Spanish and Chinese criminals working together to hack banking networks & ATMs

Nepalese authorities managed to disrupt a complex hacking operation against some banking networks and ATMs in the country. According to experts in vulnerability testing, Zhu Lianang, a Chinese citizen who was caught trying to withdraw thousands of Nepalese rupees from an ATM using cloned debit cards, was arrested this weekend.

After interrogating the arrested man, a representative of the Katmandu Metropolitan Police stated that Zhu revealed the names of four of his accomplices, fellow Chinese citizens Lin Jianmeng, Luo Jialei, Qiu-Yunqing and Chen Bin Bin; two of these men are still on the run. “Hackers arrived in Nepal on August 30 and were planning to return to China on September 2nd, after completing their operation,” the spokesman said. The Nepalese authorities confiscated from those arrested about 12.5 million Nepali rupees (about $170k USD), $10k USD in cash, plus a hundred cloned Visa cards, 17 legitimate cards, a laptop, six smartphones and an external storage device.

Although this operation was dismantled, the investigation into the incident did not end with the arrest of the hackers. According to the experts in vulnerability testing, the defendants said that they only received orders, as the masterminds directed the operation from Spain. “Zhu states that the main conspirators are Chinese citizens residing in Spain; they say they are only complying with the orders of another group of people,” the Nepal police spokesman says.

The spokesman also mentioned that this hacker group’s plan was to compromise banking networks and extract thousands of dollars from ATMs over the last weekend, hide in their hotel and return to China without raising suspicions. “Meanwhile, the leaders of the operation were responsible for sending the malicious code that hackers in Nepal would use to steal money from ATMs,” the Nepalese authorities said. Hackers in Spain also booked the return flights to China for the team in Nepal. So far, no further details are known about the hacker team in Spain; the Spanish authorities are expected to begin a thorough investigation.

The hacking operation appeared to go smoothly; however, a Nepal Police vulnerability testing team was informed about a set of anomalous operations at an ATM, and thanks to this information the authorities were able to detect the intrusion and arrest those responsible. According to the Nepal Bankers Association, hackers stole a total of 17 million Nepalese rupees, although only 12 million have been recovered; it is presumed that the remaining money is held by the runaway hackers.

Unfortunately for the Nepalese authorities, this is not the first time their banking networks have come under attack. In April 2017, four Moldovan citizens were arrested in Nepal, accused of hacking ATMs to extract money, an attack known as “jackpotting”. Just hours after that incident, a Russian citizen was caught trying to insert a device to clone cards at an ATM.

According to vulnerability testing specialists from the International Institute of Cyber Security (IICS), the fact that jackpotting attacks occur against Nepalese banks is a clear example of the security weaknesses that the country's banks suffer from. The authorities and banks acted in time on this occasion, but banks need to strengthen their IT security because, in many similar cases, prevention is more effective than reactive measures.