{
	"id": "ba222db4-5c92-41f2-979d-0f7cd333f8c0",
	"created_at": "2026-04-06T00:21:08.33659Z",
	"updated_at": "2026-04-10T03:21:16.611716Z",
	"deleted_at": null,
	"sha1_hash": "897580830a26e87e2d962294fd7bcad9c2b7def0",
	"title": "Latin American ATM Thieves Turning to Hacking",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 35165,
	"plain_text": "Latin American ATM Thieves Turning to Hacking\r\nBy Michael Mimoso\r\nPublished: 2017-10-05 · Archived: 2026-04-05 20:42:09 UTC\r\nThieves in Latin American countries are turning to Eastern European hackers to build ATM malware from scratch,\r\naccording to a Virus Bulletin talk by researchers at Kaspersky Lab.\r\nMADRID—ATM jackpotting is hardly a novelty act in Latin America where criminals are more than ever\r\nconnecting with hackers to figure out how to more efficiently steal money from an automated teller than, say, by\r\nusing a stick of dynamite.\r\nNo, it’s not uncommon to hear about thefts in Brazil, Mexico, Colombia, Peru and elsewhere that involve\r\nexplosives and a mangled ATM left in their wake. In fact, Kaspersky Lab researchers Fabio Assolini and Thiago\r\nMarques on Thursday at Virus Bulletin showed a couple of surveillance videos during a talk on the subject that\r\nshow criminals vandalizing machines, destroying them with dynamite and leaving behind sometimes more than\r\njust a charred ATM.\r\nBut that is changing.\r\nA quick tour through some underground forums, and you’re bound to find posts from Latin American criminals\r\nsoliciting help. Posts written in Portuguese and Spanish on Russian and Eastern European forums are looking for\r\npurpose-built ATM malware, and even ATM manuals in order to learn more about the inner workings of these cash\r\nboxes.\r\n“Eastern European hackers are leading the way in creating malware for ATMs, with Latin American hackers right\r\nbehind,” Assolini said.\r\nThey’re investing in, or learning how to write, ATM malware from scratch, the researchers said. Sometimes\r\nthey’re penetrating bank networks to conduct remote attacks, but more often than not, these attacks require\r\nphysical access to an ATM. 
That means, Assolini and Marques explained, loading malware from a USB stick, CDs\r\n(on older ATMs) or plugging in a USB keyboard in order to access the backend of one of these machines.\r\nOnce they’re on, criminals can dictate how much money they want to take from the machines, and don’t expect\r\nthem to hang around for a long while.\r\n“They want to jackpot ATMs quickly after infecting the machine or the network,” Assolini said, pointing out that\r\nthe criminals want a hasty exit in order to avoid detection.\r\nIn a paper released alongside their talk, Assolini and Marques write about longstanding business relations between\r\nEastern European and Latin American cybercriminals, mostly around cloned credit cards. ATM malware,\r\nmeanwhile, surfaced starting in 2008 with Skimer, which was able to either steal money or data from cards used at\r\nmachines. Kaspersky has also published reports on the Tyupkin ATM malware in 2014 and a year later published\r\nanother report demonstrating evidence of cooperation between Latin American criminals and the Eastern\r\nEuropean groups behind the Zeus and SpyEye banking Trojans.\r\n“The facts demonstrate that Latin American cybercriminals are adopting new techniques as a result of\r\ncollaboration with their Eastern European counterparts,” they wrote in the Virus Bulletin paper. “We believe this is\r\nonly the tip of the iceberg, as this kind of exchange tends to increase over the years as crime develops and\r\ncriminals look for ways to attack businesses and individuals.”\r\nThe researchers covered during today’s talk four malware families prevalent among ATM hackers: Ploutus, Prilex,\r\nGreen Dispenser and Ice5.\r\nPloutus, Marques said, has been on the scene since 2013 primarily infecting machines in Mexico, and has\r\naccounted for more than $64M USD in losses. 
Ploutus requires physical access via a USB or CD to deploy the\r\nmalware in order to steal the ATM ID used to activate and identify an ATM before cashing out. A variant of the\r\nmalware now interacts with a popular ATM platform called Kalignite, which runs on a number of machines made\r\nby different vendors including Diebold.\r\nOnce an attacker connects to the machine via keyboard, they can use the malware to generate an activation code\r\nand access funds stored inside the machine. Marques said the attackers aren’t shy about their work, leaving\r\nmessages in the code such as “Ploutus: Made in Latin America.”\r\nIce5 and Prilex are almost exclusive to Brazil and were developed in the country. Ice5 targets ATMs manufactured\r\nby NCR, while Prilex was a bit more complex and interacted with libraries from specific vendors, indicating\r\nparticular knowledge of the ATM and related network.\r\n“Once the malware is running, it has the capability to dispense money from the sockets using a special window\r\nthis is activated using a special key combination that is provided to the money mules by the criminals,” the\r\nresearchers wrote, adding that the malware also includes a component that steals strip data from cards that would\r\nbe collected later.\r\nSource: https://threatpost.com/latin-american-atm-thieves-turning-to-hacking/128289/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://threatpost.com/latin-american-atm-thieves-turning-to-hacking/128289/"
	],
	"report_names": [
		"128289"
	],
	"threat_actors": [],
	"ts_created_at": 1775434868,
	"ts_updated_at": 1775791276,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/897580830a26e87e2d962294fd7bcad9c2b7def0.pdf",
		"text": "https://archive.orkl.eu/897580830a26e87e2d962294fd7bcad9c2b7def0.txt",
		"img": "https://archive.orkl.eu/897580830a26e87e2d962294fd7bcad9c2b7def0.jpg"
	}
}