
Hackers indicted for 12-hour ATM attack that netted $9 million

This article was published in Scientific American’s former blog network and reflects the views of the author, not necessarily those of Scientific American


One year after pulling off one of the most audacious cyber crimes in history—a 12-hour spree during which more than 2,100 cash-dispensing machines in at least 280 cities on three continents were drained of a total of more than $9 million—a group of hackers is facing dozens of years in prison and millions of dollars in fines.

A federal grand jury last week indicted three eastern European men—plus a fourth individual known only as Hacker 3—on a number of charges for these crimes, including wire fraud, computer fraud and aggravated identity theft. Another three men, all from Estonia, were indicted on charges of access device fraud for their alleged related role using fraudulent PINs to steal money from the ATMs.




Three of the accused allegedly broke into the Atlanta-based RBS WorldPay payment processing division of the Royal Bank of Scotland Group PLC. Prosecutors say the hackers got through WorldPay's encryption of customer data on payroll debit cards, which various companies use to pay employees (the cards are designed to be used to withdraw salaries). After breaking the encryption, the cyber thieves raised the account limits on compromised accounts and then provided a network of accomplices with 44 counterfeit payroll debit cards and PINs, which were used to drain employees' accounts, prosecutors say. They add that the accomplices were allowed to keep 30 to 50 percent of the stolen funds while sending the rest to the ring leaders. The hackers are also accused of destroying evidence within the WorldPay system to cover their tracks.

Prosecutors credit a rare occasion of international cyber law enforcement cooperation—in this case, the U.S., China, Estonia and the Netherlands collaborated—with helping bring down what they refer to as "one of the most sophisticated computer hacking rings in the world." Differing cyber crime laws in different countries and an unwillingness to extradite accused hackers often complicate cyber crime prosecutions, a factor not lost on international cyber crime syndicates that tend to set themselves up to attack from a variety of locations worldwide. In this instance, a 28-year-old Moldovan man allegedly learned of a vulnerability in WorldPay and passed that information along to a hacker living in Estonia, who in turn recruited a Russian hacker to break into the WorldPay system.

While RBS and many other banks have cyber security systems in place designed to detect fraud after it has been committed, a group of European researchers led by the Universidad Politécnica de Madrid's Distributed Systems Laboratory claims to be developing data processing technology that could be used to combat fraud as it happens. The new system, scheduled to go live next year, is being developed as part of the European STREAM (Scalable Autonomic Streaming Middleware) Project funded by the European Union Seventh Framework Program to the tune of $5 million.

Image of suspected ATM thief hitting an Atlanta bank courtesy of the Federal Bureau of Investigation

Larry Greenemeier is the associate editor of technology for Scientific American, covering a variety of tech-related topics, including biotech, computers, military tech, nanotech and robots.
