Romanian police have acted to end a series of malware ATM attacks carried out in Germany, France, Norway, Sweden, Poland, and Romania.
Alleged members of an international criminal group responsible for a year-long campaign of ATM malware attacks across Europe have been rounded up, according to EU law-enforcement agency Europol.
Eight people have been arrested in Romania and Moldova this week on suspicion of “causing substantial losses across Europe to the ATM industry” and inflicting at least €200,000 ($218,000) of damage on ATM machines located in several European countries.
The gang behind the attacks used the Tyupkin Trojan, a piece of Russian-made malware identified in 2014 by Kaspersky Lab.
According to Europol, the gang embarked on large-scale ATM ‘jackpotting’. To use this technique, a criminal launches a Trojan via an executable file to gain control of the ATM’s PIN pad and submit commands to the malware to empty the machine’s cash cassettes.
“Over the past few years, we’ve seen a major increase in ATM attacks using malicious software. The sophisticated cybercrime aspect of these cases illustrates how offenders are constantly identifying new ways to evolve their methodologies to commit crimes,” Europol deputy director operations Wil van Gemert said in a statement.
“To match these new technologically-savvy criminals, it’s essential, as it was done in this case, that law enforcement agencies cooperate with their counterparts via Europol to share information and collaborate on transnational investigations.”
Attacks were carried out on weekends on ATM machines manufactured by NCR that weren’t located inside the offices of a bank, according to the Romanian directorate for investigating organised crimes and terrorism.
Police said the attackers needed only limited computer skills. A group member opened an ATM machine containing a CD-ROM drive and inserted a bootable CD containing the malware.
The Tyupkin Trojan requires a one-time session password, allegedly obtained via phone or other communication channel, allowing the criminals to withdraw money.
On each attack, they took about €900. The malware deleted itself automatically from the ATM. The gang used adhesive tape to secure the alarm sensor of the cash dispenser.
The Tyupkin Trojan was designed to work only during weekends and even killed the ATM’s internet connection during the theft, probably to prevent the machine from triggering an alarm. The gang allegedly used the rest of the week to identify potential targets and prepare attacks.
Most of the hijacked ATMs were in Romania, where the gang started its operations. Later, they expanded their activities into Germany, France, Norway, Sweden, Poland, and Hungary, police said.
Romanian investigators have been following the case for several months. They said initially the gang was careful, paying attention to every detail. Later, they became confident and less cautious.
For example, police said gang members communicated via Facebook Messenger and Skype, even occasionally using these channels to boast to others about their travels.
The operation was led by the Romanian Police together with the directorate for investigating organised crimes and terrorism, or DIICOT. The two agencies were assisted by Europol, Eurojust, and several European law-enforcement authorities.