Taiwan seeks Russian suspects in ATM malware heist

Taiwanese First Bank automated teller machines are seen suspended after T$70 million (S$2.9 million) was reported stolen in Taipei on July 13, 2016.

TAIPEI (REUTERS) - Taiwan investigators suspect two Russian nationals hacked into a major domestic bank's ATMs last weekend, using malware to withdraw more than US$2 million (S$2.7 million) from dozens of machines in the island's first recorded case of its kind.

Combining cybercrime with daylight robbery after a typhoon battered greater Taipei, the suspects may have used a cellphone to trigger 41 First Bank ATMs to dispense fat wads of bills, investigators said on Wednesday (July 13).

In each case, the still-at-large suspects took the money and left quickly, filmed on closed-circuit TV cameras.

As Taiwan officials continue to piece together how the crime was committed, the theft shows growing boldness in attacks on ATMs in Asia. In May, a gang stole US$13 million from Japanese ATMs in a three-hour, 14,000-withdrawal spree.

Since discovering the theft on Monday, a range of Taiwan's biggest state-run banks have frozen withdrawals from nearly 1,000 ATMs of the kind used in the heist, supplied by Germany's Wincor Nixdorf.

About 4 per cent of Taiwan's national ATM network of 27,200 machines is affected, leaving customers obliged to use other machines.

The Ministry of Justice's Investigation Bureau on Wednesday said two Russian suspects have been identified, but declined to disclose their names. It said it believed the pair left Taiwan early on Monday, and was still investigating whether a possible third one might have been involved.

"So far we think it could have been done remotely, such as via a cellphone, laptop or hacked First Bank staff PC," said Mr Lin Cheng-hsien, a spokesperson for the bureau.

First Bank reported NT$70 million (S$2.9 million) was stolen from its ATMs in hits that investigators said took place at various times during both daytime and nightfall.

Investigators have identified three different malware programs that were used to trigger withdrawals.

"After testing the malware, we confirmed hacked ATMs will dispense cash immediately according to the malware," the bureau said in a statement.

The raid on Wincor machines comes as its agreed 1.7 billion euro (S$2.53 billion) acquisition by US peer Diebold moves closer to its expected closure this summer, creating a global leader in ATMs with a market share of about 35 per cent.

Wincor said it had been informed about concerted attacks on its ATMs in Taiwan.

"Attacks follow a similar pattern, irrespective of their make or brand, and we as well as the banks are aware of them," a Wincor official in Germany told Reuters by email. "The details of the attack are being examined by the police, banks as well as experts from Wincor Nixdorf. To support the local teams we have sent security experts."

Officials of Taiwan's banking regulator, the Banking Bureau, declined to comment on the details of the incident, beyond saying First Bank will have to take the loss. It said, however, First Bank's users will not be affected and it will ask local banks to establish a monitoring system for their ATMs over the next month.

At least four major state-run financial institutions, including First Bank, Chang Hwa Bank, Taiwan Cooperative Bank and Chunghwa Post Co., suspended cash withdrawal services on their ATMs as a precaution.

They didn't say when the service would be restored, nor whether the suspension might affect their financial performance.