April 6, 2023

This is how $64 billion was stolen from ATMs around the world… and in 2 hours

Imagine you are a low-income employee in India who is offered a day’s work as an extra in a Bollywood movie. Your role? Go to an ATM and withdraw some money.

In 2018, several men in the state of Maharashtra thought they were accepting a supporting role in a film, but were actually being tricked into becoming “money mules”, collecting cash in an ambitious bank heist.

The assault took place over a weekend in August 2018 and targeted the Pune-based Cosmos Cooperative Bank.

On a quiet Saturday afternoon, staff at the bank’s head office suddenly received a series of alarming messages.

They were from the Visa payment card company in the United States, warning that thousands of requests for large cash withdrawals were being made at ATMs by people who appeared to be using Cosmos Bank cards.

But when the Cosmos team reviewed their own systems, they saw no abnormal transactions.

About half an hour later, just to be sure, they authorized Visa to stop all Cosmos bank card transactions. This delay proved extremely costly.

The next day, Visa shared the full list of suspicious transactions with Cosmos’ head office: around 12,000 separate withdrawals from different ATMs around the world.

The bank had lost almost US$14 million (more than 64,000 million pesos).

It was a daring crime characterized by its grand scale and meticulous timing.

The criminals had looted ATMs in 28 different countries, including the United States, the United Kingdom, the United Arab Emirates and Russia.

It all happened in the space of just two hours and 13 minutes: an extraordinarily well-organized global criminal mobilization.

Eventually, investigators would trace its origins back to a shadowy group of hackers who had carried out a succession of previous scams apparently ordered by North Korea.

But before getting a broader picture of the robbery, investigators from the Maharashtra cybercrime unit were shocked to see CCTV footage of dozens of men walking towards a series of ATMs, inserting bank cards and stuffing bills into bags.

“We were not aware of a money mule network like this,” says Inspector General Brijesh Singh, who led the investigation.

One criminal group had a manager who was monitoring ATM transactions in real time on a laptop, Singh says.

CCTV footage showed that every time a money mule tried to grab some cash, the manager would see him and slap him hard across the face.

Using security camera footage and mobile phone data from areas near ATMs, Indian investigators were able to arrest 18 suspects in the weeks after the heist.

Most are now in prison, awaiting trial.

Singh says that these men were not inveterate thieves. Among those arrested were a waiter, a driver and a shoemaker. Another had a pharmacy degree. “They were noble people,” he says.

Despite this, he believes that when the heist occurred, even the men recruited as “extras” knew what they were really doing.

But did they know who they were working for?

Investigators believe the secretive and isolated state of North Korea was behind the heist.

North Korea is one of the poorest nations in the world, but a significant part of its limited resources goes towards building nuclear weapons and ballistic missiles, an activity that is prohibited by the UN Security Council.

As a result, the UN has imposed onerous sanctions on the country, severely restricting its trade.

Since coming to power 11 years ago, North Korean leader Kim Jong Un has overseen an unprecedented campaign of weapons tests, including four nuclear tests and several provocative intercontinental missile test-launch attempts.

US authorities believe the North Korean government is using an elite group of hackers to break into banks and financial institutions around the world to steal the money it needs to keep its economy afloat and finance its weapons program.

The hackers, dubbed the Lazarus Group, are believed to belong to a unit run by North Korea’s powerful military intelligence agency, the General Reconnaissance Office.

Cybersecurity experts named the hackers after the Biblical figure of Lazarus, who returns from the dead, because once the group's malware enters a computer network, it is nearly impossible to remove.

The group first rose to international prominence when then-US President Barack Obama accused North Korea of hacking into Sony Pictures Entertainment’s computer network in 2014.

The FBI accused the hackers of carrying out the damaging cyberattack in retaliation for “The Interview,” a comedy film depicting the assassination of Kim Jong Un.

The Lazarus Group has since been accused of attempting to steal $1 billion from the central bank of Bangladesh in 2016 and launching the WannaCry cyberattack that attempted to blackmail organizations and individuals around the world, including the UK’s National Health Service.

North Korea strongly denies the existence of the Lazarus Group and all allegations of state-sponsored hacking.

But major security agencies say North Korea’s attacks are more advanced, brazen and more ambitious than ever.

To rob Cosmos Bank, the hackers used a technique known as “jackpotting,” so named because it makes an ATM spill its cash like a slot machine paying out.

The bank’s systems were initially compromised in the classic way: via a “phishing” email that was opened by an employee and infected the computer network with malware.

Once inside, the hackers tampered with the software known as the ATM switch, which relays each withdrawal request to the bank for approval.

With this, the hackers had the power to approve ATM withdrawals by their accomplices anywhere in the world.

The only thing they couldn’t change was the maximum amount for each withdrawal, so they needed a lot of cards and a lot of people on the ground.

In preparation for the heist, they worked with accomplices to create “cloned” ATM cards, using genuine bank account data to create duplicate cards that can be used at ATMs.
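The two signals a bank could have watched for here are the ones the article describes: approvals that the switch issued but that never reached the core banking ledger, and cloned cards being used in several countries within minutes. The following is an added illustration, not code from the article or from any bank; it assumes a simple comma-separated log format and uses constructed sample records.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real Cosmos Bank data): approvals the ATM
# switch reported, and the debits the core banking ledger actually recorded.
SWITCH_LOG = [
    "2018-08-11T15:02:10Z,card=4111****1001,country=US,amount=600",
    "2018-08-11T15:02:41Z,card=4111****1002,country=GB,amount=600",
    "2018-08-11T15:03:05Z,card=4111****1003,country=AE,amount=600",
    "2018-08-11T15:03:30Z,card=4111****1001,country=RU,amount=600",
    "2018-08-11T15:04:12Z,card=4111****1004,country=IN,amount=200",
]
CORE_LEDGER = [
    "2018-08-11T15:04:12Z,card=4111****1004,country=IN,amount=200",
]

def parse(line):
    """Turn one 'timestamp,key=value,...' record into a dict."""
    ts, *fields = line.split(",")
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    rec["amount"] = int(rec["amount"])
    return rec

def unreconciled(switch_log, core_ledger):
    """Approvals the switch emitted that never reached the core ledger.
    A switch answering on the bank's behalf produces exactly this gap:
    cash leaves the ATM, but no debit is posted to any account."""
    posted = {(r["ts"], r["card"], r["amount"]) for r in map(parse, core_ledger)}
    return [r for r in map(parse, switch_log)
            if (r["ts"], r["card"], r["amount"]) not in posted]

def impossible_travel(switch_log, window=timedelta(minutes=30)):
    """Cards approved in more than one country within `window`: a cloned
    card in use in two places at once. Returns {card: sorted countries}."""
    by_card = defaultdict(list)
    for r in map(parse, switch_log):
        by_card[r["card"]].append(r)
    hits = {}
    for card, recs in by_card.items():
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):
            seen = {r["country"] for r in recs[i:] if r["ts"] - first["ts"] <= window}
            if len(seen) > 1:
                hits[card] = sorted(seen)
                break
    return hits
```

Reconciling switch approvals against the ledger in near real time, rather than the next day, is what would have turned Visa's warning into an immediate block.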

British security company BAE Systems immediately suspected it was the work of the Lazarus Group.

It had been monitoring them for months and knew they were planning to attack an Indian bank. It just didn’t know which one.

“It would have been too much of a coincidence for it to be another criminal operation,” says BAE security researcher Adrian Nish.

The Lazarus Group is versatile and very ambitious, he adds. “Most criminal groups would probably be happy enough to get away with a couple of million and stop there.”

The logistics involved in the Cosmos heist are staggering. How did the hackers find accomplices in 28 countries, including many that North Korean citizens cannot legally visit?

US tech security researchers believe the Lazarus Group met a key enabler on the dark web, where there are entire forums dedicated to trading hacking skills and where criminals often sell support services.

In February 2018, a user calling himself Big Boss posted tips on how to conduct credit card fraud.

He also said he had the equipment to make cloned ATM cards and had access to a pool of money mules in the United States and Canada.

This was precisely the service the Lazarus Group needed for their attack on Cosmos Bank, and they began working with Big Boss.

We asked Mike DeBolt, director of intelligence at Intel 471, a technology security firm in the US, for more information on this accomplice.

DeBolt’s team discovered that Big Boss had been active for at least 14 years and had a series of aliases: G, Habibi, and Backwood.

Security detectives managed to link him to all of these usernames, as he used the same email address on different forums.

“Basically, he’s being lazy,” DeBolt says. “We see this quite often: actors change their aliases on a forum, but keep the same email address.”

In 2019, Big Boss was arrested in the United States and unmasked as Ghaleb Alaumary, a 36-year-old Canadian.

He pleaded guilty to crimes including laundering funds from alleged North Korean bank heists and was sentenced to 11 years and eight months.

North Korea has never admitted any involvement in the Cosmos Bank heist, or in any other hacking scheme.

The BBC put the allegations of involvement in the Cosmos attack to the North Korean embassy in London, but received no response.

However, when we previously contacted Ambassador Choe Il, he responded that allegations of North Korean state-sponsored hacking and money laundering are “a farce” and an attempt by the US to “tarnish the image of our state”.

In February 2021, the FBI, the US Secret Service, and the Department of Justice announced charges against three suspected Lazarus Group hackers: Jon Chang Hyok, Kim Il, and Park Jin Hyok, who they said work for North Korea’s military intelligence agency.

They are now believed to be back in Pyongyang.

US and South Korean authorities estimate that North Korea has as many as 7,000 trained hackers.

It is unlikely that all of them work from inside the country, where few people are permitted to use the internet, which makes user activity hard to hide. Instead, they are often sent abroad.

Ryu Hyeon Woo, a former North Korean diplomat and one of the most senior officials to have defected from the regime, provided insight into how the hackers operate abroad.

As of 2017, he was working at the North Korean embassy in Kuwait, helping to oversee the employment of some 10,000 North Koreans in the region.

At the time, many were working on construction sites across the Gulf and, like all North Korean workers, had to hand over the bulk of their wages to the regime.

He said his office received a daily call from a North Korean minder overseeing 19 hackers living and working in cramped quarters in Dubai.

“That’s really all they need: a computer that’s connected to the internet,” he said.

North Korea denies sending hackers abroad, saying it sends only IT workers with valid visas.

But Ryu’s description fits the FBI’s allegations about how these cyber units operate from bedrooms around the world.

In September 2017, the UN Security Council imposed the toughest sanctions yet on North Korea, limiting fuel imports, further restricting exports and requiring UN member states to repatriate North Korean workers by December 2019.

However, the hackers still appear to be active. They are now targeting cryptocurrency companies and are estimated to have stolen close to $3.2 billion.

US authorities have called them “the world’s leading bank robbers”, who use “keyboards instead of weapons”.
