The United States Department of Justice (DOJ) has charged two men with bank fraud after they allegedly hacked ATMs, causing them to eject all their cash reserves like a Vegas slot machine. The attack, known as “jackpotting,” is usually carried out by perpetrators dressed as repair technicians who deploy malicious software and/or hardware, while others then exploit the hack to withdraw the cash on demand.
The two men, 31-year-old Spanish national Alex Alberto Fajin-Diaz and 21-year-old Argenys Rodriguez from Massachusetts, were arrested on January 27th. Investigators contacted police, who found Fajin-Diaz and Rodriguez near a compromised ATM that was dispensing $20 bills. When police searched the men’s vehicle, they found “tools and electronic devices consistent with items needed to compromise an ATM” as well as more than $9,000 in $20 bills. According to Ars Technica, an early investigation showed that the ATM dispensed as much as $50,000.
A report from security journalist Brian Krebs last week outlined a Secret Service alert going into more detail about how jackpotting works. Thieves posing as technicians use a medical endoscope to locate an internal section of the ATM where they can attach a cord to sync their laptop with the ATM’s computer. The ATM then displays an out-of-service notice and can be controlled remotely. The thieves can force the machine to dispense its cash, which is then collected by “money mules.” Standalone ATMs like those located in pharmacies and big-box retailers are most at risk.
A video from the Black Hat USA conference in 2010 simulates a jackpotting attack.
According to the DOJ, law enforcement agencies had been investigating the ATM attacks in Connecticut, Hamden, Guilford, and Rhode Island. Bank fraud carries a maximum prison sentence of 30 years.
Jackpotting has mostly occurred in Europe, Mexico, and Asia. But last week, the US Secret Service said ATMs across the US have lost more than $1 million from jackpotting, looted by a group of hackers likely tied to international crime syndicates. With this arrest, it’s clear that ATM manufacturers and shop owners need to increase their vigilance now that jackpotting has arrived in the US.