simply reimbursed any accounts that were affected and kept shtum.

I have actually been following this story since the Kaspersky report back in 2015; actually, come to think of it, since before then. And it has never made major news.

Sure, it gets a bit of coverage on Wired – a tech website, and one or two articles in Forbes. But given the scale of what’s going on, shouldn’t it be front-page news all over the world?

We only really hear about these hacking stories when they affect customers’ records, so the institutions are forced to tell us. Otherwise, it’s all kept as quiet as possible.

But rest assured, groups like Carbanak are operating all over the world, 24 hours a day. It’s just we rarely hear about them.”

Today, FBI Warns of Attack on ATMs (reported in Daily Telegraph and Daily Mail: 14.08.18).

The FBI has warned banks of a major hacking threat to cash machines worldwide in the next few days. America’s intelligence chiefs sent out a confidential alert last week to warn that cyber criminals are planning a global “cash-out scheme” using malware to take over ATMs and steal millions of dollars. The Telegraph notes that smaller banks with less sophisticated security systems are believed to be most vulnerable to an attack. Andrew Bushby, UK director at Fidelis Cybersecurity, said: “UK banks are a likely target – and this latest ‘ATM cash-out blitz’ will no doubt send shock-waves to financial institutions.” He added: “Whilst the financial services industry is heavily regulated, it doesn’t make banks immune from being attacked by cyber criminals … UK banks need to urgently take a look at their security posture.”