Romanian Police Shut Down International ATM Malware Gang

Romanian Police Shut Down International ATM Malware Gang

Romanian Police Shut Down International ATM Malware Gang

Europol and Eurojust assisted Romanian law enforcement in arresting an international cybercrime group that compromised ATMs using the Tyupkin (Padpin) malware. The group stole money via special PIN pad codes, without a credit card inserted in the machine.


Romania’s Directorate for Investigating Organized Crime and Terrorism (DIICOT) arrested eight suspects on Tuesday, January 5, 2016, charging them with suspicion of establishing an organized crime group, illegal access to computer systems, computer fraud, disrupting information systems, modifying computer data, and illegal operations with destructive software and hardware devices.

Authorities describe the group as led by two of their members, one from Romania and one from the Republic of Moldova, while the other six were charged with scouting feasible ATMs, compromising ATM integrity, and later carrying out the ATM attacks.

Europol classified the group’s attack as “jackpotting,” a technique where cybercriminals infect the ATM with malware and make it spit out cash.

This group’s tactics were a little bit different, as DIICOT reports. Instead of emptying the ATMs in a single go, the group slowly stole money in multiple attacks, taking around $1,000 with each visit.

Criminals only targeted NCR ATMs

According to DIICOT, the group targeted only portable ATMs made by the NCR Corporation. The reason is that the ATMs’ back panel was easy to reach, where they inserted CDs in the ATMs’ CD-ROM slot.

Most of the time, ATMs were compromised and then robbed during weekends, when street traffic was scarce, and the group could act more freely. Most of the attacks occurred on Saturday nights.

The group targeted ATMs in Romania, Hungary, the Czech Republic, Spain, and Russia. Estimated damages are valued around €200,000 / $217,000.

Once attackers emptied the ATMs, the Tyupkin malware was programmed to self-delete. A more recent version of the Tyupkin malware, GreenDispenser, was detected by Proofpoint in September 2015, targeting ATMs in Mexico.

SOURCE