Attackers broke into the ATM and used malware to cash out

Oct 27, 2014 19:23 GMT

Following an investigation into the robbery of 51 ATMs back in May, officers in the UK arrested a man on Thursday, suspected to be part of an eastern European crime gang responsible for the incidents.

According to the police, a total of £1.6 million / €2 million / $2.58 million was taken from cashpoints located in public places in Blackpool, Brighton, Doncaster, Liverpool, London, Portsmouth, and Sheffield during the May Bank Holiday weekend.

Attackers compromised physical security of the machines

The method used is similar to the one described by security researchers at Kaspersky in their analysis of the Tyupkin/PadPin ATM malware: exploiting the weak physical security of the machines, the attackers gained access to the CD-ROM drive and installed the malicious software that let them dispense cash.

“Each machine was physically broken into and infected with malware before large amounts of cash were withdrawn,” says a communication from the City of London Police. No trace of malware was found on the computer systems of the cash machines, which led officers to believe that the malware deleted itself after the robbery.

Self-deletion is a capability Kaspersky found in its analysis of Tyupkin/PadPin: the malware removes itself with a batch file.

The operation in the UK was carried out by the London Regional Fraud Team (LRFT), a division composed of detectives from British Transport Police, City of London Police, and the Metropolitan Police Service.

Also involved in the case was the National Crime Agency’s Economic Crime Command, which collected information that led to the arrest of multiple suspects, including a 37-year-old man at a house in Portsmouth.

“This operation represents a significant disruption against a sophisticated criminal enterprise who used specialist malware to target cash points and steal large quantities of cash,” said Nigel Kirby, deputy director for the NCA's Economic Crime Command.

Similar robberies occurred in Russia and Malaysia

If the investigation proves that Tyupkin/PadPin was leveraged in the robberies, it could mean that the malware was widely used across the globe shortly after being compiled.

Kaspersky found samples with compilation dates from around March, and during their investigation they learned that the malware was active on more than 50 ATMs in eastern Europe.

However, Kaspersky's telemetry covers only consumer computers, so it could not give a picture of how widely Tyupkin spread across ATMs; within that limited data, the threat was found mostly in Russia, followed by the US, India, China, Israel, France, and Malaysia.

Another Tyupkin incident was recorded in Malaysia, where robbers managed to steal about $1 million / €790,000.

The police in the UK searched at least one address in Edmonton as part of the operation.