The $4M ‘Reverse ATM Attack’ Heist

Russian hackers ripped off a whopping $3.8 million (252 million rubles) from five banks using a technique called a “reverse ATM attack,” according to information obtained by Group-IB, a Russian digital intelligence company.

The attack was essentially carried out by mules who would deposit 5,000, 10,000 or 30,000 rubles into a bank account at an ATM and then immediately withdraw the same amount, keeping the printed receipt of the transaction. The receipt gave them a transaction reference number along with the total amount withdrawn. These details were then passed to Russian hackers, who used them to trick thousands of American and Czech point-of-sale (POS) terminals.

The process initiated a “reversal operation” from the POS terminal, making it appear that the withdrawal had been declined. To the bank, it looked as if the attempt to withdraw cash had been cancelled, so it returned the money to the account even though the cash had already been taken out, according to Forbes. The hackers would then repeat the process until the ATM ran out of cash.
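One issuer-side check that targets the flaw described above is to match every reversal against the original transaction it claims to cancel and refuse to treat a completed ATM cash-out as declined. This is an added illustrative example with constructed records, not code from Group-IB, Forbes or any bank; the record fields (channel, country, status) and the sample reference numbers are assumptions, and a real authorization feed would not be this simple.

```python
"""Issuer-side check of card reversal messages against the original transaction
they claim to cancel (constructed example; fields and statuses are assumptions)."""
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Txn:
    rrn: str       # reference number printed on the receipt
    amount: int    # rubles
    channel: str   # "ATM" or "POS"
    country: str   # country of the terminal that sent the message
    status: str    # "completed" = cash actually dispensed / sale settled

@dataclass(frozen=True)
class Reversal:
    rrn: str
    amount: int
    channel: str
    country: str

def check_reversal(rev: Reversal, originals: Dict[str, Txn]) -> List[str]:
    """Return the reasons a reversal looks suspicious (empty list = accept)."""
    orig = originals.get(rev.rrn)
    if orig is None:
        return ["no original transaction for this reference number"]
    reasons = []
    # Core of the scheme: cash already left the ATM, so a 'declined' re-credit pays twice.
    if orig.channel == "ATM" and orig.status == "completed":
        reasons.append("reversal of a completed ATM cash withdrawal")
    # Genuine reversals come from the original terminal; the scheme used foreign POS terminals.
    if rev.channel != orig.channel:
        reasons.append(f"channel mismatch: {orig.channel} -> {rev.channel}")
    if rev.country != orig.country:
        reasons.append(f"country mismatch: {orig.country} -> {rev.country}")
    return reasons

def flag_reversals(revs: List[Reversal], originals: Dict[str, Txn]) -> Dict[str, List[str]]:
    """Map each suspicious reversal's rrn to its reasons; clean ones are omitted."""
    return {r.rrn: why for r in revs if (why := check_reversal(r, originals))}

# Constructed sample: two ATM cash-outs that dispensed cash and one POS sale.
ORIGINALS = {t.rrn: t for t in [
    Txn("000001", 5000, "ATM", "RU", "completed"),
    Txn("000002", 1200, "POS", "RU", "completed"),
    Txn("000003", 30000, "ATM", "RU", "completed")]}
REVERSALS = [
    Reversal("000001", 5000, "POS", "US"),   # foreign POS cancelling a cash-out
    Reversal("000002", 1200, "POS", "RU"),   # ordinary same-terminal reversal
    Reversal("000003", 30000, "POS", "CZ"),
    Reversal("999999", 10000, "POS", "US")]  # references nothing on file
```

Running `flag_reversals(REVERSALS, ORIGINALS)` flags the two cash-outs reversed from abroad and the unmatched reference, while the ordinary POS reversal passes.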

The stolen money was then reportedly moved through a global mule network, according to Group-IB, which is now working with the authorities to investigate the matter further.

The whole money laundering scheme worked because the hackers managed to circumvent the checks recommended by Visa and MasterCard and succeeded in exploiting weaknesses at the withdrawal, transfer and verification points of credit card transactions, Forbes reported.

While Visa was able to bring the five Russian banks together to close off the loopholes that allowed the perpetrators to steal money, the fix held only for so long. According to Group-IB, the hackers found a workaround that allowed them to transfer the money from a card at one bank to a card at another bank, which could then be used to withdraw funds from an ATM.

“After the first fix, the fraudsters modified the scheme a little bit and then did the fraud again. Then, it was finally fixed, but nobody is sure that the scheme could not be modified again and be successful,” said Dmitry Volkov, cybercrimes investigation division leader at Group-IB. “This scheme could affect non-Russian banks, but we know only about Russian victims.”

For now, with the implementation of additional fixes, it’s apparently impossible for the fraudsters to steal money either way, but as Volkov points out, it might only be a matter of time before they find another way.