ATM Malware Heist Suspects Arrested by UK Police

Law enforcement authorities in the United Kingdom have arrested three individuals suspected of being part of an eastern European criminal organization that uses malware to steal money from ATMs.

The suspects were arrested last week by officers of the London Regional Fraud Team (LRFT), a unit formed of detectives from the Metropolitan Police Service, the City of London Police, and the British Transport Police.

On Thursday, a 37-year-old man from Portsmouth was taken into custody. Officers later arrested two other suspects, a woman from Portsmouth and a man from Edmonton, who have been released on bail.

The criminal ring is believed to have stolen £1.6 million ($2.5 million) from a total of 51 ATMs located in London, Liverpool, Portsmouth, Doncaster, Blackpool, Brighton, and Sheffield. The attacks took place over the May bank holiday weekend.

According to authorities, the crooks physically broke into the targeted ATMs and infected them with malware. The malware allowed them to withdraw large amounts of cash, after which it deleted itself to make it more difficult to determine the cause of the attack. Due to the physical nature of the attack, no customer data was compromised, police said.

“An extensive, intelligence led investigation has uncovered what we believe is an organised crime gang systematically infecting and then clearing cash machines across the UK using specially created malware,” said Dave Strange, the head of the LRFT. “Cyber-enabled crime presents a major threat to our public and private sectors and to an increasing number of citizens. The only way to tackle this is by law enforcement and counter fraud agencies working in alliance, which is exactly what the London Regional Fraud Team and National Crime Agency have done over several months culminating in today’s arrest.” 

The National Crime Agency (NCA), which recently announced that it’s looking for cybercrime fighters, also contributed to the law enforcement operation.

“The NCA provides specialist support to partners to present a collaborative response to serious and organised crime. This operation represents a significant disruption against a sophisticated criminal enterprise who used specialist malware to target cash points and steal large quantities of cash,” said Nigel Kirby, Deputy Director for the NCA’s Economic Crime Command.

Malware designed to allow the manipulation of ATMs is not new, but it can still be highly efficient. Earlier this month, Kaspersky reported identifying a new piece of malware that can be used to empty ATM cash cassettes. The threat, dubbed Backdoor.MSIL.Tyupkin, targets ATMs from a major manufacturer running 32-bit versions of Microsoft Windows.

The malware was identified during Kaspersky Lab’s research on over 50 ATMs in eastern Europe, but infections have also been spotted in the U.S., India and China.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
