
Hybrid Bank Heists Net Millions in Cash for Criminals

Sophisticated and Stealthy Bank Attack Combines Cyber and Organized Crime

Organized crime and cybercriminals are working together to steal large amounts of cash from banks. The money is taken in multiple but relatively small amounts from ATMs. Organized crime sets up the accounts and collects the cash, while cybercriminals hack the banks and manipulate the accounts.


The details come from a study (PDF) published today. In mid-to-late 2017, Trustwave SpiderLabs was asked to investigate a number of bank breaches that had occurred in post-Soviet countries — and found a series of common features. Money was being stolen via ATMs from what appeared to be legitimate accounts. Because the accounts were ‘legitimate’, alarms were not raised; and in many cases the thefts only became apparent long after the event.

The process requires an alliance between organized crime (such as the Mafia, Yakuza, etc.) and cyber criminals. Organized crime controls the manpower — the mules. The mules are supplied with fake IDs. They establish rogue accounts with the targeted banks and request debit cards. Once the debit cards are received, they are sent outside of the country — part of keeping the attack low-profile is not to withdraw money via ATMs in a country where the bank has a presence.

The next stage is for the cybercriminals to compromise the target bank. This would normally be by phishing and social engineering. “While the physical activities involving application for accounts and debit cards were taking place at the bank’s various branches in the country,” notes the report, “the cyber attackers gained initial entry, moved laterally and compromised multiple systems inside the bank’s network.”

From here the attackers crossed over to the bank’s third-party processor using the established connectivity between bank and processor. The next stage was privilege escalation within the processor, and the delivery of multiple payloads. Key was Mipko, which is advertised as an ‘employee monitor’. This enabled them to locate the privileged accounts that could alter customer card conditions.

This allowed the attackers to locate and alter the conditions on the rogue accounts. They activated the overdraft settings and changed the limit from the default value of zero to ranges varying from $25,000 to $35,000. All of this was coordinated with the cash withdrawals via overseas ATMs.


“The physical counterparts stationed at various locations in Europe and the Russian Federation” notes the report, “then cashed out substantial amounts of money for each of these cards from ATM terminals. Cash withdrawals across the region began within minutes of the first OD property change made to the debit cards on the card management application… Within the next few hours the operation concluded, removing up to USD$10 million from each bank.”

The process from account manipulation to foreign cash withdrawals took only about five hours. But the withdrawals were not the final act of the attack. “Almost two hours after the last withdrawal occurred the criminals wiped the server,” Thanassis Diogos, SpiderLabs managing consultant, told SecurityWeek. “They were sure that their actions would trigger an investigation, so they were most probably trying to remove evidence from the crime scene. And they succeeded to a point because the internal server used for maintaining external connections had nothing to do with the card processing infrastructure. So the IT department never associated the failure of that system with the incident — it was only at the point of log analysis that it pointed to that system.”
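The pattern described above (an overdraft limit raised from zero on a card, followed within minutes by ATM withdrawals abroad) is one a bank can correlate from its own logs. The following is an added detection example, not code from the report or from Trustwave; the two record feeds, field names, and threshold values are constructed assumptions, and the joined output is what a fraud or SOC analyst would alert on.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not from the report). Two feeds a bank would join:
# the card-management application's audit log and the ATM switch's withdrawal log.
CARD_MGMT_AUDIT = [
    # (timestamp, card_id, field, old_value, new_value)
    ("2017-09-14T01:02:10", "CARD-0001", "OD_LIMIT", 0, 30000),
    ("2017-09-14T01:02:41", "CARD-0002", "OD_LIMIT", 0, 25000),
    ("2017-09-14T09:15:00", "CARD-0003", "OD_LIMIT", 0, 500),   # routine small change
]
ATM_WITHDRAWALS = [
    # (timestamp, card_id, amount_usd, country)
    ("2017-09-14T01:05:30", "CARD-0001", 2000, "DE"),
    ("2017-09-14T01:07:02", "CARD-0001", 2000, "DE"),
    ("2017-09-14T01:06:12", "CARD-0002", 1500, "RU"),
    ("2017-09-14T12:00:00", "CARD-0003", 200, "XX"),               # domestic, same day
]
HOME_COUNTRY = "XX"  # placeholder for the issuing bank's own country


def find_od_cashouts(audit, withdrawals, home_country,
                     min_limit=10000, window=timedelta(hours=5)):
    """Flag cards whose overdraft limit jumped from zero to at least min_limit
    and which were then used at ATMs outside home_country within `window`.
    Returns {card_id: summary dict}."""
    raised_at = {}
    for ts, card, field, old, new in audit:
        if field == "OD_LIMIT" and old == 0 and new >= min_limit:
            raised_at[card] = datetime.fromisoformat(ts)

    per_card = defaultdict(list)
    for ts, card, amount, country in withdrawals:
        per_card[card].append((datetime.fromisoformat(ts), amount, country))

    alerts = {}
    for card, t0 in raised_at.items():
        hits = [(t, amt) for t, amt, ctry in per_card.get(card, [])
                if ctry != home_country and t0 <= t <= t0 + window]
        if hits:
            first = min(t for t, _ in hits)
            alerts[card] = {
                "limit_raised_at": t0.isoformat(),
                "foreign_withdrawals": len(hits),
                "total_usd": sum(amt for _, amt in hits),
                "minutes_to_first_withdrawal": round((first - t0).total_seconds() / 60, 1),
            }
    return alerts
```

The same join also exposes the operator account that made the limit changes, which is the privileged account the report says the attackers hunted for; because the server was wiped afterwards, the audit feed should be shipped off-host as it is written.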

SpiderLabs has seen the same process in four separate banks (two in Russia, and two in post-Soviet states); and is investigating a possible fifth in Africa. It is not clear whether it is the same gang in all cases. “The malware used differs per case but methodology was the same,” said Diogos. It could be the same gang using different malware under different conditions, or it could be different gangs altogether, since “underground forums share these ideas.”

One thing that is clear is the growing cooperation between organized crime (feet on the street) and criminal hackers — although at this stage it is not clear whether hacking crews are contacting criminal gangs, or criminal gangs are recruiting hacking crews. “One way or another,” said Diogos, “the spread of electronic devices and data digitization has come under crime’s scope.”

The total amount lost to this particular methodology is not known. It is generally believed that financial institutions do not own up to all of their losses, in order to maintain faith in their brand.

“Our investigations have revealed victim losses currently around approximately USD$40 million. However, when taking into account the undiscovered or uninvestigated attacks along with investigations undertaken by internal groups or third parties, we estimate losses to be in the hundreds of millions in USD. All global financial institutions should consider this threat seriously and take steps to mitigate it.”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
