Flashmob of ATM crooks scores $9 million in 49 cities

A global flashmob of ATM thieves netted $9 million in fraud against ATMs in 49 cities around the world. Can anyone find the message-board where this one was cooked up?
These people in the photos are believed to be "cashers," low-level players, in a scheme devised from some mastermind -- a dangerous computer hacker or hacking ring authorities fear could strike again.

Here's how it all came down, according to information Fox obtained from the FBI and law enforcement sources:

The computer system for a company called RBS WorldPay was hacked. One service of the company is the ability for employers to pay employees with the money going directly to a card, called payroll cards, a lot like a debit card that can be used in any ATM. The hacker was able to infiltrate the supposedly secure system and steal the information necessary to duplicate or clone people's ATM cards.

"We've never seen one this well coordinated," the FBI said.

Then shortly after midnight Eastern Time on November 8, the FBI believes that dozens of the so-called cashers were used in a coordinated attack of ATM machines around the world.

"Over 130 different ATM machines in 49 cities worldwide were accessed in a 30-minute period on November 8," Agent Rice said. "So you can get an idea of the number of people involved in this and the scope of the operation."

FBI Investigates $9 Million ATM Scam (via Beyond the Beyond)


  1. I love a good heist, especially when the only victim is some sort of huge financial institution with deep pockets. Respect.

  2. $9 million divided by 100 cards is $90k per card. The wording of the article makes it sound like they cloned employees’ cards, but the numbers look like they were stealing directly from employers’ payroll accounts.

  3. It takes a good minute or so for the ATM to dispense my $500 for rent. I can just imagine each one of these guys retrieving $70,000 (that’s 3,500 $20’s) from one machine, must be like hitting it big at the slots in Vegas.

  4. There’s something odd about this story. If as Fox says only 100 cards were used, that’s an average of $90,000 per card, who has that much on a paycard?

    And even though they lifted the individual withdrawal limit per machine, that’s almost $70,000 from each, do ATMs normally hold that much per day?

    And since it’s all cash, why would the cashers take a small fee in exchange for their services when they could just keep the $70,000 themselves?

  5. Yeah, it definitely doesn’t add up. One person wouldn’t be able to carry that much cash, let alone withdraw it all at once without drawing suspicion. And I don’t think a machine would have that much.

    Presumably the cashers won’t keep the money themselves because of the threat of death or serious injury. That’s generally how organized crime works.

  6. OMG! All I can say is that these criminals are definitely smarter than any scientists in the world, not even Einstein! Where did they learn that skill?

  7. With that many people involved globally, there’s gotta be one hell of a large communications trail somewhere. Shouldn’t be too hard for someone to find it.

    Also it depends on the kind of ATM, but the average type installed in stores has a maximum capacity of $20,000. And that’s capacity, not what would actually be put in it.

  8. Lots of places may have a few ATMs within close proximity. If the hackers were smart enough to crack what one would hope is some pretty tough security, they’re smart enough to send the cashers to places with a high number of ATMs. And some banks have rows of ATMs, 3 or 4 of them, if you’ve got two banks near each other in a commercial district, that’s 6-8 ATMs.

    Now if they knew when the ATMs were refilled and decided to hit them an hour or two after, they’ve just boosted their chances of getting a max payout.

  9. The quote is:

    “Over 130 different ATM machines in 49 cities worldwide were accessed in a 30-minute period on November 8,”

    That doesn’t necessarily imply the entire operation went down in 30 minutes or only 130 machines were hit.

    The article also states:

    For example, I’m only allowed to take out $500 a day, but the cashers were able to cash once, twice, three times over and over again.

    From this article we have no idea how many machines were hit, how many times each machine was hit, how many cashers were involved, or how long the entire operation took. Since 100 cards were reportedly used we can guess that there were possibly between 49 and 100 cashers working and a minimum of 130 machines were hit.

    However, if we assume 1 casher per card and each casher hit 10 machines, say 3 times each, resulting in 30 transactions per casher, for a total of 3000 transactions. This would bring the per transaction amount down to $3000, which starts looking possible. If each transaction took 5 minutes, plus some travel time the whole operation could have gone down in 4 hours.

  10. Sounds great but how many ATMs in quicky marts stock that kind of green? Most everyone in N.O. has less than $5.000 total. (I knew who stocked several in the French Quarter). Normally there is only about 8-12″ of space for the money and many of the cheap ATMs would choke or jam if they were stuffed too full.
    Still, awesome job! Stick it to da man!

  11. Respect? Maybe if they’d gone to Greenwich and taken the money from the banker scum who got the bonuses.

    Respect? You think these guys did it to hassle “the man”, to fight against corporate injustice? Do you think they’d hesitate to hack your credit card, your bank account?

    Scum is scum.

  12. #17: Tru dat. If, as it seems, these were cloned cards which were used to pay employees’ wages, I’ll wager that those wages still haven’t been reimbursed to said employees. I’ve on more than one occasion had problems with the outsourced companies who have handled employers’ payroll, as have various colleagues over the years. Their stock response is that it’ll be put right the following month. God knows how long they’d keep you waiting if someone had actually fraudulently siphoned off your wages.
    Danny Ocean, this ain’t.

  13. Agree with #17. I don’t deny it’s fun to root for the elaborate heist, but don’t pretend this is a victimless crime, or that these people aren’t scum.

  14. There’s nothing odd about this at all, the amounts make perfect sense.
    Most of the ATMs were in bank lobbies, check the FBI wanted poster and report. Most of the attacks took place in cities after midnight within the EST timezone. (Assume the Moscow and Hong Kong hits were most likely proof of concept runs or demonstrations to interested parties).
    Now Veteran’s Day was the following Tuesday, these attacks took place in the early hours of Sunday. So it would make sense for the banks to fill their machines to maximum capacity on the Saturday, working on the assumption that a lot of folks would’ve booked Monday off as well to make it a long weekend. So yeah, ATMs in bank lobbies could well hold $70,000 or more at that point.

    As to them breaking the daily withdrawal limit,
    it’s most likely that the cards themselves hold the transaction details and the ATM only updates a central database every hour or so. So if you clone multiple copies of the same card and allow yourself a margin of error, you’d have at least thirty minutes to keep hammering the same account with copies of the same card, before the ATM phones home and raises the alarm. At that point the lobby doors would probably automatically lock and the police would be alerted, so you wanna make sure your cashers are safely gone, give ’em a half hour time limit in a one hour window and they’ve got some wiggle room.

    This took a lot of planning, discipline and coordination, if only their powers could be used for good :)

  15. One picture doesn’t place all transactions in quicky marts. There are many different ways to do this job, I just tried to provide an example that would accomplish the task in a relatively short period. This would have to go down quickly, before the system had a chance to put it all together.

    Pipenta, putting it in perspective. Robin Hood was a fictional character.

  16. I’d read elsewhere that there were around 100 cards used.

    FoetusNail said “Welcome to the future of crime”. I’m surprised this hasn’t happened a lot more. Can you imagine the havoc that could be wreaked if you did the same kind of coordinated attack, but instead of people stealing money from ATMs, they’re shooting up a shopping mall. Imagine even just a dozen people in as many cities going to their local shopping mall with a couple rifles and/or pistols and going postal, coordinated to happen at the same time. The reaction would be insane.

  17. RBS is the Royal Bank of Scotland and they own my “Bank”; Charter One.

    I received a form letter on January 13 about “a situation involving your personal information. We are investigating fraudulent activity as a result of unauthorized access to our system”

    “We are taking steps to help ensure this type of event does not happen again”

    It went on to explain how to protect myself from ID theft.

    it also advised me to visit http://www.rbsworldpay.us

    .us ? wft? is this part of the scam?

    my account was not one affected.

  18. re: igpajo

    Or imagine a group of people hijacking and crashing a handful of airplanes coordinated to happen at the same time.

    The reaction would be insane.

    Oh, yeah….

  19. First off, the vendor’s website is http://www.rbslynk.com/ OR the rbsworldpay.us link mentioned in the article – both point to identical websites, RBS Lynk is an old name for the company/service.

    Second, it appears that what happened was that the RBS Worldpay computer system was hacked to take money from people’s own bank accounts and pay it out at the various ATMs in the 49 cities reported on. The crime apparently involved stealing money from private/corporate bank accounts and the hack involved avoiding detection and Identity Theft from RBS Worldpay of the identities used.

    The money was stolen from individual accounts, not a single big bank somewhere, and the theft will not hurt those whose identities were stolen – they will be made whole, but the loss will impact the various banks and either their independent insurance coverage OR possibly the FDIC or similar organization, depending on the location of the victim’s bank.

    I, for one, would never call Identity Theft a victimless crime – it creates a horrible legal quagmire that can take months or years to escape, and it likely never goes away…

  20. now we hear about $9 million. They won’t talk about the $90 million yet, we have to get used to the idea.


    Victimless crime is another name for stealing from everyone. In the end, we’re the deep pockets.

  22. Can anyone find the message-board where this one was cooked up?

    My guess is that it was planned on an IRC channel.

  23. @#17 & #18: I think you forget that your money is insured. Part of the idea of having your money stored at a bank is that your cash is “secure”, otherwise what’s the point, outside of the p*ss poor interest payouts? Yes it sucks to lose the money, but you do eventually get it back.

    The banks pump a lot of money into the technology behind securing your dollars against theft, because if those dollars are stolen, they’re on the hook for it. (At least that’s how it works in Canada, I would assume is the norm for any rational banking system.)

    Of course that doesn’t take care of the potential ID theft behind it, but what I was inferring from the article is that they were using cloned payroll cards. Someone doesn’t need to know a single thing about you in order to successfully clone a card – all the information they need to know is on the mag stripe – fortunately for a bank, all they do is change your account numbers and the card is rendered useless.

    If someone clones your debit/ATM/Credit Card, all they end up getting are your account numbers, PIN number and name. And that information isn’t even enough to get through most telephone banking security procedures.

    What the article didn’t cover – likely on purpose – is how the cloned cards gained access to the money. When an employer pays an employee through an ATM card they swipe it through a machine and the magnetic stripe is altered to read that “X” amount of dollars has been added to the existing balance. (those annoying ‘zippy fast cash’ keyring cards work on the same principle.) No account numbers required. If some resourceful person manages to acquire one of those cards or just the information on the magnetic stripe, it can easily be duplicated and in theory any balance added.

    The fraudsters were exploiting something that’s always been flawed with the system – A flaw parties have known about for ages. The best questions would be “What took them so long to do it on a large scale?” and “If the technology is so flawed, why haven’t they fixed it yet?”


    PS: On a side note, I know a lot about the magnetic stripes because I used to work for a security department for a major Canadian bank.

  24. On a side note, I couldn’t help chuckling at the start of the article: “A Fox 5 investigation exposes a worldwide ATM scam …” Really? It sounds like an FBI investigation actually, which a Fox 5 reporter stumbled across. Apparently “investigative journalism” now means “reading police reports”.

    Forget the future of crime for a moment. Welcome to the future of investigative journalism!

  25. Just two quick remarks, since I had to get 5k Euro from a bank branch that had no cash payout, but just ATMs (and the limit on ATMs is 2k/day for my bank):

    a) Some ATMs in Germany let you select the denomination. Your regular ATM pays you in 100s or 50s, but those special ones have 500 Euro notes.

    b) The card limit is not hardcoded into the system. With my card, I had a max of 1k, with a special card a bank employee used, they got 2.5k in one go.

  26. The “card limit” (maximum withdrawal in a single day) is not stored on your account, it is set by your bank and stored centrally. The default in the USA seems to be $300/day.

    I doubt ANY standard banking/charge cards used in the USA store any sort of balance data on the magstripe.

  27. Clearly little thought was given to the security of the system in the first place, if the info necessary to forge these cards was that accessible.

  28. @ Gollux

    “Victimless crime is another name for stealing from everyone. In the end, we’re the deep pockets.”

    I don’t think that is the right use of victimless crime either. A victimless crime is one where all parties consent – prostitution, possessing and selling banned drugs, jaywalking. The employers didn’t consent to this, and the fact that they’re probably insured doesn’t make it any less victim-ful.

  29. To me this sort of thing is a clear sign that money as we now understand it will not survive very long into the information age.

    On the one hand, it is a clear distortion of the signal which paper money is supposedly carrying. There is no way to know if someone handing you money right now got it by cooperative participation in the system, or by this disruptive scheme.

    On the other hand, it’s symptomatic of a dangerous undercurrent just below the surface of the system. Seen from one side, money seems inevitable and natural. Behind the scenes, dramatic efforts must be made to make available to the public currencies with that particular character that allows people to handle it in that inevitable and natural way.

    Allowances were made for the limitations of money as a technology when few other options were available to structure societies. Extreme stresses were collectively taken on, then habituated and forgotten. It is almost time for us to begin to recognize those weights again, and unburden ourselves of them.

    I believe that within a surprisingly few years, most economic decisions will be made based on public data and transparent systems, not on a collective attempt to hallucinate value into paper or other numbers.

  30. There’s definitely something odd about this story.
    As stated above; how do you score $9 million with only 100 cards?
    And how does the mastermind make money from the scam? The “cashers” pay him later? How does he enforce that?
    Or maybe the cashers paid the mastermind up front, but then they would have to be very trusting, not to say naive.
    And how did the mastermind make sure they all stuck to the same timeslot?

  31. #45: Well, the obvious solution to the timeslot issue is to distribute programmed cards in advance, no imprint, just a sequence #, and then at the appointed time, SMS the PINs that go with each card. That way nobody can start early.

    Likely the cashers were driven around in a car by a more trusted lieutenant, and the money collected from them as soon as they walked out of the bank.

    The FBI statement says “approximately 100 of these cards were compromised”. Perhaps a more accurate explanation is that 100 of these accounts were compromised, and multiple cards were cloned for each account?

    Still not clear how they get around the withdrawal limit on each account, though if they had full access to RBS computers, they might be able to raise or reset the limit?

  32. Reading the comments I was reminded of the idea of the division of the working class through the creation of criminal and non-criminal.

    An ongoing pervasive inequality exists in the world such that, at some level, we delight at the idea of the heist that sticks it to ‘the man’ – especially one featuring technology.

    With crashing markets and failing banks, we see some form of wealth distribution legal, others not – and divided we fall.

    However paraphrasing Heidegger “in the danger is the saving power”

  33. Genius.
    I wish I could get involved in such a massive Project Mayhem style project.
    Only time will tell if this plan was flawless though.

  34. Bang! Bang!


    Bang! Bang!


    (This is the Self Preservation Society… This is the…)

  35. To clear my point a bit... Yes I know the money did not come from individuals. That would imply way too much time and way more than 100-ish cards as the accounts from individual would only be $500-1000 at best. Also yes I know that the accounts were more than likely insured, insurance companies are fiends and need to burn.

    To quote (misquote) The Stainless Steel Rat. Everybody had a bit of fun, no one was hurt. The police had something to do, the banks were insured the money will be spent boosting the local economy, only the stock holders of the insurance companies will get a fractionally smaller dividend. Mangled I know but close enough to follow.

  36. DEMIDAN said:

    Everybody had a bit of fun, no one was hurt. The police had something to do, the banks were insured the money will be spent boosting the local economy, only the stock holders of the insurance companies will get a fractionally smaller dividend. Mangled I know but close enough to follow.


    The loss impacts the insurance company, which in the case of the US FDIC is “owned” by the US Gov’t., when the Gov’t loses, its citizens lose. The loss is a drain to a fund, which must be replenished from all banks. There are no shareholders in FDIC, like there are in say, GM.

    Simply put, the $9M they stole from the Gov’t insurance companies is $9M that isn’t available to repay insured deposits at failed banks, and I think we’re expecting a few banks to fail this year.

    The key element of this “heist” appears to be the hourly update from the cash machines.

    If this “heist” were against American Banks (it wasn’t, but if it were), that $9M would equate to $0.25 per citizen, most people wouldn’t miss a quarter, but that doesn’t make the thieves entitled to my quarter, your quarter and the kid down the street’s quarter. We teach our children not to shoplift because it is wrong, not because the impact of their shoplifting is too concentrated to the shop owner – we don’t tell them that if the loss could be spread out over millions of victims a little bit, then it’s OK.

  37. “we don’t tell them that if the loss could be spread out over millions of victims a little bit, then it’s OK.”

    so the criminal misapplication of taxes to illegal war is wrong?

  38. Interesting story, although I’m not sure if the sexy word “flashmob” is appropriate here.

    Are the people who vote for American Idol contestants also a flashmob? Were the people who responded to Jerry’s telethon pleas a flashmob?
    Is a Blitzkrieg a flashmob of airplanes?


  39. @ Takuan- I thought the same- But then realized that they really COULD have stolen the cash to help fund an orphanage for blind kids, or something like that.:D

  40. This seems almost like a modern, global version of the outbreak of bank robberies in the US during the Great Depression. Even some people’s reactions (like #5) are nearly identical.

  41. @#60 POSTED BY NEWFAM:

    @ Takuan- I thought the same- But then realized that they really COULD have stolen the cash to help fund an orphanage for blind kids, or something like that.:D

    Never question the “Widows & Orphans” fund.

    Never question why education systems are falling apart yet state lotteries supposedly collecting money that goes towards education.

    Don’t question!

    /tangent off

  42. JACK said:

    Never question why education systems are falling apart yet state lotteries supposedly collecting money that goes towards education.

    For those who don’t know, the reason education is failing as lottery revenues increase is very simple:

    Schools have a defined budget,
    as more monies flow into the state coffers it reduces the state obligation to fund education (and senior citizen activities, in some states),
    but it does not increase the size of the defined budget,
    freeing up state resources to be wasted on other things.

    If the lottery were to suffer revenue losses (decreased ticket sales), the state should cut back on the other activities and fully-fund education, but that seems dubious.

  43. I read about this in The Herald (Scotland). It specifically said that the RBS computer system was hacked in order to raise the daily withdrawal limit on these particular cards.

    Certainly the kind of ATM you get in a bank rather than a convenience store will hold plenty of money, especially at the start of a weekend. And if you split your attentions between two or three machines then there would be no question that sufficient cash would be available. [This tactic would seem to undermine the highly organised synchronisation of this hit-and-run. I am inclined to believe it would have been one machine per card per casher.]

    I can see how the cash withdrawal limits could easily be changed (assuming you had hacked into that part of the bank’s computer system). I would hope that RBS also has an anti-fraud system in place that automatically checks ATM transactions for plausibility. That would also need to have been compromised. If, on the other hand, they didn’t have such a system, it was a costly mistake.
