INTERNATIONAL CRIMINAL GROUP BEHIND ATM MALWARE ATTACKS DISMANTLED

The Hague, the Netherlands
7 January 2016

The Romanian National Police and the Directorate for Investigating Organised Crimes and Terrorism (DIICOT), assisted by Europol and Eurojust as well as a number of European Law Enforcement authorities, disrupted an international criminal group responsible for ATM malware attacks. This operation, one of the first in Europe against this kind of threat, resulted in multiple house searches in Romania and the Republic of Moldova and the final arrest of 8 individuals. The criminals used Tyupkin ATM malware which allowed the attackers to manipulate ATMs across Europe and illegally empty ATM cash cassettes.

The criminal group, composed of Romanian and Moldovan nationals, was involved in large scale ATM "Jackpotting", causing substantial losses across Europe to the ATM industry. ATM "Jackpotting" refers to the use of a Trojan horse, physically launched via an executable file in order to target an ATM, thus allowing the attackers to empty the ATM cash cassettes via direct manipulation, using the ATM PIN pad to submit commands to the Trojan.

Europol's European Cybercrime Centre (EC3) supported police forces across Europe in their efforts to identify the suspects by hosting a number of international operational meetings and analysing intelligence. This joint international effort follows on a previous successful action against the threat posed by this type of malware.

Wil van Gemert, Europol's Deputy Director Operations, commented: "Over the last few years we have seen a major increase in ATM attacks using malicious software. The sophisticated cybercrime aspect of these cases illustrates how offenders are constantly identifying new ways to evolve their methodologies to commit crimes. To match these new technologically savvy criminals, it is essential, as it was done in this case, that law enforcement agencies cooperate with their counterparts via Europol to share information and collaborate on transnational investigations".

Europol's European Cybercrime Centre (EC3) recognises the severity of the threat presented by ATM logical and malware attacks and has prepared security guidelines regarding this new cyber threat to ATMs. The production of this document has been coordinated by EAST (European ATM Security Team), and is the first of its kind. The guidance and recommendations regarding logical attacks on ATMs, which also covers malware attacks, is an excellent example of a coordinated central response from both Law Enforcement and the industry to fighting ATM malware threats in an effort to respond much more quickly and effectively.