Cybercriminals have developed and implemented malware designed to withdraw cash directly from ATMs without compromising consumers’ debit cards. The ATM malware allows criminals to identify the amount of money in each cash cassette and manipulate the machine to dispense it. Kaspersky Lab has identified infections in over 50 ATMs, mainly in Eastern Europe, but they have also been found in the United States and other countries.

ATM Threat

According to Securelist, a Kaspersky Lab forensic investigation identified a piece of ATM malware that allows criminals to attack ATMs directly. Through these direct attacks, criminals can empty the cash cassettes of ATMs produced by a specific manufacturer running 32-bit Microsoft Windows.

The ATM malware, called Tyupkin, has several features that help it avoid detection:

  • It is only active at specific times of the night on certain days of the week, typically Sunday and Monday.
  • It requires a key to be entered based on a random seed. The criminal must know the algorithm to enter the correct key based on the randomly displayed seed.
  • Tyupkin implements anti-debug and anti-emulation techniques.
  • The malware can disable McAfee Solidcore on the infected system.

This is considered to be a higher-level attack because it attacks the bank directly, bypassing the need for capturing consumer debit card data using skimming devices. Unlike skimming attacks, which only require access to the public space around a machine, the malware attack requires access to the back end of the ATM. The investigation revealed that only ATMs with no active security alarm were infected. Therefore, installing alarms and eliminating the use of master keys are two easy mitigating controls that can be implemented.

At ATMs where security alarms are installed, cybercriminals may seek a complicit insider at the bank, ATM vendor or security service vendor to install the malware. Additionally, bank personnel could be socially engineered to allow access to the machine by someone purporting to be associated with a vendor.
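
Because Tyupkin dispenses cash without any card transaction, one way to detect it is to reconcile cash leaving the dispenser against host-authorized withdrawals and to rank unexplained dispenses on Sunday and Monday nights highest. The following is an added example, not from Kaspersky Lab or the original article; the record layout, the 90-second matching window and the 00:00 to 04:59 night window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from any real ATM or vendor log format).
# Host-authorized withdrawals: (ATM id, ISO timestamp, amount).
AUTHORIZED = [
    ("ATM-01", "2014-10-04T14:02:10", 200),
    ("ATM-01", "2014-10-05T23:58:40", 100),
]
# Cash that actually left the dispenser, as recorded on the machine (assumed source).
DISPENSED = [
    ("ATM-01", "2014-10-04T14:02:25", 200),   # matches a card withdrawal
    ("ATM-01", "2014-10-05T23:58:55", 100),   # matches a card withdrawal
    ("ATM-01", "2014-10-06T02:13:07", 4000),  # no authorization, Monday night
    ("ATM-01", "2014-10-08T11:30:00", 60),    # no authorization, Wednesday midday
]

MATCH_WINDOW = timedelta(seconds=90)  # assumed max delay between auth and dispense
NIGHT_HOURS = range(0, 5)             # assumed night hours; the article gives none
WATCH_DAYS = {6, 0}                   # Sunday=6, Monday=0 in datetime.weekday()


def find_unauthorized_dispenses(authorized, dispensed):
    """Return dispense events with no matching authorization, highest risk first."""
    unused = [(atm, datetime.fromisoformat(ts), amt) for atm, ts, amt in authorized]
    findings = []
    for atm, ts, amt in dispensed:
        when = datetime.fromisoformat(ts)
        match = next((a for a in unused
                      if a[0] == atm and a[2] == amt
                      and timedelta(0) <= when - a[1] <= MATCH_WINDOW), None)
        if match:
            unused.remove(match)  # each authorization explains one dispense only
            continue
        in_window = when.weekday() in WATCH_DAYS and when.hour in NIGHT_HOURS
        findings.append({"atm": atm, "time": ts, "amount": amt,
                         "severity": "high" if in_window else "medium"})
    # Findings inside the Sunday/Monday night window sort first.
    return sorted(findings, key=lambda f: f["severity"] != "high")


if __name__ == "__main__":
    for finding in find_unauthorized_dispenses(AUTHORIZED, DISPENSED):
        print(finding)
```

Any unmatched dispense is worth investigating regardless of severity; the time window only sets the order of review.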

Suggested Actions Against ATM Malware

As has been discussed in previous intelligence bulletins, new fraud tactics are often introduced in Eastern Europe and migrate to the United States over a period of 12 to 18 months. This is precisely the theory in this particular case. It would behoove financial institutions and money service businesses to pay particular attention to this emerging threat and develop methodologies to counter the tactic before it arrives in the United States. offers detailed mitigation and prevention controls. We have highlighted a few of their recommendations:

General Advice

  • Review security around the ATM, including the general premises and the machine’s immediate surroundings.
  • Enhance security protocols with regular inspections to ensure that no devices have been attached.
  • Review access controls to guarantee inappropriate access is not granted to people posing as vendors.

Merchant Fill Sites

  • Only fill the ATM with sufficient cash for one day’s trading.
  • Only perform cash maintenance when the store is locked and no customers are present.

Cash-in-Transit Fill Sites

  • Review security around the machine, ensuring it is located in the most secure place in the shop.
  • Deter would-be robbers by installing signs that indicate the store’s staff does not have access to the ATM.
  • Only perform cash maintenance when the store is locked and no customers are present.
  • Internal machines should be sited well inside the premises, away from the shopfronts, ideally against a strongly built internal or perimeter wall that does not have vehicular access to its external face.
