Here's How The $14 Million Cosmos Bank ATM Heist Was Carried Out

On 11 August 2018, a massive “malware attack” was carried out on Cosmos Bank, one of the oldest Urban Co-operative Banks in India. In the heist, several cloned debit cards of the bank were used for thousands of ATM transactions from India and 28 other countries in seven hours. The logistics involved in the heist were staggering and the hackers made off with nearly $14 million as per the BBC.

What is the Lazarus Heist?

In 2018, a criminal group hired several men in the Indian state of Maharashtra to carry out a heist. The men who thought they were signing up for a minor role in a movie, were used as money mules for a hacker group located thousands of miles away.

The money mules were used to raid ATMs of Cosmos Co-operative Bank, which has its headquarters in Pune, Maharashtra. In the raid, thousands of ATM cash transactions were requested by the money mules at different locations.

While the bank staff was notified of the suspicious activity, it took them some time to inform the card payment company, Visa to block all transactions. This delay cost the bank massively as about 12,000 separate withdrawals from ATMs around the world had taken place.

The grand scale heist was carried out with meticulous synchronization in 28 different countries, including the U.S., the UK, the United Arab Emirates, and Russia. Investigators eventually traced the heist’s origins to a shadowy group of hackers called Lazarus, from North Korea.

Here’s how the 'Cosmos Heist' was carried out

As per the BBC report, the hackers used a technique called "jackpotting" to get the ATMs to spill cash. It is like hitting the jackpot on a slot machine. The hackers sent a phishing mail to infect the bank’s systems. As the mail was opened by an employee, it infected the computer network with malware.

Once the hackers were inside the bank’s system, they manipulated a software called the ATM switch, which sends messages to a bank to approve a cashpoint withdrawal.

With this, the hackers could allow ATM withdrawals from their accomplices anywhere in the world. However, they couldn’t change the maximum transaction limit so they needed a large number of fake debit cards and cash mules to carry out the heist.

They allegedly hired a person called Big Boss who had posted tips on the dark web on how to carry out credit card fraud. Big Boss claimed to have the equipment to make cloned ATM cards and had access to a group of money mules.

The group created "cloned" ATM cards using genuine bank account data and hired the money mules under disguise.

In 2019, Big Boss was arrested in the U.S. and he pleaded guilty to offenses including laundering funds from alleged North Korean bank heists. Meanwhile, North Korea has strongly denied the Lazarus Group’s existence and any involvement in the Cosmos Bank Heist. 

However, in 2021, the FBI, the Secret Service, and the Department of Justice announced charges against three suspected Lazarus Group hackers. Jon Chang Hyok, Kim Il, and Park Jin Hyok were accused of working with North Korea's military intelligence agency, back in Pyongyang.

Action against North Korea

The U.S. and South Korean authorities estimate that 7,000 trained hackers are working from North Korea. In September 2017, the UN Security Council imposed strict sanctions on North Korea, limiting fuel imports and exports. It also demanded UN member nations send North Korean workers home by December 2019.

Despite strong action, the hackers appear to be still active. The BBC reported that they are now targeting crypto companies and are estimated to have stolen around $3.2 billion.