You know what's wonderful about ATMs? They stand on street corners, stuffed with cash, and are protected about as well as your mailbox. Inside them runs Windows — yes, the same Windows your grandmother uses to watch soap operas. And in 2014, a group of Eastern European geniuses looked at all this magnificence and said: "Why not?"

Prologue: The Man Who Taught ATMs to Scream "JACKPOT!"

But before we get to our heroes, we need to go back to 2010. At the Black Hat conference in Las Vegas, New Zealand researcher Barnaby Jack walked onto the stage with two ATMs. What happened next entered cybersecurity history under the name "jackpotting."

Jack connected to the first ATM remotely. The word "JACKPOT" appeared on screen, music started playing, and the machine began spitting out bills. The audience rose to their feet. The applause didn't stop for minutes.

He simply walked up to the second ATM, opened the front panel with a key purchased online for a couple of dollars (yes, one key fits thousands of machines — welcome to the world of corporate security), inserted a flash drive with malicious code — and voilà. Another waterfall of money.

Jack proved what banks preferred not to notice: ATMs are just computers with money inside. And they're protected about as well as a garden shed with a padlock.

Act One: Tyupkin Takes the Stage

Four years later, in March 2014, someone watched Jack's presentation very carefully. And decided to monetize the knowledge gained.

Kaspersky Lab specialists discovered a new type of malware they named Backdoor.MSIL.Tyupkin. The name isn't some complex acronym. "Tyupkin" is simply a Russian surname that the malware authors wrote into the code. Either out of a sense of humor or natural self-confidence.

And here's where it gets interesting.

How It Worked: A Masterclass for Villains

Step One: Physical Access

The criminals chose ATMs standing in poorly lit areas. Not in banks — that's too complicated. Supermarkets, shopping centers, gas stations. Places where security cameras are more of a formality than a real threat.

The main selection criterion is staggeringly simple: no alarm system. If the ATM screams when you try to open it — move on. If it stays silent — bingo.

Opening the top part of the case? Elementary. ATM manufacturers use standard locks with master keys. One key — thousands of machines. You can buy these keys online. Or just ask a friendly technician. Or even find them in the trash near a service center.

Step Two: A Bootable CD — Yes, in 2014

Inside an ATM is an ordinary computer. With a CD drive. In two thousand fourteen, when the whole world had already moved to flash drives and clouds, ATMs were still happily booting from compact discs.

The criminal inserted a CD with malicious code, rebooted the system, and the ATM transformed into an obedient puppet. The whole procedure took about three minutes. Roughly the same time it takes to withdraw cash with a card.

Tyupkin was written in .NET — it's like a safecracker using a lockpick made from LEGO. Not elegant, but it works.

Step Three: Genius in the Details

And here the Tyupkin authors showed they weren't just talented coders, but decent psychologists too.

Work schedule. The malware only accepted commands on Sundays and Mondays, and only at night. The rest of the week it slept, showing no activity whatsoever. Why? Because those are the hours when banks have minimal staff who might notice strange activity. And also because cash collection usually happens on other days — the cassettes are full.

Two-factor authentication. You couldn't just walk up to an infected ATM and start raking in money. The system generated a random eight-digit code. To get the session key, the operator had to call "the boss" — a person who knew the algorithm for generating the response code.

Why such complications? So that the "mules" (those who actually collected the money) couldn't work independently. The scheme organizers were protecting themselves from the betrayal and greed of their own foot soldiers.

Disabling antivirus. First thing, Tyupkin killed McAfee Solidcore — the standard antivirus for ATMs. How? Simply sent it a shutdown command. McAfee obediently turned off. No tricks, no hacking the protection — the antivirus allowed itself to be disabled if you asked nicely.

Cutting communications. Before dispensing money, the malware disconnected the ATM's network connection. Even if a vigilant administrator was sitting at the bank watching machines remotely, they couldn't do anything. Connection dropped, money dispensed, connection restored. By the time the bank realized something was wrong, the criminals were long gone.
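The three tricks above (a narrow activity window, the protection agent stopped on command, the network link cut just before dispensing) are also exactly what a bank's monitoring side can look for. The script below is an added example, not code from the original post or from any named vendor: it runs a simple correlation over a handful of constructed ATM monitoring events and flags a dispense that follows a protection-agent stop or a link drop, raising the score when the dispense happens without a card session or inside the Sunday/Monday night window the text describes. Event type names, field layout and the 15-minute window are assumptions made for the example.

```python
"""Correlation check for the Tyupkin-style pattern described above.

Added example with constructed sample events, not real ATM telemetry.
Event types ("service_stop", "link_down", "link_up", "dispense"), the
record layout and the time window are assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: (ISO timestamp, ATM id, event type, free-text detail)
SAMPLE_EVENTS = [
    ("2014-09-28T01:02:10", "ATM-0421", "service_stop", "application-control agent stopped"),
    ("2014-09-28T01:02:40", "ATM-0421", "link_down", "host monitoring heartbeat lost"),
    ("2014-09-28T01:04:05", "ATM-0421", "dispense", "40 notes, cassette 2, no card session"),
    ("2014-09-28T01:05:30", "ATM-0421", "dispense", "40 notes, cassette 2, no card session"),
    ("2014-09-28T01:07:00", "ATM-0421", "link_up", "heartbeat restored"),
    # Benign: an ordinary weekday withdrawal inside a card session
    ("2014-09-30T14:15:00", "ATM-0088", "dispense", "5 notes, cassette 1, card session"),
    # Benign: a maintenance reboot drops the link but nothing is dispensed
    ("2014-09-29T03:00:00", "ATM-0199", "link_down", "maintenance window"),
    ("2014-09-29T03:10:00", "ATM-0199", "link_up", "maintenance complete"),
]

# Sunday/Monday nights, the activity window described in the text
# (datetime.weekday(): Monday = 0 ... Sunday = 6)
QUIET_WINDOW_DAYS = {6, 0}
QUIET_HOURS = range(0, 6)
PRECURSORS = ("service_stop", "link_down")


def parse(events):
    """Convert raw tuples to (datetime, atm, event, detail), oldest first."""
    return sorted((datetime.fromisoformat(ts), atm, ev, detail)
                  for ts, atm, ev, detail in events)


def in_quiet_window(t):
    """True if t (datetime or ISO string) falls on a Sunday/Monday night."""
    if isinstance(t, str):
        t = datetime.fromisoformat(t)
    return t.weekday() in QUIET_WINDOW_DAYS and t.hour in QUIET_HOURS


def correlate(events, window=timedelta(minutes=15)):
    """Return one alert per dispense that is preceded, within `window`, by a
    protection-agent stop or a link drop on the same ATM. Extra indicators
    (no card session, quiet window) are appended to explain the alert."""
    per_atm = defaultdict(list)
    for rec in parse(events):
        per_atm[rec[1]].append(rec)

    alerts = []
    for atm, recs in per_atm.items():
        for t, _, ev, detail in recs:
            if ev != "dispense":
                continue
            indicators = set()
            for t2, _, ev2, _ in recs:
                if ev2 in PRECURSORS and t - window <= t2 <= t:
                    indicators.add(ev2)
            if not indicators:
                continue  # dispense with no tampering precursor: ignore
            if "no card session" in detail:
                indicators.add("no_card_session")
            if in_quiet_window(t):
                indicators.add("quiet_window")
            alerts.append({"atm": atm, "time": t.isoformat(),
                           "score": len(indicators),
                           "indicators": sorted(indicators)})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The maintenance reboot on ATM-0199 produces no alert because nothing is dispensed, and the weekday withdrawal on ATM-0088 has no precursor; only the two card-less dispenses on ATM-0421 surface, each carrying all four indicators. In a real deployment the precursor events would come from the host's service-control log and the central monitoring heartbeat, and the dispense events from the XFS or journal log on the ATM itself.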

Step Four: Harvesting

The operator walked up to the ATM, entered a special key sequence on the PIN pad:

  • 111111 — hide the malware interface (in case of curious passersby)
  • 222222 — show the interface
  • 333333 — self-destruct (in case of failure)
  • 555555 — extend activity time

After entering the correct session key, the ATM helpfully showed how much money was in each cassette and offered a choice of where to take from. 40 bills at a time — a hardware limitation, not programmer greed.

Scale of the Disaster

By October 2014, when Kaspersky published its report, Tyupkin had been discovered on more than 50 ATMs in Eastern Europe. But according to VirusTotal data, the geography of infections was much wider: USA, India, China, Israel, France, Malaysia.

In Malaysia, over three days in September 2014, about a million dollars was stolen from 18 ATMs.

Total damage? Nobody names exact figures. "Millions of dollars" is the most specific estimate from Kaspersky and Interpol.

Technical Section: For Those Who Want Details

Tyupkin used the MSXFS.dll library — a standard Windows interface for working with financial equipment, known as Extension for Financial Services (XFS). The problem is that Microsoft doesn't publish documentation for this library. It's proprietary and secret.

So where did the malware authors learn how to work with it?

Researchers from F-Secure discovered that the API calls in Tyupkin exactly matched the NCR APTRA XFS Programmer's Reference Manual — a technical guide from major ATM manufacturer NCR. This document had been "accidentally" leaked to a Chinese ebook file-sharing site.

That's how a PDF document leak led to multi-million dollar thefts around the world.

Finale: Romanian Dawn

In January 2016, Romanian police with Europol support arrested eight people connected to Tyupkin operations. The investigation showed that the gang coordinated with accomplices in Moldova who handled reconnaissance — looking for vulnerable ATMs in poorly protected areas.

Their method was simple to the point of genius:

  1. Find an NCR ATM not built into a bank wall
  2. Check for a CD drive (open the cover with a universal key)
  3. Make sure there's no alarm
  4. If there's a tamper sensor — cover it with duct tape (yes, seriously)
  5. Infect, leave, return at night for the money

From December 2014 to October 2015, the gang stole 200,000 euros from ATMs in Romania, Hungary, Czech Republic, Spain, and Russia. About $960 per operation, 40 bills at a time.

Not the biggest haul in cybercrime history. But not the smallest either for a group of eight people with a bootable CD and duct tape.

Moral of the Story

Tyupkin became a turning point in ATM security history. Before it, banks thought physical protection of an ATM was enough. After — an arms race began.

But you know what's most telling? The vulnerabilities that Tyupkin exploited existed for years. Windows XP. Standard locks. CD drives. Antivirus that could be disabled by command. All of this was known. All of this could have been fixed.

Barnaby Jack showed these problems at Black Hat in 2010. His presentation was watched by millions on YouTube. Banks nodded, agreed, promised to fix things.

Four years later, Tyupkin proved that promises remained just promises.

P.S. What Came After Tyupkin

Tyupkin was first, but far from last:

  • Ploutus (2013, Mexico) — text messages made ATMs dispense cash
  • GreenDispenser (2015, Mexico) — self-deleting malware
  • Suceful (2015) — captured customer cards and released them on command
  • Ripper (2016, Thailand) — used to steal 12 million baht
  • Cutlet Maker (2017) — sold as a service for $5,000

And Barnaby Jack? He died in July 2013 — a week before his Black Hat presentation where he was supposed to show how to hack pacemakers and kill someone remotely. He was 35 years old.

ATMs still run on Windows. Locks are still standard. And somewhere right now, someone is studying NCR documentation accidentally found on a Chinese file-sharing site.

Welcome to the world of financial security.

Sources

  • Kaspersky Lab, Securelist: "Tyupkin: Manipulating ATM Machines with Malware" (2014)
  • INTERPOL Global Alert (2014)
  • Europol, DIICOT: Press releases on arrests (2016)
  • F-Secure, Symantec: Technical analyses of PadPin/Tyupkin
  • Black Hat USA 2010: Barnaby Jack, "Jackpotting Automated Teller Machines"