How do they hack ATMs?
Sergey Pavlovich talked to a masked man who hacks ATMs. He told us how he came to this, how it is done, how much ATM hacking software costs, which banks have the most secure ATMs, and what the prison term is for this.
How did you get into this and how long ago?
Pavlovich:
Hello, friends. Today we will talk about how ATMs are emptied. Nowadays, this is becoming especially relevant, but as always, we are not calling for anything. Let's talk about ATMs. Why ATMs? How did you get into this, that is, the ATM topic, and how long ago?
Hacker:
Hello. Actually, it all started back in 2013, when we were young and had no idea what to do at all. We just scoured the Internet. The first thing we came across was carding. But ours was physical carding: fake keyboards, a separate mouth, checkers and everything else. And then a machine was purchased, that is, we made our own cards.
That's basically how we got acquainted with terminals. Well, this topic did not live long, because a couple is not particularly interesting to work with. And a lot of money is spent on material, a lot. Well, plus the legislation itself is such that it is not always convenient to implement all this.
Pavlovich:
So you installed skimmers on ATMs or what?
Hacker:
Yes, skimmers. Keyboard, mouth, video camera. What is a mouth? A mouth is an overlay on the slot where the card is inserted.
Pavlovich:
Ah, well, in our language it was always just called a skimmer, and that's it.
Hacker:
Well, we called it a mouth.
Pavlovich:
You mean mouth like a person's mouth, right? Is that an analogy?
Hacker:
Yes. That's just where such names came from. And then, if you know, there is the Exploit forum on the Internet, and a section appeared there called "Work on ATM". It was interesting to see what kind of work this was: a continuation of the same topic, or something new? It turned out to be something completely different and new. In a nutshell, it is the withdrawal of funds from the ATM itself via USB.
Each ATM has its own USB ports. On some models they are not in very protected places. This is the top part of the ATM, where the advertising is placed. They always write either T-Bank or... It doesn't matter, any ATM. The top false panel is held on only by simple clips. You unclip it, and you have... If we take, for example, a Wincor S2000, a terminal like that, then there is a hole on the right side, and right next to this hole are the USB ports.
If we take NCR, which Sberbank really likes, their false panel does not unclip well, so this method was invented. A cordless screwdriver was taken, a hole-saw bit for wood was attached to it, and a hole was simply drilled; right behind the hole are the ports. You insert a USB hub into them, and in the USB hub you have a wireless keyboard adapter and a flash drive with two programs.
You connect, go to My Computer and launch your program. That's it. And it gives you all the cash.
What version of Windows do ATMs run on?
Pavlovich:
But, as I recall, from the past, ATMs were on Windows, right? What Windows are they on now?
Hacker:
In general, if you take Sberbank, it has the worst hardware possible. When I encountered this, at first I didn't even believe that this bank uses such things. Firstly, very old computers with minimal RAM, which is why everything runs very slowly. And they all have Windows 7. Pirated Windows 7. Everywhere.
Pavlovich:
Windows 7, right?
Hacker:
Yes, Windows 7, yes. The most common.
Pavlovich:
So you get access to these ports; that is, essentially, like a legitimate technician who services the ATM, you connect to the USB port that the legitimate technical specialists use to set up and debug the ATM, right?
Hacker:
Yes, everything is correct.
Like they work with video cameras.
Pavlovich:
Okay, but here the question immediately arises: the video cameras, that is, the cameras built into it, somewhere on the street, on neighboring buildings, and so on, can capture all your manipulations?
Hacker:
Of course, yes. It is all visible. In general, the procedure itself happens very quickly: in about forty minutes you completely empty it. Preparation takes more time. First, you need to plan several escape routes, as well as approach routes. See what video cameras there are and, first of all, what area they cover. By the area, I mean how far they will track your path along your escape route.
Plus you also need to understand what cameras there are inside the terminal. These are always self-service zones that work around the clock, because it is unrealistic to work during the daytime due to foot traffic. That's why it's only at night. Everything is checked very trivially and simply. You come, tape over the camera, leave and wait to see whether someone comes or not. If they have live surveillance and someone is always at the monitoring desk, they will definitely come.
But, as practice has shown, in 99% of cases all the cameras simply record. Nothing works in real time.
Pavlovich:
Do they work at all? Because in my time I read statistics that, in my opinion, two thirds of the cameras in Belarusian ATMs simply did not work; they were turned off.
Hacker:
They do not work in terminals. First of all, I will explain to you how they work. There is a hard drive, a separate storage device for the video. And sometimes it records, sometimes it does not. I do not know what algorithms they have written there. But, let's say, what we encountered when the terminal was later checked by employees was that there was simply no video recording from the terminal itself. There was a video recording of people entering the branch and taping over the camera.
Well, that's when you've already prepared the place and done everything: they went in, taped up the camera, and that's it, then it's dark. Who's doing what is unclear, and the camera on the terminal itself didn't record anything at all. This, it seems to me, is simply the technicians' own miscalculation, because they're negligent. That is, they don't monitor it at all.
How long does it take for the task force to arrive?
Pavlovich:
And how long do you wait? For example, you tape up the camera; how long do you wait to see whether they arrive or not?
Hacker:
The average time for the task force to arrive, according to their algorithm, is about five minutes. Well, as usual, you wait about half an hour to be 100% sure that no one else will arrive. So you wait, go in, peel it off and leave. By the time you go to do the job, you already know that they won't arrive.
There is, of course, a risk that someone might show up, so to speak, by bad luck.
What ATMs do they work on?
Pavlovich:
So, as I understand it, these are not ATMs standing on the street, but somewhere in a small nook; that is, you go into some booth in the building, into a little anteroom, figuratively speaking, and there is an ATM there.
Hacker:
It all depends on the model. If you have a suitable model standing outside, just built into the wall, you work on the street. If it is in a self-service zone, like in a small anteroom, then there are no questions. You work there.
Are they afraid of people passing by?
Pavlovich:
But you say 40 minutes; this is a fairly long period of time, and people will come up, other customers could catch you at your manipulations there. Do you need to dress up as technicians?
Hacker:
We personally did not do this, because when preparing, you inspect the place in advance for 2-3 days and you already understand what the traffic is on each day of the week. That is, yes, there is a risk that someone, so to speak, a passer-by will come along, but as practice has shown, at night on weekdays no one goes there, absolutely no one, and even taxis drive by very rarely.
ATM sensors.
Pavlovich:
Another problem is the shock sensor.
Hacker:
I will explain how the ATM is generally equipped. Just a bare ATM, which the company itself buys, let's take a Wincor S2000, costs about a million rubles. Just a bare ATM: there are 4 dispensers inside. A dispenser is a cassette, each cassette with a capacity of 1000 bills. There is a monitor, a cash register, sorry, a receipt printer. That's all. That's all there is. Well, and, of course, the safe section.
All the rest are sensors: a temperature sensor, a shock sensor, a vibration sensor, and it turns out there is even a sound sensor, for extraneous sounds inside. These are all add-ons, and they are all purchased separately. So if, for example, the same Wincor S2000 is fully equipped, it will cost about 4 million rubles. And not every bank is ready, let's say, to take 300 units at such a price into its fleet.
Therefore, they take them at the lowest price, and in most cases there are no sensors, nothing. There is not even ink in the cassettes.
Pavlovich:
Well, now receipt tape is running out in Russia; that is, the sanctions are doing their job, and today I already read that the price of receipt tape has gone up 3.6 times, so it will soon affect ATMs too.
Hacker:
Yes-yes-yes.
Pavlovich:
And soon there won't be any ATMs; there will be old ladies, yes, cashiers. Figuratively speaking, they will hire pensioners and they will stand there and give out cash at the branch, because why buy ATMs? Okay, there's another reason too: who will even sell them to them, with all this going on. So you want to say that sensors, in short, are nothing; they practically never install additional ones, right?
Hacker:
In most cases, no.
Which bank protects its ATMs the best?
Pavlovich:
Yes, I get it. And which bank is the most serious about additional equipment, about all kinds of attachments to its ATMs?
Hacker:
If in Russia, I met such a bank, it's called OTP. I don't know if it's still alive at the moment.
Pavlovich:
It's Hungary, I think.
Hacker:
I think so, I won't lie. That is, at OTP, first of all, even the entrance to the branch is not just a magnetic stripe reader, the kind where you can swipe either a Pyaterochka discount card or a bank card and it lets you inside the premises. They have an interesting entry system, it turns out. You insert a bank card, and only after inserting a bank card does the door open. Because, it turns out, there is a reader there configured for the chip on the card.
Only after that they let you in.
Pavlovich:
Do you enter there specifically with a card of only this bank or with any bank card?
Hacker:
With any bank card. But it is configured specifically for a bank card. Plus they have live surveillance at all locations, everywhere. And the task force arrives very quickly: within about five minutes the group is there.
Pavlovich:
Got it. OTP, foreign bank, and what other ones?
Hacker:
Well, all the others that we encountered: Alfa, Gazprom, VTB, Bank of Moscow, Eurobank. There was no such security anywhere. This is the only bank I encountered with such security.
"T-Bank has the best terminals."
Pavlovich:
How does T-Bank behave?
Hacker:
Do you mean T-Bank? It behaves wonderfully. It has the best terminals.
Pavlovich:
Do you mean the highest quality or what?
Hacker:
They are high-quality terminals, yes. The USB ports are on the back; you can't get to them. You'd have to unscrew half the machine to get to them.
Pavlovich:
So, in short, T-Bank doesn't skimp on security, right?
Hacker:
They don't skimp, yes. Their terminals are very expensive and very high quality.
Pavlovich:
I understand. That is, you're not afraid of the motion sensor, essentially, the noise sensor, and so on.
Hacker:
Yes, because you see, firstly, you have no mechanical impact, you don’t move anything, you don’t break anything, unfastening the top panel is easy and there is no noise.
Pavlovich:
But you said with a cordless screwdriver anyway; if Sber has to be drilled with a cordless screwdriver, that's sound and vibration.
Hacker:
There is sound and vibration, yes, but Sber doesn't have sensors. Especially in branches; I've noticed that. Let's say a bank branch is large, a large branch where different clients are served. They have fully equipped ATMs there and everything is secure. But if some branch is a self-service area that simply stands separately and works 24 hours, there is no security at all. Although it should be the other way around. But who would go to work in the city center? They'll always go to work on the outskirts. And their outskirts are not protected at all. That was a surprise to me too. I didn't think that a company with that kind of money could save so much on its security.
How much was taken out from one ATM?
Pavlovich:
In terms of the take, you say, how much is it, 4 dispensers of 1000 bills each?
Hacker:
For 1000 bills, yes.
Pavlovich:
4 dispensers. One will be foreign currency, for example, if a normal ATM is multi-currency: one with dollars, one with euros, and the rest in rubles, two cassettes, for example.
Hacker:
Yes, that's how it happens, but you can catch full loads on certain dates. For example, if all state-funded organizations pay the advance on the 24th and the salary on the 10th, during that period the terminals will be fully loaded. This has already been checked against the cash collection crews, that is, how they move, how they load. Then it's a 100% hit.
You need to catch this separately: pick a location and watch how it is loaded and how much is withdrawn from it, basically the throughput of people.
Pavlovich:
What's the biggest jackpot that you and your gang managed to hit, let's say?
Hacker:
17 million at a time.
What are the risks?
Pavlovich:
17 million rubles, okay, that's clear. I think the guys themselves understand the risks; there are risks in any case: a PPS patrol can drive past you, a concerned citizen can turn you in, fingerprints can remain, a hair can fall and there is your DNA, and if you get caught on camera you will be identified. What is the optimal composition of the participants, let's say, of your group? Someone needs to observe, someone needs to cover the rear, etc., etc. And someone needs to be able to use the software and even a screwdriver.
Hacker:
Three people. One is on the street and chooses the most optimal point. Firstly, the place is chosen so that it can be viewed from all sides from one point: if you are on the street, let's say, standing in the dark where there are bushes, so that you can see the street from all sides. Naturally, you use only radios, and you also need one participant inside with you to help collect the cash.
Pavlovich:
Well, it's like at an intersection, where you can see in three directions, let's say.
Hacker:
Yes.
What is the software?
Pavlovich:
Okay, collecting the cash, this is already more interesting. What is the software? That is, you connect and load some software from the flash drive?
Hacker:
You don't even copy it to the computer; you run it directly from the flash drive. There are two programs, simple to the point of banality, but made, so to speak, ingeniously. The first program shows how much cash you have and in which cassette. The second program is directly involved in unloading. Let me explain. You can unload one bill at a time, or you can tick the checkbox for dispensing all the cash at once.
Well, that is, it will unload the maximum amount at a time, as much as fits into the dispensing slot, into the cash outlet, it turns out; that's how much it will give out to you. That is, if 60 bills fit, it will give out 60. If 100 fit, it will give out 100 bills at a time.
How much can an ATM give out at a time?
Pavlovich:
And how much on average? I just don't usually withdraw in such bundles; I have 20-40 bills there maximum. How wide is this dispensing window usually?
Hacker:
Well, about 2-3 centimeters, because, for example, 100 bills is about a centimeter. That is, 100 bills is the maximum that, for example, a Wincor S2000 can give out. It physically can't take more. 100 bills? That's it. Yes, at once. And the essence of the software is that it controls only the mechanics. It controls the auger that moves into the dispenser, into the safe section, and back.
It doesn't get into the brains at all. Absolutely. It's invisible, and no one understands what happened. And after you completely unload it, all the counters remain in place, as they were. That is, if you had, say, 100 there, then that's how it remained.
Pavlovich:
And the money is physically no longer there.
Hacker:
Yes, and the only way to find out that it's not there is through cash collection: they come, open the safe section, take out the cassettes and see that there really is no money there.
How the task force operates.
Pavlovich:
Well, they come, take out the cassettes, make sure that there is none. And then what? How do they understand that they have essentially been robbed?
Hacker:
They start by looking in their own database: how much was issued, over what period of time. They look to see if there were any glitches. When they understand that there were no glitches, well, of course, they immediately look at the video cameras. When they understand that they had no failures, and the video cameras went dark at one fine moment at a certain amount, let's say, at 7 million, and after that people started contacting them to say that the terminal does not give out cash, they understand that they were robbed.
Pavlovich:
Previously, I just caught those times when such software for USB access was only being written. And there was slightly different software; its operating principle was that it apparently got specifically into the brains, into the device settings, and modified them so that it was quickly reconfigured; you left with the equipment already, that's it, the ATM is reconfigured, and you
Hacker:
To be honest, I have never encountered such software. And however much I communicated with the technicians who supply the software, I asked them a similar question. They say that there are certain libraries there in which the operating algorithms are recorded, and doing exactly this, the way you describe the method, so that there are no problems, is very difficult technically without physical access to the mechanics. That is, setting up some algorithms specifically in the library, because it works according to specific cycles.
Who makes this software?
Pavlovich:
I understand. What does the software cost, and who actually produces and sells it?
Hacker:
It is produced and sold by those who have access to the factory equipment, for example, to the assembly line of a particular terminal model. Because without that, you will not know how to take the mechanics, or rather, how the mechanics work; that's one. And, well, you simply cannot get a terminal for yourself; no one will sell it to you. It is only sold to the company that purchases terminals. And all the software comes from those people who have access.
Why don't they set passwords in the ATM system?
Pavlovich:
But then why not, let's say, block... Well, I understand that you can't block it from external connections, because then the technician won't be able to come and reconfigure it, I understand that, but setting some passwords, you know, figuratively speaking, for connecting a flash drive, something like that, is technically possible.
Hacker:
I understand your question, and I simply don't have an answer to it, because of all the terminals I've seen, none of them even had a password for logging into Windows.
Pavlovich:
That is, a password for logging into Windows would have created a certain obstacle for you in this case.
Hacker:
No, it wouldn't. We would have simply rebooted, booted our own virtual machine, logged in from there, and that's it.
Pavlovich:
But it would still have taken 5 minutes more.
"You can do anything with an ATM at night."
Hacker:
Of course, it would have taken time, yes. But it wouldn't create a serious problem. I can tell you that from my experience. At night you can do whatever you want with this terminal, from 12 o'clock on weekdays until 3 o'clock. Dance there, whatever. Nobody comes. Even random users withdraw money there. Well, because you yourself select the places where there is little traffic.
The cost of the software and its availability on the market.
Pavlovich:
What about the cost of the software, its availability on the market, and, in general, manuals on how to do it?
Hacker:
The cost. First of all, when it first comes out, the guys who released it start using it. Well, and, of course, their inner circle. While the topic has not yet been worn out, they work it to the full. If you have some kind of contact or friendly relationship with them, of course, you will also get it. Either you pay for it with a certain percentage of the take, or one time. If one time, in my case it was a million rubles.
Pavlovich:
For one ATM model, right?
Hacker:
For one, yes. Just one model. If by percentage, then 70/30: 70 is yours, 30 you give away.
How do software sellers know how much money you withdrew from an ATM?
Pavlovich:
But they don't know how much money you withdrew from it. When we gave out cards with PIN codes to our drops and made them run around ATMs, we never knew how much they would withdraw. And I think that half of them, in fact, stole our money.
Hacker:
But here's an interesting point. When you launch the software, you have a little window in the corner. Next to this window is a certain code. You enter this code into a special program, which you also have with you, and it generates the second half for you. So when you buy the software outright, they give you this little generator that generates these passwords, the second half of the passwords.
And when you work on a percentage, you contact a person and tell him the code, via Telegram or any other messenger; he sends you the second half, and you withdraw. And when you connect and enter the code, he sees through his software how much cash there was.
Pavlovich:
Well, there are cases when you did not have time to withdraw everything; someone scared you off, for example, or something else.
Hacker:
This is already a matter of trust. That is, however much you withdrew, that's how much you withdrew, yes. That is, if you work with someone... well, I had this situation: the guys worked with a person for about five months, and there was trust, so no one even deceived each other.
Pavlovich:
Got it. Well, especially since if you deceive them, you lose your job, in fact.
Hacker:
Yes, what's the point? If you have access to a good program, constant updates and support, why lose these connections for the sake of some extra million? Personally, I don't see the point in it.
How many ATMs can you empty in 5 months?
Pavlovich:
Well, you said they worked for 5 months; that's quite a long time. How many ATMs can a group that works on ATMs using this scheme, with this USB software, empty in 5 months?
Hacker:
It all depends on the group: what their goals are and how enthusiastic and resourceful they are, firstly, in choosing locations. If you, for example, enter a city, well, let's take Moscow. In Moscow, you can work a maximum of 3-4 days. How many terminals you can get through per night depends only on you.
That is, it takes you about 50 minutes per terminal, roughly speaking. So you can easily do 3 per night, in my personal experience. Really easy. When you already have experience, 3 terminals is easy. Just multiply it out for a week: 5 by 3 is 15 terminals.
Why can't you work in one city for more than 4 days?
Pavlovich:
And you said that you can work in Moscow for 3-4 days. What is the reason for that?
Hacker:
The reason is that a rumor will spread very widely among the banks that there is some kind of unknown group in the city that is withdrawing money in some unclear way. And they will start taking measures. Sberbank, let's say, did this: they simply started locking their branches after 12. With a key. That's it. They did this until they figured out what was going on.
Why aren't such arrests advertised?
Pavlovich:
But arrests of this kind are not frequent, as far as I can follow in the media. More often than not, the media reports that an ATM was cut open with an oxyacetylene torch, blown up, or torn out. Why so rarely? Are such gangs not often caught, or do the banks prefer to remain silent, or what is the reason in general?
Hacker:
First of all, yes, the last thing you said: banks prefer to keep quiet. Very much so, because it hits their reputation, and no one wants to keep money with them afterwards. When it was physical, it's understandable; everyone understands that these crazy bandits flew in with an oxyacetylene torch and cut the ATM open. But when there were no signs of a break-in and there was no money there, then people begin to understand that there is no point in trusting this bank.
Because some guys came, plugged in some wires and took all the money. That is, their money is no longer safe. And the second point: very few people have access to this software, because the sellers themselves sell it very carefully. And so we had an agreement that the software would not leave our hands anywhere. That is, if we work, we took it for ourselves, then we work; if we stopped, then we forget about it and do not give it to anyone.
Because otherwise the topic begins to die very quickly.
How long does the software work?
Pavlovich:
Well, I understand. But how long does one piece of software work? Because ATM manufacturers are constantly releasing updates.
Hacker:
Let me tell you this. The software we worked with still works; the guys in Europe use it, although it was released in 2017. It was simply updated; the operating algorithm remained the same.
Where is it safer to work: in the CIS or in Europe?
Pavlovich:
Is it safer to work in the CIS, in Russia, for example, or in Europe?
Hacker:
In Europe.
Pavlovich:
What is the reason?
Hacker:
Firstly, because of the amount of funds you get at a time. That's one. And secondly, their security is not as well developed as, for example, in Russia. In Russia, all the private security companies and video surveillance are more developed than in some European countries. Well, we don't count the super-developed ones, such as Switzerland, for example; it's clear there. That's it.
And, for example, Latvia and Lithuania are very good places where you can go around the currency terminals.
How many such groups are there in the CIS?
Pavlovich:
Well, in your opinion, you're in this crowd, how many people or groups are there in total? Well, if we count by people, it is clear that one doesn't work alone; he has assistants. How many groups are involved in this in general? Well, in the world it is probably difficult to say, because there are Romanians, Bulgarians and so on who often engage in such schemes, but in the vast expanses of the CIS, how many people now own this software and gut ATMs?
Hacker:
At the time when we were doing it, I would say there were only three teams engaged in this, including us; that is, there were three of them, only three, who worked according to this scheme. At present, I think, even fewer.
How many ATMs has his group emptied?
Pavlovich:
Well, I don't know if this question is appropriate: how many ATMs did you empty?
Hacker:
I can tell you the total amount; it came out to, it turns out, over 90 million.
Pavlovich:
Well, of course, the exchange rate was different back then; the rate was 65-70.
Hacker:
Of course, of course, the exchange rate was completely different.
Why did you leave it?
Pavlovich:
And why are you talking about everything in the past tense? Well, there are two possibilities: the first is security reasons, since saying that I am doing this now would attract anger and attention; that is the first point. And the second, I admit, is that maybe there was enough money to leave it once and for all. But for these crimes the statute of limitations is long; they can hold you accountable for the old ones.
Hacker:
Yes, we left it for security reasons, because, you know, there are two types of people. Some do it because they like it; I have met such guys, they just like doing it. It's some kind of action in their life when they go on these adventures. We were from the category of those who needed a sum for certain purposes. But there was no way to get it quickly at that time.
Therefore, we turned to this opportunity. As soon as the necessary amount was in hand, we closed this topic for ourselves.
What knowledge and skills are needed for such work?
Pavlovich:
What other knowledge is needed for such unnoticed, successful work?
Hacker:
Firstly, you need good knowledge of the PC, so that you don't stall on the spot if something happens, if it kicks you out or does not let you into the root folders where the flash drive will be shown, so that you can calmly bypass this. Plus you need knowledge of preparation, what you need to do before you go, so as not to leave absolutely any traces: no fingerprints, no hair, etc.
Studying the area: you must understand this. That is, if you do not know how to, then you need to read up and study it. Plus devise new escape routes and approaches. And, in principle, a person should have, so to speak, a certain amount of ingenuity, because there is this moment: let's say you removed the false panel, and behind it, behind these holes, there is wiring.
And so many guys wrote, when they encountered this: damn, what do we do with these wires? But when we encountered this, we solved the problem simply, because when you prepare, you take with you not only the required tools, you also take some others, just in case. For example, we understood that something could happen. Take ordinary medical clamps. They are not long in themselves. We needed long ones, because we understood that the port behind the hole is about 30 centimeters in.
And the clamps are only about 20 centimeters long. That is, we would not physically reach the port. So what did we do? We took two sets, sawed one up and welded handles onto the other. And when we came across these wires, we simply lifted them; the wires are held to a frame with nylon ties. We cut these with a knife, not the wires but the ties. We lifted the wires and plugged in our device.
These are the kinds of difficulties you always encounter.
How does the police work to investigate such crimes?
Pavlovich:
How does it work when an ATM was robbed and the bank found out about it after the fact, for example? How do the bank's response team and the police work to investigate such crimes?
Hacker:
First, the bank's team, as soon as they find out about it, immediately files a report about the loss. To the police? To the police, yes. Why do they do this? So that for the insurance company they have a report on file stating that they reported it immediately, as soon as they found out, so that it counts as an insured event. After that, they begin to conduct an investigation together with the police.
That means cameras, and questioning, let's say, of people previously noticed in this. It goes as far as pulling the card index and calling in the subjects, who did what. And if there are leads, some remnants of material or someone seen somewhere on cameras, they start to run it down, to search. But most often, it is their own tongues that ruin people.
I know of so many cases where it was their tongues that ruined the teams, not that they messed up somewhere, because the operation itself is very careful. Firstly, the software does not leave a trace. And sometimes the bank finds out only after 3-4 days. Well, in 3-4 days you have the opportunity to go anywhere. And the police themselves never work too fast, unless it's the special services, so you have time.
And when someone from the team starts to talk somewhere, to tell something, it leads to it all ending. Well, and of course, if someone suddenly gets rich, this also raises questions.
Do they track banknotes by numbers?
Pavlovich:
And do they track banknotes or not? The banknotes are numbered, it is probably known which numbers were loaded there, which banknotes.
Hacker:
No, no bank in the world tracks banknotes for one simple reason. If they track these banknotes, they will not have enough memory capacity to remember it all. That's why they do not do it.
Camouflage methods.
Pavlovich:
Elementary camouflage methods, for example, when you go on a job, that is, I don’t know, a hood, a cap, some kind of false sidelocks, to pretend to be a Jew, glasses, something else, gloves.
Hacker:
Firstly, it is a complete change of clothes every time, starting from socks and ending with underwear, sneakers, good sports shoes so that you can run away in them, you should never skimp on this because you can get hurt somewhere in cheap shoes or they will simply be inconvenient for you to work, disposable clothing, a mask is a must, so that all your facial biometrics are completely hidden.
Pavlovich:
But you mean the mask like now for coronavirus, right? Like yours, like?
Hacker:
Well, it is better to have a complete mask so that neither your ears nor anything is visible, that is, not the cuts of the eyes. Biometrics, it works on the protrusions of the eyes, well, on the sockets of the eyes and so on. That is, well, all the mechanics of the face are read. And when you are in a full mask and, let's say, you also put on ski goggles on top, but it is very problematic to combine it, even if someone will combine it.
Pavlovich:
So what kind of mask? You mean like a special forces balaclava, right? This one or what?
Hacker:
Yes, yes, yes, a regular ski balaclava, or a special forces one, if you find it, that's it.
Pavlovich:
Yes, I understand. I have a ski one, if anything.
Hacker:
Might come in handy.
What happens after the arrest?
Pavlovich:
Yes, I don't know what will come in handy here now, but I know for sure what will come in handy: sugar, we bought it now; they will come in handy, we also bought it; and the best thing, the best thing, come by, is Coca-Cola, we also bought it now because today they are stopping all their production; and of course shampoo and washing powders, and what else is there, toothpaste, attachments for imported toothbrushes, I also bought them today because soon they will be gone. Okay, and what happens after the arrest?
Have you ever been arrested on the way, during the case, after the case? Well, if they arrested you after the case, we probably wouldn't be talking, because you would still be sitting.
Hacker:
Well, look, I'll explain the pricing policy to you, so to speak, what they give for this and how it happens. If, let's say, you go to work on your first day, for the first time, no one will come to detain you, because no one knows about you. Well, unless your friend told you all the help. If you work in the same city, let's say, for a week, well, you need to think about what's wrong with your head and where you went.
And when, if you come to the place, and an operational group arrives, and an operational group consisting of SOBR, in order to, let's say, order a SOBR capture group, documents are prepared for this. No one will physically do this in one day. These documents are prepared, a special report, their leader is sent, he forms a group, and the group leaves for the capture site. How many days it will stay at the capture site, this is determined by the operatives themselves. One, two, three, four.
That is, how they conducted their operational activities, how they monitored the team, this is already in their jurisdiction. And if you are detained, you are brought to the department. Well, there, of course, all the special effects begin. First, when you are detained, they will lift you up, film you on camera to show that you are alive and well. This is necessary for... they have dots in the reports. They will ask you if there are any complaints about the detention, whether you were beaten. You, of course, will answer "no", but after that the camera turns off and the special effects begin.
Because SOBR are very evil people, they have very interesting stun guns. And they really like to mock those who are engaged in all sorts of incomprehensible actions like this. After short special effects on the street, they bring you to the department. In the department, they will immediately divide you all into different rooms and begin to put pressure on each one. After that, searches will begin in the places where you live, when they are installed.
Well, and after that, the temporary detention center and the pre-trial detention center. In the pretrial detention center, there will be their own events. What about punishment? Let's say we take the territory of the Russian Federation. This is 158, part 4. From 0 to 10 years. According to the new law introduced in 2018, someone who has no previous convictions, because 158 is a classification of light articles, is a crime not against the person.
Pavlovich:
This is theft, right?
Hacker:
Yes, this is theft, this is a crime not against the person, but simply against property. And according to the new law introduced, the day spent in the pretrial detention center before the verdict is counted as one and a half days. Well, that is, let's say, if you were convicted, given 5 years, our trials in Russia are very long, you sat in a pretrial detention center, let's say, 3 years and 4 months, then you will be released on the day of conviction,
when you are convicted, some days before the sentence comes into force and you will be released peacefully, that's what they give for this in terms of the terms that I know, they asked for no more than 5 years without a criminal record...
And I participated in special effects, from the side, so to speak. On whom special effects are tested. No, I speak from the side of the one on whom they are tested.
Pavlovich:
Ah, I thought SOBR.
Hacker:
No, SOBR would be normal. It would be interesting to work as SOBR, drive around all the terminals at night...
Yes, I agree. A year in a pretrial detention center and they let me go because they screwed up with the documents.
Pavlovich:
With what documents?
Hacker:
First of all, they let me go on sanction. They did not prepare documents for the sanction that I could abscond, put pressure on witnesses, etc. And they brought me on the last day of my term expiration themselves. Well, they discharged me for 2 months, and my 2 months were coming to an end, and on the last day they took me to court. And the judge did not see the documents and could not close her eyes to this, they let me go.
Naturally, this moment was free, the trials lasted a very, very long time, they went on, and, in general, the court decided to limit itself to the time served.
Pavlovich:
In a pretrial detention center?
Hacker:
Yes.
The result.
Pavlovich:
Well, you see. A year is not a term, two is a lesson, yes, three is nothing, five is cool, as we used to say. Okay, thank you very much for the story, guys, don't get carried away with crime, you won't find any software like that, and you won't earn 90 million either, because now there is a huge queue at the ATMs and they are constantly under surveillance, and there is always someone hanging around there day and night, so just leave even these thoughts aside and do a legal business. Hugs, bye.
Sergey Pavlovich talked to a masked man who hacks ATMs. He told us how he came to this, how it is done, how much ATM hacking software costs, which banks have the most secure ATMs, and what the prison term is for this.
Contents:
- How did you get into this and how long ago?
- What version of Windows do ATMs run on?
- How to work with video cameras
- How long does it take for the task force to arrive?
- Which ATMs do they work on?
- Are they afraid of people passing by?
- ATM sensors
- Which bank best secures its ATMs?
- "The best terminals are at T-Bank"
- How much was taken out from one ATM?
- What are the risks?
- What is software?
- How much can an ATM dispense at a time?
- How the task force operates
- Who makes this software?
- Why don't they set passwords in the ATM system?
- "You can do anything with an ATM at night"
- Cost of software and its availability on the market
- How do software vendors know how much money you withdrew from an ATM?
- How many ATMs can you empty in 5 months?
- Why can you work in one city for no more than 4 days?
- Why are such arrests not publicized?
- How long does the software work?
- Where is it safer to work: in the CIS or Europe?
- How many such groups are there in the CIS?
- How many ATMs did his group empty?
- Why did you leave this?
- What knowledge and skills are needed for such work?
- How does the police work to investigate such crimes?
- Do they track banknotes by numbers?
- Camouflage methods
- What happens after arrest?
- Summary
How did you get into this and how long ago?
Pavlovich:
Hello, friends. Today we will talk about how ATMs are emptied. Nowadays, this is becoming especially relevant, but as always, we are not calling for anything. Let's talk about ATMs. Why ATMs? How did you get into this, that is, the ATM topic, and how long ago?
Hacker:
Hello. Actually, it all started back in 2013, when we were young and had no ideas what to do at all. We just scoured the Internet. The first thing we came across was carding. But we had physical carding. These were fake keyboards, a separate mouth, checkers and everything else. And then a machine was purchased, that is, we made our own cards.
That's basically how we got acquainted with terminals. Well, this topic did not live long, because a couple is not particularly interesting to work with. And a lot of money is spent on material, a lot. Well, plus the legislation itself is such that it is not always convenient to implement all this.
Pavlovich:
So you installed skimmers on ATMs or what?
Hacker:
Yes, skimmers. Keyboard, mouth, video camera. What is a mouth? A mouth is an overlay on the slot where the card is inserted.
Pavlovich:
Ah, well, in our language it was always just called a skimmer, and that's it.
Hacker:
Well, we called it a mouth.
Pavlovich:
You mean mouth like a person's mouth, right? Is that an analogy?
Hacker:
Yes. It's just that's where such names came from. And then, if you know, there appeared on the Internet, there is an Exploit Forum, there was a section called "Work on ATM". And it was interesting what kind of work this was. A continuation of this topic or something new? It turned out to be something completely different and something new. Simply, if I explain it in a nutshell, this is the withdrawal of funds from the ATM itself via USB.
Each ATM has its own USB ports. They are not in very protected places on some models. This is the top part of the ATM, where the advertising is used. They always write either T-Bank or... It doesn't matter, any ATM. The top stuffing panel is held on only by simple clips. You unclip it, and you have... If we take, for example, WinCore S2000, a terminal like that, then there is a hole on the right side, and right next to this hole are USB ports.
If we take NCR, which Sberbank really likes, their false panel does not unclip well, so this method was invented. A screwdriver was taken, a wood crown was attached to it and a hole was simply drilled, and right behind the hole there are ports. You insert a USB hub into them, in the USB hub you have an adapter for a wireless keyboard and a flash drive with two programs.
You connect, go to my computer and launch your program. That's it. And he gives you all this personality.
What version of Windows do ATMs run on?
Pavlovich:
But, as I recall, from the past, ATMs were on Windows, right? What Windows are they on now?
Hacker:
In general, if you take Sberbank, it has the worst hardware possible. When I encountered this, at first I didn’t even believe that this bank uses such things. Firstly, very old computers with minimal RAM, which is why it works for a very long time. And they all have Windows 7. Pirated Windows 7. Everywhere.
Pavlovich:
Windows 7, right?
Hacker:
Yes, Windows 7, yes. The most common.
Pavlovich:
But you get access to these ports, that is, your task, essentially as a legal technician who services the ATM, is to connect to the USB port there, which
your legal technical specialists use to set up and debug this ATM, right?
Hacker:
Yes, everything is correct.
Like they work with video cameras.
Pavlovich:
Okay, but here the question immediately arises: video cameras, that is, video cameras that are built in it, somewhere on the street, on neighboring buildings, and so on, can detect all your manipulations?
Hacker:
Of course, yes. It is all visible. In general, the procedure itself happens very quickly. In about forty minutes you completely empty it. Preparation takes you more time. First, you need to make several escape routes, as well as approach routes. See what video cameras there are and at what range of the zone they, first of all, hit. Well, the range of the zone, I mean how much longer they will track your path along your escape route.
Plus you also need to understand what cameras you have inside the terminal. These are always self-service zones that work around the clock, because it is unrealistic to work during the daytime due to traffic. That's why only at night. Everything is checked very trivially and simply. You come, tape over the camera, leave and wait to see if someone comes or not. If they have online surveillance and someone is always at the control panel, they will definitely come.
But, as practice has shown, in 99% of cases all cameras work simply for recording. And nothing works in real time.
Pavlovich:
Do they work at all? Because in my time I read statistics, in my opinion, 2 thirds of cameras in Belarusian ATMs, they simply did not work, were turned off.
Hacker:
They do not work in terminals. First of all, how they work, I will explain to you how they work. There is a hard drive, a separate storage device for video memory. And it sometimes writes it, sometimes it does not. I do not know what algorithms they have written there. But, let's say, what we encountered when the terminal was later checked by employees, there was simply no video recording from the terminal itself. There was a video recording of people entering the branch, taping over the camera.
Well, that's when you've already prepared the place, done everything, they went in, taped up the camera and that's it, and then it's dark. And who's doing what, it's not clear, and the camera itself didn't even write anything on the terminal. This algorithm, it seems to me, is simply the technicians' own miscalculation, well, because they're negligent. That is, they don't monitor it at all.
How long does it take for the task force to arrive?
Pavlovich:
And how long do you wait, for example, to tape up the camera, how long do you wait for them to arrive, and they won't arrive?
Hacker:
The average time for the task force to arrive, according to their algorithm, is about five minutes. Well, as usual, you wait about half an hour to be 100% sure that no one else will arrive. So, you wait, go in, unstick it and leave. Already at the moment when you go to work, you already know that they won't arrive.
There is, of course, a risk that someone might get in, so to speak, unlucky.
What ATMs do they work on?
Pavlovich:
So, as I understand it, these are not ATMs standing on the street, but somewhere in a small nook, that is, you go into some booth in the building, into the changing room, figuratively speaking, and there is an ATM there.
Hacker:
It all depends on the model. If you have a suitable model standing outside, just built into the wall. You work on the street. If it is in the self-service zone, like in a small changing room, then there are no questions. You work there.
Are they afraid of people passing by?
Pavlovich:
But you say 40 minutes, this is a fairly long period of time and people will come up, other clients can catch your manipulations there. Do you need to change into technician clothes?
Hacker:
We personally did not do this, because when preparing, you inspect the place in advance for 2-3 days and you already understand what day of the week it is, what the traffic is. That is, yes, there is a risk that someone, so to speak, a fly-by will be passing by, but as practice has shown, at night, on weekdays, no one goes there, absolutely not even taxis drive by very rarely.
ATM sensors.
Pavlovich:
Another problem is the shock sensor.
Hacker:
I will explain how the ATM is generally equipped. Just a bare ATM, which the company itself buys, let's take Wincor C2000, it costs about a million rubles. Just a bare ATM, there are 4 dispensers inside. A dispenser is a cassette. Each cassette with a capacity of 1000 bills is a monitor, a cash register, oh, there is a cash receipt printer. That's all. That's all there is. Well, and, of course, a safe part.
All the rest are sensors, a temperature sensor, a shock sensor, a vibration sensor, and it turns out there is even a sound sensor, if there are extraneous sounds inside. This is all the attachments. And it is all purchased separately. And that is, if, for example, the same Vinkor S-2000 is fully equipped, it will cost about 4 million rubles. And not every bank is ready, let's say, to take 300 models at such a price into its line.
Therefore, they take them at the lowest price, and there are no sensors, nothing, in most cases. There is not even paint in the cassettes.
Pavlovich:
Well, now receipt tapes are running out in Russia, that is, the sanctions are doing their job and today I already read that the receipt tape has increased by 3.6 times, that is, it will soon be in ATMs too.
Hacker:
Yes-yes-yes.
Pavlovich:
And soon there won't be any ATMs, there will be old ladies, yes, cashiers, and they will figuratively hire pensioners there and they will stand there and give out cash at the branch, because why buy ATMs? Okay, there is even a reason, who will sell them with such body movements. So you want to say that sensors, in short, are nothing, they practically don't install additional ones, right?
Hacker:
In most cases, no.
Which bank protects its ATMs the best?
Pavlovich:
Yes, I get it. And which bank is the most serious about additional equipment, about all kinds of attachments to its ATMs?
Hacker:
If in Russia, I met such a bank, it's called OTP. I don't know if it's still alive at the moment.
Pavlovich:
It's Hungary, I think.
Hacker:
I think so, I won't lie. That is, OTP, first of all, even the entrance to the branch is not just a magnetic strip, this one, which you can either swipe with a Pyaterochka discount card, or a bank card will let you inside the premises. There is such an interesting system, it turns out, of entry. You insert a bank card. And after inserting only a bank card, your door opens. Because, it turns out, there is a reader there, configured for the chip that is installed on the card.
Only after that they let you in.
Pavlovich:
Do you enter there specifically with a card of only this bank or with any bank card?
Hacker:
With any bank card. But it is configured specifically for a bank card. Plus they have online surveillance at all points, everywhere. And the arrival of the task forces in a very short time, there about five minutes the group immediately arrives.
Pavlovich:
Got it. OTP, foreign bank, and what other ones?
Hacker:
Well, all the others that we encountered. Alfa, Gazprom, VTB, Bank of Moscow, Eurobank. There was no such security anywhere. This is the only bank that I encountered with such security.
"T-Bank has the best terminals."
Pavlovich:
How does T-Bank behave?
Hacker:
Do you mean T-Bank? It behaves wonderfully. It has the best terminals.
Pavlovich:
Do you mean the highest quality or what?
Hacker:
They are high-quality terminals, yes. The USB ports are on the back, you can't get to them. You'd have to unscrew half the car to get to them.
Pavlovich:
So, in short, T-Bank doesn't skimp on security, right?
Hacker:
They don't skimp, yes. Their terminals are very expensive and very high quality.
Pavlovich:
I understand. That is, you're not afraid of the motion sensor, essentially, the noise sensor, and so on.
Hacker:
Yes, because you see, firstly, you have no mechanical impact, you don’t move anything, you don’t break anything, unfastening the top panel is easy and there is no noise.
Pavlovich:
But you say with a screwdriver anyway, if Sber needs to be drilled with a screwdriver, it’s sound and vibration.
Hacker:
There is sound and vibration, yes, but Sber doesn’t have sensors. Especially in branches. I’ve noticed that. Let’s say a bank branch is large. A large branch where different clients are served. They have fully equipped ATMs there and everything is safe. But if some branch is a self-service area that simply stands separately and works 24 hours, there is no security at all. Although it should
be the other way around. But who would go to work in the city center? They’ll always go to work on the outskirts. And their outskirts are not protected at all. That was a surprise to me too. I didn’t think that a company with that kind of money could save so much on its security.
How much was taken out from one ATM?
Pavlovich:
In terms of income, you say, how much 4 dispensers for 1000 bills?
Hacker:
For 1000 bills, yes.
Pavlovich:
4 dispensers. One will be currency, for example, if a normal ATM is multi-currency, one there are dollars, one euro and the rest in rubles, two cassettes, for example.
Hacker:
Yes, that's how it happens, but full fillings can be caught on certain dates, for example, if all budget organizations have an advance of 24, for example, and a salary of 10, during this period of time the terminals will be fully loaded, this has already been checked for collection, that is, how they move, how they load. Now 100% will be shot down.
You need to catch this separately, take a point and watch it, how it is loaded and how much is withdrawn from it, in principle, the throughput of people.
Pavlovich:
The big jackpot that you and your gang managed to hit there, let's say.
Hacker:
17 million at a time.
What are the risks?
Pavlovich:
17 million rubles, okay, that's clear, and I think the guys themselves understand the risks, they are risks in principle, in any case, someone can drive by you at the PPS, a concerned citizen can hand you over, some fingerprints can remain, a hair will fall, essentially, and there is your DNA, well, there are some risks, if you get caught on camera, you will be identified. What is the optimal composition of the participants, let's say, of your group? Someone needs to observe, someone needs to cover the rear, etc., etc.
And someone needs to be able to use software and even a screwdriver.
Hacker:
Three people. One is on the street, chooses the most optimal point. Firstly, the place is chosen so that it can be viewed from all sides from one point. If you are on the street, let's say, standing in the dark where there are bushes, and so that you can see the street from all sides, so that you can...
Naturally, you use only radios, and you also need one participant inside with you to help collect cash.
Pavlovich:
Well, it's like, it's like at an intersection, that you can see there in three directions, let's say.
Hacker:
Yes.
What is the software?
Pavlovich:
Okay, for collecting cash, this is already more interesting. What is the software? That is, you connect and drive some software into the flash drive?
Hacker:
You don't even download it to your computer, you run it directly from the flash drive. There are two programs, very simple to the point of banality, but made, so to speak, ingeniously. The first program shows how much you have and in which cassette the cash is. And the second program is already directly involved in unloading. Let me explain the point. You can unload one bill at a time, or you can press the checkpoint for dispensing all the cash at once.
Well, that is, it will unload the maximum amount at a time from you, as much as it fits into the dispensing slot, it turns out, into the bill acceptor for dispensing, that is how much it will give out to you. That is, if 60 bills fit, it will give out 60. If 100 fit, it will give out 100 bills at a time.
How much can an ATM give out at a time?
Pavlovich:
And how much on average? I just don’t usually withdraw in such bundles, I have 20-40 bills there maximum. How wide is this dispensing window usually?
Hacker:
Well, about 2-3 centimeters, because, for example, 100 bills is about a centimeter. That is, 100 bills is the maximum that, for example, Wincor C2000 can give out. It physically won’t be able to just take more. 100 bills? That’s it. Yes, at once. And the essence of the software is that it controls only the mechanics. It controls the auger that moves into the dispenser, into the safe part, and back.
It doesn't get into anyone's head. Absolutely. It's invisible, and no one understands what happened. And after you completely unload it, all the counters remain in place, as they were. That is, if you had, say, 100 there, then that's how it remained.
Pavlovich:
And the money is physically no longer there.
Hacker:
Yes, and the only way to find out that it's not there is through collection. So that they come, open the safe part, take out the cassettes and see that there really is no money there.
How the task force operates.
Pavlovich:
Well, they come, take out the cassettes, make sure that there are none. And then what? How do they understand that they have essentially been robbed?
Hacker:
They start looking first in their own database, how much was issued, over what period of time. They look to see if there were any glitches. When they understand that there were no glitches, well, of course, they immediately look at the video cameras. When they understand that they had no failures, and the video cameras went out at one fine moment at a certain amount, let's say, at 7 million, and after that people started to contact them that the terminal does not give out cash, they understand that they were robbed.
Pavlovich:
Previously, the software, which is just, I just caught those times, when such software for USB access was only written there. And there was a slightly different software, the operating principle was that it, apparently, climbed specifically into the brains, specifically into the device settings, and it modified them so that it simply reconfigured quickly, you left with the equipment already, and that's it, the ATM is reconfigured, and you
Hacker:
To be honest, I have never encountered such software. And how much I communicated with technicians who supply the software, I asked them a similar question. They say that there are certain libraries there, in which the operating algorithms are recorded. And to do exactly this so that there are no problems. This is how you describe this method. It is very difficult technically without physical access to the mechanics. That is, to set up some algorithms specifically in the library, because it works according to some specific cycles.
Who makes this software?
Pavlovich:
I understand. The cost of the software and who actually produces and sells it?
Hacker:
It is produced and sold by those who have access to the factory equipment, for example, to the assembly line of a particular terminal model. Because without it, you will not know how to take the mechanics, or rather, how the mechanics work, that's one. And, well, you simply cannot take the terminal for yourself, no one will sell it to you. This is needed by the company that purchases the terminal. And all the software comes from those people who have access.
Why don't they set passwords in the ATM system?
Pavlovich:
But then why not, let's say, block... Well, I understand that you can't block it from external connections, because the technician won't be able to come and reconfigure it, I understand that, but setting some passwords, you know, figuratively, for connecting a flash drive, something like that, is technical.
Hacker:
I understand your question and I simply don't have a physical answer to it because of all the terminals I've seen, none of them even had passwords for logging into Windows.
Pavlovich:
That is, a password for logging into Windows would have created a certain obstacle for you in this case.
Hacker:
No, it wouldn't. We would have simply rebooted and turned on our virtual machine, and logged in from there, and that's it.
Pavlovich:
But it would still have taken 5 minutes more.
"You can do anything with an ATM at night."
Hacker:
Of course, it would have taken time, yes. But it wouldn't create a serious problem. I can tell you that from my experience. At night, you can do whatever you want with it, with this terminal, from 12 o'clock on weekdays until 3 o'clock. Dance there, whatever. Nobody comes. Even random users withdraw money there. Well, because you yourself select the places where there is little traffic.
The cost of the software and its availability on the market.
Pavlovich:
The cost of the software and its availability on the market and, in general, manuals on how to do it?
Hacker:
The cost. First of all, when it first comes out, the guys who released it start using it. Well, and, of course, their inner circle. While the topic has not yet been used, they work it out by gender. If you have some kind of contact or friendly communication with them, of course, you will also get it. Either you will give it for a certain percentage of the work, well, or one-time. If one-time, in my case it is a million rubles.
Pavlovich:
For one ATM model, right?
Hacker:
For one, yes. Just one model. If by percentage, then 70 to 30. 70 is yours, 30 you give.
How do software sellers know how much money you withdrew from an ATM?
Pavlovich:
But they don’t know how much money you withdrew from it. When we gave out cards with PIN codes to our dropships and made them run around ATMs, we never knew how much they would withdraw. And I think that half of them, in fact, stole our money.
Hacker:
But here’s an interesting point. When you launch the software, you have a little window in the corner. Next to this window is a certain code. You enter this code into a special program, you also have it with you, and it generates the second half for you. So, when you buy the software completely in your hands, they give you this little generator that generates these passwords, and they give you the second part of the passwords.
And when you work on a percentage, you contact a person, tell him the code, well, telegram or any other messenger, he sends you the second half, and you withdraw. And when you connect, when you enter the code, he sees through his software how much cash there was.
Pavlovich:
Well, there are cases when you did not have time to withdraw everything, someone scared you off, for example, or something else.
Hacker:
This is already about trust. That is, how much you withdrew, that much you withdrew, yes. That is, already if you work, well, that is, I had a situation here. The guys worked with a person for about five months, and there was trust, so no one even deceived each other.
Pavlovich:
Got it. Well, especially if you deceive and lose your job, in fact.
Hacker:
Yes, what's the point? If you have access to a good program, constant updates and support. Well, why? To lose these connections for the sake of some extra million? Well, personally, I don't see the point in this.
How many ATMs can you empty in 5 months?
Pavlovich:
Well, you said they work for 5 months, that's long enough. How many ATMs can a group of those who work on ATMs, using this scheme with this USB software, empty in 5 months?
Hacker:
It all depends on the group. What their goals are and how enthusiastic and resourceful they are, firstly, in choosing locations. If you, for example, enter a city, well, let's take Moscow. In Moscow, you can work a maximum of 3-4 days. How many terminals you can go through per night, that's only within your power.
That is, it takes you about 50 minutes per terminal, roughly speaking. Well, that is, you can easily do 3 per night, in my personal experience. Really easy. When you already have experience, the size of 3 terminals is easy. Just multiply in a week. 5 by 3 = 15 terminals.
Why can't you work in one city for more than 4 days?
Pavlovich:
And you said that you can work in Moscow for 3-4 days. What is this connected with?
Hacker:
This is connected with the fact that a rumor will spread very widely among the banks that there is some kind of unclear group in the city that is withdrawing money in a very unclear way. And they will start taking measures. Let's say that Sberbank did this, they simply started closing their branches after 12. With a key. That's it. They did this until they figured out what was going on.
Why aren't such arrests advertised?
Pavlovich:
But arrests of this kind are not frequent, as far as I can follow in the media. More often than not, the media reports that an ATM was cut with an oxyacetylene torch, blown up, or torn out. Why not often? Are such gangs not often caught, or do the banks prefer to remain silent, or what is the reason in general?
Hacker:
First of all, yes, the last thing you said, banks prefer to keep quiet. Very much so, because it hits their reputation. And no one wants to keep money with them later. When it was physically hidden, it is understandable, everyone understands that these crazy bandits flew in with an oxyacetylene blowtorch and cut the ATM. But when there were no signs of a break-in and there was no money there, then people begin to understand that there is no point in trusting this bank.
Because some guys came, inserted wires and took all the money. That is, their money is no longer safe. And the second point. Very few people have access to this software. Because the sellers themselves sell it very carefully. And so we had an agreement that the software would not leave our hands anywhere. That is, if we work, we took it for ourselves, then we work. If we stopped, then we forgot about it and do not give it to anyone.
Because the topic begins to die very quickly.
How long does the software work?
Pavlovich:
Well, I understand. But how long does one software work? Because ATM manufacturers are constantly releasing some updates.
Hacker:
Let me tell you this. The software we worked with still works. The guys in Europe use it. Although it was released in 2017. It was simply updated, the operating algorithm remained the same.
Where is it safer to work: in the CIS or in Europe?
Pavlovich:
Is it safer to work in the CIS, in Russia, for example, or in Europe?
Hacker:
In Europe.
Pavlovich:
What is the reason?
Hacker:
Firstly, with the amount of funds you receive at a time. That's one. And secondly, their security is not as well developed, for example, as in Russia. In Russia, all the private security companies and video surveillance are more developed than in some European countries. Well, we don't take into account the super-developed ones, such as, for example, Switzerland, it's clear there. That's it.
And, for example, if Latvia, Lithuania, then this is a very good place where you can walk around the currency terminals.
How many such groups are there in the CIS?
Pavlovich:
Well, in your opinion, you are in the crowd, in your opinion, how many people or groups are there in total, right? Well, let's count by people, it is clear that he is not alone, he has assistants there. How many groups are involved in this in general? Well, in the world, it is probably difficult to say, because there are Romanians, Bulgarians and so on, who often engage in such schemes, but in the vast expanses of the CIS, how many people now own this software and gut ATMs?
Hacker:
At the time when we were engaged, I would say there were only three teams engaged in this, together with us, i.e. there were three of them, only three, who worked according to this scheme. At the present time, I think, even fewer.
How many ATMs has his group emptied?
Pavlovich:
Well, I don’t know, is this question appropriate, how many ATMs did you empty?
Hacker:
I can tell you the total amount, the total amount came out to, it turns out, over 90 million.
Pavlovich:
Well, of course, the exchange rate was different back then, the exchange rate was 65-70.
Hacker:
Of course, of course, the exchange rate was completely different.
Why did you leave it?
Pavlovich:
And why are you just talking about everything in the past, well, there are two points, the first is either for security reasons, that to say that I am doing this now is to attract anger and attention, yes, that is the first point. And the second, I admit that, maybe, there was enough money to leave it once and for all. But these crimes, like, the statute of limitations there is long, they can hold you accountable because of the old one.
Hacker:
Yes, for security reasons, we left it, because, you know, there are two types of people. Some do it because they like it. I have met such guys, they just like doing it. Here is some kind of action in their life, when they go on some similar adventures. We were from the category of those who needed a sum for certain actions. But where to get it quickly, at that time there was no way.
Therefore, we turned to this opportunity. As soon as the necessary amount was in hand, we closed this topic for ourselves.
What knowledge and skills are needed for such work?
Pavlovich:
What other knowledge is needed for such unnoticed successful work?
Hacker:
Firstly, you need good knowledge of the PC, so that you don't slow down on the spot if something happens, if it kicks you out or does not allow you to enter the root folders where the flash drive will be displayed for you, so that you can calmly bypass this. Plus you need knowledge of preparation, what you need to do before you go, so as not to leave any traces at all: no fingerprints, no hair, etc.
Studying the area - you must understand this. That is, if you do not know how to understand this, then you need to read and study about it. Plus invent new escape routes and approaches. And, in principle, a person should have, so to speak, a certain amount of ingenuity, because there is such a moment, let's say, you removed the false panel, and behind you, behind these holes, there is wiring.
And so many guys wrote when they encountered this, that damn, what to do with these wires. But when we encountered this, we solved the problem simply, because when you prepare, you take with you not only the required number of tools, you also take with you some others, just in case. For example, we understood that something could happen. Here are certain ordinary medical clamps. They are not long in themselves. We needed it long, because we understood that the hole, the port, or rather, behind the hole is about 30 centimeters.
And they are only about 20 centimeters there. That is, we will not physically reach the port. So what did we do? We took two sets, sawed one, welded handles to them. And when we came across these wires, we simply lifted the wires, and the wires are held on a certain frame with nylon ties. We cut these wires with a knife. Not the wires, but the ties. We lifted them and put them in our device.
These are the kinds of difficulties they always encounter.
How does the police work to investigate such crimes?
Pavlovich:
How does an ATM work? Was it robbed? The bank found out about it after the fact, for example. How do the bank's response team and the police work to investigate such crimes?
Hacker:
First, the bank's team starts, first of all, as soon as they found out about it, they immediately write a statement about the loss. To the police? To the police, yes. Why do they do this? So that if something happens to the insurance company, they have a statement attached stating that they immediately reported it as soon as they found out about it, so that it would be an insurance case. After that, they conduct, they begin to conduct an investigation with the police.
These are cameras, this is a survey, let's say, of people noticed in this before. Well, it goes as far as, a card index is raised, they call the object, who did what. And if there are leads, these are some remnants of some material, or someone was seen somewhere on cameras. They start to run it through, to search. But most often, it is their language that ruins people.
I have had so many cases, as far as I know, it was their language that ruined the teams. And not just that they messed up somewhere. Because this action itself is very careful. Firstly, the software does not leave a trace. And sometimes the bank finds out only after 3-4 days. Well, in 3-4 days you have the opportunity to go anywhere. And the police work itself, they never work too fast, unless they are special services, and you have time.
And when someone from the team starts to communicate somewhere, to tell something, it leads to the fact that it all ends. Well, and, of course, if someone suddenly got rich, this also raises questions.
Do they track banknotes by numbers?
Pavlovich:
And do they track banknotes or not? The banknotes are numbered, it is probably known which numbers were loaded there, which banknotes.
Hacker:
No, no bank in the world tracks banknotes for one simple reason. If they track these banknotes, they will not have enough memory capacity to remember it all. That's why they do not do it.
Camouflage methods.
Pavlovich:
Elementary camouflage methods, for example, when you go on a job, that is, I don’t know, a hood, a cap, some kind of false sidelocks, to pretend to be a Jew, glasses, something else, gloves.
Hacker:
Firstly, it is a complete change of clothes every time, starting from socks and ending with underwear, sneakers, good sports shoes so that you can run away in them, you should never skimp on this because you can get hurt somewhere in cheap shoes or they will simply be inconvenient for you to work, disposable clothing, a mask is a must, so that all your facial biometrics are completely hidden.
Pavlovich:
But you mean the mask like now for coronavirus, right? Like yours, like?
Hacker:
Well, it is better to have a complete mask so that neither your ears nor anything is visible, that is, not the cuts of the eyes. Biometrics, it works on the protrusions of the eyes, well, on the sockets of the eyes and so on. That is, well, all the mechanics of the face are read. And when you are in a full mask and, let's say, you also put on ski goggles on top, but it is very problematic to combine it, even if someone will combine it.
Pavlovich:
So what kind of mask? You mean like a special forces balaclava, right? This one or what?
Hacker:
Yes, yes, yes, a regular ski balaclava, or a special forces one, if you find it, that's it.
Pavlovich:
Yes, I understand. I have a ski one, if anything.
Hacker:
Might come in handy.
What happens after the arrest?
Pavlovich:
Yes, I don't know what will come in handy here now, but I know for sure what will come in handy: sugar, we bought it now, they will come in handy, we also bought it, and the best thing, the best thing, come by, is Coca-Cola, we also bought it now because today they are stopping all their production, and of course shampoo and washing powders, and what else is there, toothpaste, attachments for imported toothbrushes, I also bought them today because soon they will be gone. Okay, and what happens after the arrest?
Have you ever been arrested on the way, during the case, after the case? Well, if they arrested you after the case, we probably wouldn't be talking, because you would still be sitting.
Hacker:
Well, look, I'll explain the pricing policy to you, so to speak, what they give for this and how it happens. If, let's say, you go to work on your first day, for the first time, no one will come to detain you, because no one knows about you. Well, unless your friend told you all the help. If you work in the same city, let's say, for a week, well, you need to think about what's wrong with your head and where you went.
And when, if you come to the place, and an operational group arrives, and an operational group consisting of SOBR, in order to, let's say, order a SOBR capture group, documents are prepared for this. No one will physically do this in one day. These documents are prepared, a special report, their leader is sent, he forms a group, and the group leaves for the capture site. How many days it will stay at the capture site, this is determined by the operatives themselves. One, two, three, four.
That is, how they conducted their operational activities, how they monitored the team, this is already in their jurisdiction. And if you are detained, you are brought to the department. Well, there, of course, all the special effects begin. First, when you are detained, they will lift you up, film you on camera to show that you are alive and well. This is necessary for ... They have dots in the reports. They will ask you if there are any complaints about the detention, whether you were beaten. You, of course, will answer "no", but after that the camera turns off and the special effects begin.
Because SOBR are very evil people, they have very interesting stun guns. And they really like to mock those who are engaged in all sorts of incomprehensible actions like this. After short special effects on the street, they bring you to the department. In the department, they will immediately divide you all into different rooms and begin to put pressure on each one. After that, searches will begin in the places where you live, once they are identified.
Well, and after that, the temporary detention center and the pre-trial detention center. In the pretrial detention center, there will be their own events. What about punishment? Let's say we take the territory of the Russian Federation. This is 158, part 4. From 0 to 10 years. According to the new law introduced in 2018, someone who has no previous convictions, because 158 is a classification of light articles, is a crime not against the person.
Pavlovich:
This is theft, right?
Hacker:
Yes, this is theft, this is a crime not against the person, but simply against property. And according to the new law introduced, the day spent in the pretrial detention center before the verdict is counted as one and a half days. Well, that is, let's say, if you were convicted, given 5 years, our trials in Russia are very long, you sat in a pretrial detention center, let's say, 3 years and 4 months, then you will be released on the day of conviction, when you are convicted, some days before the sentence comes into force, and you will be released peacefully. That's what they give for this in terms of the terms that I know, they asked for no more than 5 years without a criminal record...
And I participated in special effects, from the side, so to speak. On whom special effects are tested. No, I speak from the side of the one on whom they are tested.
Pavlovich:
Ah, I thought SOBR.
Hacker:
No, SOBR would be normal. It would be interesting to work as SOBR, drive around all the terminals at night...
Yes, I agree. A year in a pretrial detention center and they let me go because they screwed up with the documents.
Pavlovich:
With what documents?
Hacker:
First of all, they let me go on sanction. They did not prepare documents for the sanction that I could abscond, put pressure on witnesses, etc. And they brought me on the last day of my term expiration themselves. Well, they discharged me for 2 months, and my 2 months were coming to an end, and on the last day they took me to court. And the judge did not see the documents and could not close her eyes to this, they let me go.
Naturally, this moment was free, the trials lasted a very long, long time, they went on, and, in general, the court decided to limit myself to the time served.
Pavlovich:
In a pretrial detention center?
Hacker:
Yes.
The result.
Pavlovich:
Well, you see. A year is not a term, two is a lesson, yes, three is nothing, five is cool, as we used to say. Okay, thank you very much for the story, guys, don't get carried away with crime, you won't find any software like that, and you won't earn 90 million either, because now there is a huge queue at the ATMs and they are constantly under surveillance, and there is always someone hanging around there day and night, so just leave even these thoughts aside and do a legal business. Hugs, bye.