ATM Malware Now For Sale On Darknet

Malware designed to compromise and empty ATMs has been discovered for sale on the darknet, according to news from Securelist, the online headquarters of Kaspersky Lab security experts.

Priced at $5,000, the software was listed for sale on AlphaBay, the darknet marketplace that the FBI has closed, where users could advertise and purchase software for use in a variety of illegal activities. Securelist reported that the AlphaBay listing included details such as the equipment required to use the software, which ATMs should be targeted and a detailed instruction manual explaining how the programs should be operated.

Poor formatting and ungrammatical English suggest that the developer of the malware or the writer of the manual was a native Russian speaker, according to Securelist. Additionally, an earlier form of malware intended to target ATMs, Tyupkin, was referenced in the text of the manual. Tyupkin was first discovered infecting a number of ATMs throughout Eastern Europe in 2014.

Passages from the manual also suggest that the program can determine the amount of money stored in ATMs, down to the value of individual bills the ATM contains, and has the ability to dispense some or all of it.

Securelist details that the software for sale on AlphaBay came in three parts. The first and primary program is named “CUTLET MAKER,” which operates the cash dispense function of targeted ATMs. The second program, named “c0decalc,” is a tool that generates the passwords necessary to unlock “CUTLET MAKER.” The final program, “Stimulator,” is used to detect the number of bills the ATM contains.

To activate the software, users have to gain access to the computer within an ATM and install the program using a USB thumb drive, a process that often requires a power drill. Defending against such attacks could mean further enhancing the physical security of the computers that manage ATM functionality or disabling USB connectivity outright.

This program doesn’t attack ATM users directly, Kaspersky Lab experts explained; rather it’s intended to steal directly from the banks themselves by dispensing bills held within the machine.


