Home News Stories 2009 November 2,100 ATMs Hit at Once
This is archived material from the Federal Bureau of Investigation (FBI) website. It may contain outdated information and links may no longer function.

2,100 ATMs Hit at Once

High-Tech Heist
2,100 ATMs Worldwide Hit at Once

ATM “Casher” Wanted by FBI Atlanta (2009)

This individual, one the suspected “cashers” at an ATM in the Atlanta area, is still at large.
Contact our office in Atlanta at (404) 679-9000 if you have any
information on him or the case.


It was a highly sophisticated and cleverly orchestrated crime plot. And one unlike any we’ve ever seen before.

It culminated a year ago this month—on November 8, 2008—when a wave of thieves fanned out across the globe nearly simultaneously. With cloned or stolen debit cards in hand—and the PINs to go with them—they hit more than 2,100 money machines in at least 280 cities on three continents, in such countries as the U.S., Canada, Italy, Hong Kong, Japan, Estonia, Russia, and the Ukraine.

When it was all over—incredibly within 12 hours—the thieves walked off with a total of more than $9 million in cash. And that figure would’ve been more had the targeted ATMs not been drained of all their money.

The alleged masterminds of this slick scheme—prosecutors charged earlier this month following an extensive FBI investigation assisted by other federal agencies and our partners around the globe—were three 20-something Eastern Europeans and an unnamed person called simply “Hacker 3.”

Working together, the four hackers cooked up “perhaps the most sophisticated and organized computer fraud attack ever conducted,” according to Acting U.S. Attorney Sally Quillian Yates of the Northern District of Georgia.

  • It started when a 28-year-old Moldovan man learned of a vulnerability in the computer network of a major credit card processing company based in Atlanta. With an eye toward exploiting it, he passed that information to a hacker living in Estonia.
  • The Estonian conducted “reconnaissance” on the network vulnerability and shared what he learned with a hacker in Russia.
  • With the help of the three other hackers at varying times, the Russian busted into the electronic network, reverse-engineered the PIN codes from the encrypted system, and raised the limits on the amount of money that could be withdrawn from the prepaid payroll debit cards. (These cards, used by many companies, enable employees to withdrawal their salaries from an ATM.)
  • In addition to providing computer support, Hacker 3 managed the network of thieves around the world—called “cashers”—who used a total of 44 counterfeit cards to withdrawal the $9 million. The Estonian also managed his own cashing group.
  • As the cashers went to work, the Russian took the lead in monitoring the victim company’s database to track the illegal withdrawals. With the Estonian, he later deleted or tried to delete files on the computer network to cover their tracks.
  • When the ATM thefts were complete, Hacker 3—with the help of the Estonian—gathered and divvied up the proceeds. The cashers got to keep 30 to 50 percent of the money they stole; the rest went to the four hackers.

Another wanted casher hits a convenience store in the Atlanta area

Another wanted casher hits a convenience store in the Atlanta area.

Fortunately, the company reported the breach immediately, and we quickly got to work. Our ensuing case was made with a great deal of international cooperation and even led to joint investigations overseas. Suspected cashers, for example, have also been identified and arrested in Estonia and Hong Kong.

The case is a testament to both the globalized nature of crime in today’s world and the international reach of the FBI, which depends more and more on a network of 61 overseas offices worldwide to protect the U.S. from a range of national security and criminal threats.

- FBI Cyber Division