
Mystery surrounds $2M ATM “jackpotting” attack in Taiwan

The crooks are alleged to have relied on malware implanted on the ATMs to make cardless "transactions".

Mystery still surrounds a recent series of bank heists in Taipei, Taiwan.

Crooks apparently made off with NT$70,000,000 (more than US$2M) in a spate of fraudulent ATM withdrawals just over a week ago, leaving both the banks and investigators unsure quite what happened.

Usually, casher crews, who are the feet-on-the-street of the crooks behind banking cybercrime, take a stash of cloned cards and stolen PINs on a withdrawal spree, hitting ATM after ATM to suck hard cash out of unsuspecting users’ accounts.

But in the recent Taipei attack, no cards were inserted.

Apparently, the crooks jackpotted the ATMs in a series of cardless “transactions.”

Taiwanese authorities now say they are after two Russian nationals, who allegedly wore masks to try to dodge surveillance cameras.

They’re also alleged to have relied on malware implanted on the ATMs to provide a hidden feature to make the ATMs disgorge money without going through the usual transaction process.

They also carried out the attacks, whether by accident or design, while authorities were otherwise occupied by typhoon weather.

Unfortunately, it looks as though part of the reason the Russians are persons of interest in the investigation is that they left Taiwan on the Monday immediately following the fraudulent withdrawals.

That adds yet another layer of complexity to the case.

We can’t be sure, of course, that malware was involved, and if so, how the ATM network was breached.

But it’s always disappointing to hear of malware on specialised computers such as ATMs or cash registers, not least because you’d hope that trusted devices of that sort would be kept on a dedicated network of their own, to reduce their exposure to the rest of the world.

Sadly, as far as we can tell, that sort of network segregation seems to be the exception, rather than the rule.

If there’s a silver lining for customers, it’s the suggestion that the ATMs were reprogrammed to count out banknotes on demand, without linking the dispensed money to any account.

Of course, as a society, we all lose when this happens, but it sounds as though no individual customers will be left with phantom withdrawals posted against their accounts.

Want to segregate the computers on your own network? Personal laptops on one network, visitors on another, and IoT devices separate from both? The Sophos XG Firewall is 100% free for home use, including email scanning, web filtering, intrusion prevention, a VPN and much more.


7 Comments

“… as a society, we all lose out when this happens, …”. Do we?
It’s the bank’s money that the crooks stole, so the bank loses out. The mechanism whereby we ALL lose out is obscure, to say the least. Unless we have shares in the bank, we need not lose out. If the bank decides to recover the lost cash from its customers, most of us can just change banks.

The USA has (IIRC) the Federal Deposit Insurance Commission, created for banks to prevent bankruptcy after a single large event such as robbery–thereby retaining confidence in the dollar. It’s a federal program and is basically a huge insurance plan for banks.

Were two million dollars stolen from a specific bank which is a member of the FDIC they’d be covered, and everyone would lose in taxes…save I suppose those few whose net gain would still be close to $2M.

Not sure if a Taiwanese bank would likewise have a safety net but expect something similar backing it.

Aside purely monetary measures, we all lose with the proliferation of yet one more story of criminals absconding with a windfall. We don’t need any more potential criminals pondering various schemes to be pushed to the wrong side of the fence. We all lose yet again.

Quite a few people think that crime diminishes society, in general as well as in specific ways. That $2m came from *somewhere*, and it went to the crooks. That certainly doesn’t sound like a positive outcome for the law-abiding amongst us…and I’m not sure how it could be considered neutral, either. If I’m right, then…we all lose, even if only by a very modest amount in collective terms.

(It’s a bit like saying that insurance fraud doesn’t hurt *you* because that’s the insurance company’s problem for not investigating harder, and it’s their loss, not yours…then being surprised when everyone’s premiums go up.)

Why could the attacked ATM disgorge NT$ automatically without being refilled with new money (NT$) from the First Bank?
Charles Lin

The crooks extracted money from multiple ATMs, not just one ATM. As far as I know, none of the ATMs was refilled during the heist. ATMs can hold, what, up to about US$20,000? So to drain $2,000,000 you’d need to hit 100 different ATMs, of the right model, belonging to the right bank.

The “casher crew” in this case were relying on card-present withdrawals (one per ATM) of around $800 each; operating on Broadway in New York City, they managed something like 3000 separate withdrawals in one outing:
https://nakedsecurity.sophos.com/2013/05/10/casher-crew-from-global-cyberheist-busted-in-new-york/

I’ve posted this on Twitter in response to the story, but I guess you chose to ignore feedback there. You should update the story to include the details related to the fact that the suspects have been caught and that the majority of the money has been recovered. There is a lot more to this story than an ATM hack, which, if you were focusing on it, why not give more details on the technical aspects? I feel validated to post it, as the comments here are discussing who lost the “$2m[illion]”, when it’s been known that the money has been recovered due to investigations after the heist.

The details about the story, which included that multiple suspects were named, fled the country, or were caught by Taiwanese police, were all released, in English, a day before you posted this blog post.

This information being left out seems disingenuous to any form of “reporting”, and makes it appear the article was to focus on the Fear, Uncertainty and Doubt related to the caper.

The technical details are, I am sure you will agree, still mysterious. That’s what this was about…no FUD, no need to panic, and the cops are on top of it, at least in part.

(I read that a bit over half of the money was recovered. That’s good news!)
