Law enforcement authorities in the United Kingdom have arrested three individuals suspected of being part of an eastern European criminal organization that uses malware to steal money from ATMs.
The suspects were arrested last week by officers of the London Regional Fraud Team (LRFT), a unit formed of detectives from the Metropolitan Police Service, the City of London Police, and the British Transport Police.
On Thursday, a 37-year-old man from Portsmouth was taken into custody. Officers later arrested two other suspects, a woman from Portsmouth and a man from Edmonton, who have been released on bail.
The criminal ring is believed to have stolen £1.6 million ($2.5 million) from a total of 51 ATMs located in London, Liverpool, Portsmouth, Doncaster, Blackpool, Brighton, and Sheffield. The attacks took place over the May bank holiday weekend.
According to authorities, the crooks physically broke into the targeted ATMs and infected them with malware. The malware allowed them to withdraw large amounts of cash, after which it deleted itself to make it more difficult to determine the cause of the attack. Due to the physical nature of the attack, no customer data was compromised, police said.
“An extensive, intelligence-led investigation has uncovered what we believe is an organised crime gang systematically infecting and then clearing cash machines across the UK using specially created malware,” said Dave Strange, the head of the LRFT. “Cyber-enabled crime presents a major threat to our public and private sectors and to an increasing number of citizens. The only way to tackle this is by law enforcement and counter-fraud agencies working in alliance, which is exactly what the London Regional Fraud Team and National Crime Agency have done over several months culminating in today’s arrest.”
The National Crime Agency (NCA), which recently announced that it’s looking for cybercrime fighters, also contributed to the law enforcement operation.
“The NCA provides specialist support to partners to present a collaborative response to serious and organised crime. This operation represents a significant disruption against a sophisticated criminal enterprise who used specialist malware to target cash points and steal large quantities of cash,” said Nigel Kirby, Deputy Director for the NCA’s Economic Crime Command.
Malware designed to allow the manipulation of ATMs is not new, but it can still be highly efficient. Earlier this month, Kaspersky reported identifying a new piece of malware that can be used to empty ATM cash cassettes. The threat, dubbed Backdoor.MSIL.Tyupkin, targets ATMs from a major manufacturer running 32-bit versions of Microsoft Windows.
The malware was identified during Kaspersky Lab’s research on over 50 ATMs in eastern Europe, but infections have also been spotted in the U.S., India and China.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
