UK police arrest trio over £1.6 million cyber theft from cash machines

News by Tim Ring

London Police have arrested three suspected members of an Eastern European cyber-crime gang who installed malware on more than 50 bank ATM machines across the UK to steal £1.6 million.

Police say it's the first time that the new method of hacking and stealing cash from ATMs directly, rather than targeting customers, has been used in Britain.

On Thursday, the London Regional Fraud Team (LRFT) – a specialist unit combining detectives from British Transport Police, City of London Police and the Met Police – arrested the suspected mastermind behind the attacks.

The 37-year-old was seized at a house in Portsmouth on suspicion of conspiracy to defraud and remains in custody.

Later that day, detectives arrested a 38-year-old woman in Portsmouth on suspicion of money laundering and a 24-year-old man in Edmonton, London on suspicion of conspiracy to defraud. Both have been bailed.

The three suspects are allegedly part of a gang who earlier this year physically broke into 51 cash machines in towns and cities across the UK, including London, Liverpool, Brighton, Portsmouth, Blackpool, Doncaster and Sheffield.

They installed malware on ATMs that over-rode their administrative code, allowing the gang to return later, over the May Bank Holiday weekend, and withdraw large amounts of cash from the machines, in some cases emptying them completely.

Detectives believe the malware subsequently deleted itself, making it difficult to identify the cause of the attacks. The physical nature of the attacks meant customer data was not compromised. The LRFT were helped to make the arrests by intelligence supplied by the National Crime Agency.

Detective Inspector Dave Strange, head of the LRFT, said: “We believe this is an organised crime gang systematically infecting and then clearing cash machines across the UK using specially created malware.”

A City of London Police spokesperson confirmed to “They access the ATM and then insert the malware which is on disk, then they take the disk away again. We believe it's the first time we've seen this type of malware used in the UK.”

Security firms have been warning of this new type of ATM attack for some time.

Earlier this month, Kaspersky reported that the malware suspected of being involved in the latest attack, Tyupkin, had been used to empty more than 50 cash machines in Eastern Europe. Kaspersky warned at the time that the malware had spread to other countries including the US, France, India and China.

The attack method first came to light last December when researchers presenting at the Chaos Communication Congress in Hamburg explained how cyber-thieves had physically cut into cash machines belonging to an unnamed European bank, to plug in malware-laden USB sticks that enabled them to empty the machines.

Speaking to, cyber-crime expert Kim Larsen gave more details of the new attack method.

Larsen, a senior client executive with Verizon, a special adviser to Europol's Internet Security Group and formerly chief of information security with the Danish national police, told SC: “The methodology used in the new attacks is not very different to the other types of attacks used towards ATM machines in general. The change is that they are targeting the financial institute and not the customers.”

Larsen explained: “The technology in ATM machines is often very outdated. So what they have done is create malware which, by entering some codes, gives them the ability to gain access to the administrative functions in the ATM machine.

“The codes that can be used are freely available I guess. They program this malware to be active at a certain point, often at night, then they come back, enter the codes and walk away with the cash.”

Larsen said thieves typically only target the most basic and unguarded cash machines. “If there's an alarm on the ATM they don't go there,” he said. “This is an evolution of card skimming where instead of getting the customers' data from the cards, you are targeting the machines itself and the cash inside. If you have the master keys for the ATMs, it is actually quite easy to do.”

Cyber security expert Peter Jopling, chief technology officer for IBM UK & Ireland, agreed that ATMs are being targeted because they are physically vulnerable and often lack the right defensive software.

Jopling told SC by email: “ATMs tend to be in physically open environments, hence why they can be potentially physically attacked. Clearly provision must be made to ensure the best possible physical security, but, as we have seen recently, this can still be subverted.

“There is software available that can be installed on the operating system that would protect against malware being executed. Additionally, by putting in place real-time analytical monitoring, a bank would be able to detect if an ATM has been compromised as its electronic signature will change.

“By detecting this change, a bank can instigate a real-time forensic examination as to the exact sequence that led up to this change, highlighting the attack path and, most importantly, whether other systems are affected or can be infected.

“As an example with Tyupkin malware, detecting the ATM rebooting would be a critical indicator that all is not well, allowing deeper analysis of what led to the reboot and subsequent activities.”

Larsen said that to defend against the attacks, ATM providers need to review their physical security – alarms and CCTV - to change the default admin password and make sure the machine has up-to- date virus protection.

Paul Nguyen, president of CSG Invotas commented to SC: "You can't tell what the underlying operating system is on these ATMs and it's very often very old - vulnerable technology. Automated response systems (should be used because they) are less prone to error and are faster to react - especially say during bank holidays."

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews