Thai police seek Russian linked to ATM hacks

Investigators say suspect used malware to withdraw hundreds of thousands of dollars

BANGKOK • Thai police investigators yesterday said they were seeking a Russian man suspected of using malware to withdraw US$350,000 (S$477,300) from dozens of cash machines across the country.

Police earlier said a group of foreign hackers made off with around 12 million baht (S$472,600) by inserting cards installed with malware in at least 18 cash machines operated by the state-run Government Savings Bank (GSB) in July.

It follows similar attacks in Taiwan, which saw thieves withdraw more than US$2 million from First Bank ATMs, and is part of growing attacks on ATMs across Asia.

"We have a warrant for a 29-year-old man from Russia but from our investigations at least another two are involved," Thai Police General Panya Mamen said.

"He travelled from Beijing, China, and came to Thailand on July 14 and withdrew money from ATMs in Phuket and Bangkok, altogether in 18 locations, before flying out to Moscow."

The suspect, identified as Rustam Shambasov, was caught on surveillance video footage. He left Thailand on Aug 1 after the thefts.

Shambasov is one of several Eastern Europeans believed to have hacked the cash dispensing machines over a two-week period between July 15 and 30.

But police said after the July thefts that there had been an earlier spate of ATM hacks in March in the southern province of Phang Nga, possibly the work of the same group of hackers. GSB lost 4.5 million baht in the March incident.

The bank said customers' money was not affected by the thefts.

Those behind the heist stood for long periods at the ATMs, usually late at night, prompting police to ask Thais to watch out for strange behaviour by foreigners at such cash machines.

FireEye, a California-based cyber security company, said in a statement last Friday that it had detected a potentially new ATM malware sample that may be linked to the attacks in Thailand.

The malware, dubbed Ripper, interacts with the ATM by inserting a specially manufactured ATM card with a chip that serves as an authentication mechanism, the security firm said.

"We've identified a family of malware that may have been used in recent ATM robberies," said FireEye. "In addition to requiring technical sophistication, attacks such as that affecting the ATMs in Thailand require coordination of both the virtual and the physical. This speaks to the formidable nature of the thieves."

Thailand has long been a hub for local and foreign cyber criminals.


A version of this article appeared in the print edition of The Straits Times on September 01, 2016, with the headline 'Thai police seek Russian linked to ATM hacks'.