ATM Black Box attacks: 27 arrested all over Europe

The efforts of a number of EU Member States and Norway, supported by Europol’s European Cybercrime Centre (EC3) and the Joint Cybercrime Action Taskforce (J-CAT), culminated in the arrest of 27 individuals linked with so-called ATM Black Box attacks across Europe.

Black Box attacks

Perpetrators responsible for this new and sophisticated method of ATM jackpotting were identified in a number of countries over different periods of time in 2016 and 2017. There were arrests in Czech Republic (3), Estonia (4), France (11), the Netherlands (2), Romania (2), Spain (2) and Norway (3).

Black Box attacks

The ATM Black Box phenomenon first appeared in Western Europe in 2015, but most arrests took place in 2016 and 2017, with the most recent in Spain this month.

Black Box is a sort of ATM logical attack through connection of an unauthorised device (usually unknown Box or laptop) which sends dispenses commands directly to the ATM cash dispenser in order to “cash-out” the ATM.

Criminals gain access to the ATM Top Box usually by drilling holes or melting in order to physically connect such device. The device can send relay commands that cause the ATM to dispense all cash. Therefore losses can be significant and counted in hundreds of thousands of Euros. This new Modus Operandi also demonstrates connections between illegal cash-outs due to cyber related techniques used in the background.

Law enforcement cooperation

Perpetrators involved in ATM Black Box attacks come mainly from countries such as Romania, Moldova, Russia and Ukraine. Some of the investigations are still on-going and further arrests are expected in the near future.

The EC3 Analysis Project (AP) Terminal, involved in the operational coordination of cases at the European level, cooperates also with the ATM industry in order to detect Black Box incidents properly. It is worth stressing that most attacks are unsuccessful attempts, as joint public and private cooperation in this domain is improving. The above release shall be a warning sign for those who try to commit such attacks but also encourage the ATM industry to implement proper protective measures against the threat.

A report from the European ATM Security Team (EAST) discloses that criminals carried out ATM Black Box attacks in 10 reporting countries during 2016. According to the EAST 2016 Crime Report, 58 such attacks in 2016 were reported by their National Members, compared with 15 in 2015; therefore a 287 percent increase was noted. Also, losses linked with overall ATM-related fraud rose 2 percent compared with 2015 (up from €327 million to €332 million).

Steven Wilson, Head of Europol’s European Cybercrime Centre, said: “Our joint efforts to tackle this new criminal phenomenon resulted in significant arrests across Europe. However the arrest of offenders is only one part of stopping this form of criminality. Increasingly we need to work closely with the ATM industry to design out vulnerabilities at source and prevent the crime taking place. This industry and law enforcement cooperation combined with the work with banks and prosecutors can make a major difference in stopping this growing form of crime.”

Don't miss