The business models behind ATM malware empires

Sophisticated criminal operations have strategic vision and perhaps even insider help.
(Gety Images)

The criminal gangs behind the world’s most successful ATM malware attacks run their million-dollar empires like cutthroat business executives, according to newly published research from the European Union law enforcement agency Europol and the cybersecurity firm Trend Micro.

In the last decade, organized crime groups originating mostly from two hotspots, Latin America and Eastern Europe, have waged an effective and evolving war against the cash-filled boxes that are the cornerstone of more than $10 billion in annual withdrawals, the researchers say.

Some syndicates hold onto their malware for exclusive use, while others resell to smaller gangs willing to do the physical legwork. A single weekend’s spree can result in thousands or millions of dollars in stolen cash.

Hackers execute physical and network-based attacks against ATMs to steal money from both banks and customers in campaigns that can take years to sniff out.


Analyzing a decade’s worth of ATM hacking, the researchers focused on business models that make ATM hacking so profitable.

Padpin’s gangs

Padpin, first discovered in 2014, is the malware behind “the theft of millions of dollars from ATMs across parts of Europe and Southeast Asia,” researchers from Trend Micro wrote.

The gang behind the malware sells the code to smaller gangs largely through dark web marketplaces accessible only through the anonymous Tor network. Resellers of Padpin, believed to originate in Eastern Europe, are exceptionally active and sell the code alongside thorough instruction manuals on how to gain access to an ATM’s innards and infect the machine.

Most ATM hacking over the last decade has required physical access. As banks try to physically secure their machines, hackers are increasingly turning to network-based attacks to gain access.


Ripper in the network

The Ripper malware group, which surfaced in 2016, represented a paradigm shift: Sophisticated attackers used the corporate network as entry into the ATM network, through which they installed the malware. Ripper, another Eastern European invention, doesn’t share or sell their code, as far as researchers can tell, and they don’t need to.

“This is the first of its kind to infect ATMs without the need to physically open the machines,” researchers wrote. “As banks and vendors start fortifying their ATMs against unauthorized physical access to the machines’ innards, we believe this is the tendency that criminals will continue with regard to ATM malware.”

The trick, of course, is to gain access to the corporate network in the first place. Ripper does this most effectively through phishing emails against bank employees who click on malicious links and open malicious executable attachments. Ripper stole at least a reported $13 million in 2016.

Ploutus brains


Ploutus, a Latin American contribution, represents perhaps one of the most advanced ATM malware families ever seen in the wild. There are two big differentiators when it comes to this particular criminal endeavor, which was discovered in 2013 when it was used to empty ATMs in Mexico.

First and foremost, this group is made up of experts.

“The knowledge shown in the code to properly implement all the different classes and methods to control the Dispenser suggests that the developers of the malware have either access to real ATMs during the development or they hired individuals with experience coding on these machines,” the cybersecurity firm FireEye assessed earlier this year.

Just as important, the developers behind Ploutus never rest. Just like a traditional software business, Ploutus is regularly updated with new versions making it a more potent weapon than before. The malware is currently on a version known as Ploutus.D, the fourth iteration, which gave the software a GUI facelift, allowed it to control Diebold ATMs, used a new code obfuscator, enhanced it to kill security monitoring processes and upgraded it to run on ATMs across a variety of Microsoft Windows operating systems versions  even though most ATMs across the world still run on Microsoft XP, which the company ceased to support in 2014.

“The new features being implemented suggest that the criminals know the situation of the ATMs and the bank’s particular configurations well and that their attacks are targeted operations,” Trend Micro’s researchers wrote.


Lke Ripper, Ploutus has been spotted being sold on dark net markets. Recent law enforcement action shut down some of the most popular and profitable markets but experts say there has been little if any impact on the ATM malware business.

“The tools related to ATM Malware are largely unaffected by such market takedowns,” Robert McArdle, director of cybercrime research for Trend Micro, told CyberScoop. “Unlike other malware toolkits, ATM malware kits are quite specific and not sold on the more open markets (such as AlphaBay) — but rather kept for use only by the original criminal groups, or traded in very limited access communities. ”

Experts say the hackers behind these malware gangs have two things in common: Strategic thoughtfulness and the promise of new attacks.

Latest Podcasts