
ATM Malware Now For Sale On Darknet


Malware designed to compromise and empty ATMs has been discovered for sale on the darknet, according to news from Securelist, the online headquarters of Kaspersky Lab security experts.

Priced at $5,000, the software was listed for sale on AlphaBay, the darknet marketplace since shut down by the FBI, a forum where users could advertise and purchase software for use in a variety of illegal activities. According to Securelist, the AlphaBay listing included details such as the equipment required to use the software, which ATMs should be targeted and a detailed instruction manual outlining how the programs should be operated.

Poor formatting and ungrammatical English suggest that the developer of the malware or the writer of the manual was a native Russian speaker, according to Securelist. Additionally, an earlier form of malware intended to target ATMs, Tyupkin, was referenced in the text of the manual. Tyupkin was first discovered infecting a number of ATMs throughout Eastern Europe in 2014.

Passages from the manual also suggest that the program can determine the amount of money stored in ATMs, down to the value of individual bills the ATM contains, and has the ability to dispense some or all of it.

Securelist details that the software for sale on AlphaBay came in three parts. The first and primary program, named “CUTLET MAKER,” operates the cash dispense function of targeted ATMs. The second program, named “c0decalc,” is a tool that generates the passwords necessary to unlock “CUTLET MAKER.” The final program, “Stimulator,” is used to detect the number of bills the ATM contains.

In order to activate the software, users have to gain access to the computer within an ATM and install the program using a USB thumb drive, a process that often requires a power drill. Defending against such attacks could mean further enhancing the physical security of the computers that manage ATM functionality or disabling USB connectivity outright.

This program doesn’t attack ATM users directly, Kaspersky Lab experts explained; rather it’s intended to steal directly from the banks themselves by dispensing bills held within the machine.


