How Taiwan Brought About the Downfall of an International Hacker
Two years ago, the theft of millions from hacked First Commercial Bank ATMs shocked Taiwan. Earlier this year, the ringleader of the cybercrime syndicate was finally arrested in Spain. It became known only after the case was solved that Taiwan played a crucial role in tracking down the international hacker ring that had infiltrated more than 100 banks around the globe, stealing about NT$36 billion.
By Yi-Shan Chen
Do you remember when, in the summer of 2016, 41 automatic teller machines at 22 First Commercial Bank branches automatically dispensed more than NT$80 million, in a cybercrime heist that looked like something out of a science fiction movie?
Two years later, the ringleader of the syndicate, Ukrainian national Denis K., whom international police described as a computer genius, was nabbed in Spain. According to investigations by European police, Denis hacked into more than 100 financial institutions in more than 40 countries, stealing more than 1 billion euros. Of all the countries targeted by the syndicate, Taiwan was the farthest from Europe.
How did the syndicate’s viruses travel as far as Taiwan? The story begins with a careless mistake.
How did the Virus Travel so Far?
Banks are legally required to keep recorded phone conversations for half a year. Before the recordings are deleted, the conversations must be listened to once more. The error happened when a bank employee at the London branch of First Commercial Bank used his infected personal computer to log into the call recording system. This small move was enough to let the virus use the call recording system as a springboard to infiltrate the bank’s main system. Once it connected to the main system, it began to circulate within the company’s intranet.
Liu Chia-ming, section chief with the Department of Cyber Security at the Investigation Bureau of the Ministry of Justice, notes that the hackers' approach was nothing out of the ordinary.
They used what is commonly known as social engineering. Posing as a legitimate company, they sent emails with malicious attachments to bank employees. If a recipient downloaded the attachment, the crime syndicate gained access to the infected computer, allowing them to remotely control the computer and its internet connection. That is how they invaded banks’ intranets and gained control of their ATMs.
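The two steps described above, an unmanaged personal computer logging into the call recording system and that system then being used as a springboard into the main network, are exactly the kind of events a bank's own logs can surface. The following is an added detection example, not code from the article or from First Commercial Bank; the log format, host names, inventory and timestamps are all constructed for illustration.

```python
"""Added example: flag the two hops of the intrusion path described above
over constructed authentication/connection log lines.

1. A login to the call-recording system from a host that is not in the
   managed-asset inventory (e.g. an employee's personal computer).
2. A connection from the call-recording system onward into core systems,
   the "springboard" hop into the bank's main network.

Every host name, log line and timestamp below is constructed; none comes
from the real case.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed inventory of managed corporate hosts (hypothetical names).
MANAGED_HOSTS = {"LDN-WS-017", "LDN-WS-023", "LDN-SRV-REC01"}

# Hypothetical role assignments for this example.
CALL_RECORDING = "LDN-SRV-REC01"
CORE_SYSTEMS = {"HQ-CORE-DB", "HQ-ATM-SWITCH"}

# Constructed sample log: "<timestamp> <src_host> -> <dst_host> <user>".
SAMPLE_LOG = """\
2016-07-05T09:12:03Z LDN-WS-017 -> LDN-SRV-REC01 alice
2016-07-05T09:40:51Z HOME-PC-JOHN -> LDN-SRV-REC01 john
2016-07-05T09:41:07Z LDN-SRV-REC01 -> HQ-CORE-DB svc_rec
2016-07-05T10:02:19Z LDN-WS-023 -> HQ-CORE-DB bob
"""

Alert = Tuple[str, str, str, str]  # (kind, timestamp, src, dst_or_user)


@dataclass
class Event:
    ts: str
    src: str
    dst: str
    user: str


def parse_line(line: str) -> Event:
    """Parse one constructed-format log line; reject malformed input loudly."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "->":
        raise ValueError(f"malformed log line: {line!r}")
    ts, src, _, dst, user = parts
    return Event(ts, src, dst, user)


def detect(lines: Iterable[str]) -> List[Alert]:
    """Return alerts for unmanaged logins to the recording system and for
    any connection from the recording system into a core system."""
    alerts: List[Alert] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        ev = parse_line(line)
        # Hop 1: a non-inventory device touching the call-recording system.
        if ev.dst == CALL_RECORDING and ev.src not in MANAGED_HOSTS:
            alerts.append(("unmanaged_login", ev.ts, ev.src, ev.user))
        # Hop 2: the recording system has no business reaching core hosts.
        if ev.src == CALL_RECORDING and ev.dst in CORE_SYSTEMS:
            alerts.append(("springboard_to_core", ev.ts, ev.src, ev.dst))
    return alerts


def chain_detected(alerts: List[Alert]) -> bool:
    """True when both hops of the springboard pattern appear in one batch."""
    kinds = {a[0] for a in alerts}
    return {"unmanaged_login", "springboard_to_core"} <= kinds


if __name__ == "__main__":
    found = detect(SAMPLE_LOG.splitlines())
    for alert in found:
        print(alert)
    print("full chain:", chain_detected(found))
```

Run on the constructed sample it raises one alert for the personal computer's login to the recording system and one for the recording system's onward connection to a core database; the managed workstation that connects to the same database is not flagged. The useful design point is the second rule: a call recording server is not a workstation, so an allow-list of which systems it may talk to is cheap to maintain and catches the springboard hop even when the initial device is not in any inventory at all.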
European police found out that the syndicate led by Denis had already been active for more than five years before their luck ran out with the Taiwan heist. They were able to run their scheme for such a long time because they were familiar with the unspoken rules of the financial industry to “forgive and forget” [in a bid to protect their reputation]. The criminals always stole an amount that was less than the amount that would have required the bank to report the theft to the competent authority in question. In Taiwan, the Financial Supervisory Commission also slapped First Commercial Bank with a fine of NT$10 million because the bank failed to react in a timely manner after the heist occurred.
However, what the European cybercrime ring failed to factor in was that, in densely populated Taiwan, hardly anything goes unnoticed. Before the bank reported the crime to police, attentive citizens who had observed apparent foreign nationals bagging large amounts of bills at ATMs had already reported it. Thanks to Taiwan’s dense network of street cameras, the comings and goings of the money mules could be traced.
After hotel registration records were checked thoroughly, the group of 19 mules was left with nowhere to run; one mule was even arrested while having a meal at a local eatery. Three of the syndicate members were caught in Taiwan, whereas the others were nabbed one after the other in the United States, Belarus and Britain.
Tracking Down Head of the Cash Mules
“The fact that Taiwan found Babii, the head of the money mule group, was crucial to the key suspect being netted this time,” says Lee Yen-lin, public prosecutor in charge of the First Commercial Bank heist case at the Taipei District Prosecutor’s Office. Due to his role in the First Commercial Bank case, Lee has been nominated for the Prosecutor of the Year Award, which is awarded annually by the International Association of Prosecutors.
Lee points out that Taiwanese investigators first caught a money mule when he tried to collect money from a locker at Taipei Main Station. The suspect’s mobile phone records then led investigators to Babii. Babii's job was to dispose of NT$60 million of the NT$80 million haul. Due to Taiwan’s diplomatic isolation, investigators were forced to ask Japan for help to put Babii on the list of internationally wanted criminals.
One year later, Babii was caught in Belarus. The records of mobile phone conversations between Babii and Denis, and the two malware programs Carbanak and Cobalt discovered by Taiwanese prosecutors and investigators, established direct evidence and the connection to Denis.
Thanks to this irrefutable evidence, the hacker genius was nabbed. He admitted that he had written the programs that made the ATMs spill cash while destroying evidence of the infiltration.
Asked what constituted the greatest difficulties during the investigation, Liu points to the enormous amount of information that had to be sifted to find the malware and recreate the path that allowed the virus to enter the system. Investigators also needed to recover the files that the main suspect deleted after committing the heists.
Liu notes that around 10 million records were created per day in connection with this case. In the First Commercial Bank case, investigators were busy half a year analyzing 1.8 billion entries.
Prosecutor Lee reveals that investigators originally suspected that the heist might have been an insider job. Therefore they repeatedly checked the video surveillance of 22 branches. In the First Commercial Bank case, an old man who found part of the stolen money in a park was suspected of being linked to the heist. Investigators spent considerable time checking all bank employees with the same surname to see whether they were related to the man or whether there could be any collusion, following up even the most minor of leads. In the end, they were able to establish that indeed only inadvertent carelessness was to blame.
What does cyber security expert Liu recommend for Taiwanese companies? What lesson should they learn from the First Commercial Bank case?
Liu Chia-ming, section chief with the Department of Cyber Security at the Investigation Bureau of the Ministry of Justice (Image: Chien-Tong Wang)
Hackers Can Already Take Control of Self-Driving Cars
He warns that enterprises should first of all change their thinking, because just a single case of cybercrime could erase the accumulated profits of several years overnight. Therefore, the importance of information security must not be neglected.
Second, companies must be aware that information technology and information security experts are not the same; they must not mistakenly believe that information technology staff can work in the field of information security.
Third, even if a corporation has been certified, the international threat to information security continues to increase daily. Information security personnel must keep their systems updated and stay current with the latest knowledge. If necessary, experts should be invited to conduct training, and records should be backed up, Liu suggests.
“Many hackers still use attacks that target people (such as email phishing), so training employees is essential,” says Liu. Companies are advised to simulate cyber attacks often. It is crucial that the results not be embellished, or else it will not be possible to nip attacks in the bud.
Liu also warns that, thanks to technological progress, various novel forms of cybercrime have recently emerged around the world. For instance, there have already been examples of hackers demanding ransom after gaining remote control over self-driving cars. There are also cases where information was leaked because Internet systems were hacked remotely.
“Every company could become another First Commercial Bank,” warns Liu, adding that in this case, First Commercial Bank just happened to be the victim.
And in our digital age, the dangers are lurking right next door.
Translated from the Chinese article by Susanne Ganz
Edited by Shawn Chou