ATM malware gang member arrested in Romania

The City of London Police have arrested a man in Romania charged with involvement in a campaign that installed malware on to ATMs around the UK

ATM exploits have a long and prolific history
ATM exploits have a long and prolific history

A Romanian man has been extradited to the UK and charged with offences relating to his involvement in a prolific ATM malware campaign.


A 30-year-old man was arrested in the western city of Bacău in Romania by local police on Tuesday 20 September assisting members of the London Regional Fraud Team (LRFT).


He is believed to have taken part in an ATM malware campaign in 2014 that stole £1.5 million pounds from UK cash machines. Over the May 2014 bank holiday weekend, the gang hit 51 ATM machines around the UK in London, Bognor Regis, Brighton, Liverpool and Portsmouth. The machines were literally broken into and had the malware directly installed on them. After the deed was done and the money was stolen, the malware deleted itself making it harder to identify the culprit.


This new arrest is merely the latest in a string relating to that campaign.


In January, Teofil Bortos, 36, from Newham in London admitted to his role in the campaign and was sentenced to seven years in prison. Nearly a year before that Grigore Paladi was sentenced to five years in prison for his role in the gang. According to City of London police, the investigation into the campaign is still ongoing.


Detective inspector Matthew Mountford, head of the London Regional Fraud Team said in a statement that this extradition “demonstrates the persistence of the London Regional Fraud Team to track down and bring to justice those involved in this case.”


One of the main barriers to successfully arresting cyber-criminals is so often jurisdiction. However, in this case, said Mountford, “overseas law enforcement have been extremely co-operative, especially in Romania.”


ATM scamming has a long and storied history. Originally it took the form of skimmers, attached to ATM machines which would then steal the details of any card inserted into that machine. Devices evolved to become smaller, more conspicuous and more able to defeat increasingly difficult security measures on the cards.


Its natural progression would of course be, malware. The malware, inserted remotely through hacking the bank or directly into the cash machine, will infect the ATM's core, the part which interfaces with the bank itself.


David Emm, principal security researcher at Kasperky Lab told SCMagazineUK.com that, “in contrast to a traditional card skimmer, there are no physical signs that the ATM is infected, leaving the attackers free to capture data from cards used at the ATM, including a customer's bank account number and PIN, or steal cash directly.”


Whether this new arrest signifies a blow against ATM malware is yet to be seen. Emm added, “The police have already arrested other suspects for their alleged involvement in this crime, so it's possible that others are involved, though it's not possible to be sure.  The successful conviction of those involved in cyber-criminal activities is always positive, not least because it underlines the fact that such activities are not risk-free”.

Sign up to our newsletters