Lazarus Heist: The intercontinental ATM theft that netted $14m in two hours

Imagine you're a low-wage worker in India who is offered a day's employment as an extra in a Bollywood film. Your role? To go to a cash point and withdraw some money.

Lazarus Heist: The intercontinental ATM theft that netted $14m in two hours

In 2018, several men in Maharashtra state thought they were accepting a bit-part in a movie - but in fact they were being tricked into being money mules, collecting cash in an ambitious bank heist.

The raid took place over a weekend in August 2018, and centred on Cosmos Co-operative bank, which has its headquarters in Pune.

On a quiet Saturday afternoon, staff in the bank's head office suddenly received a string of alarming messages.

They were from the card payment company Visa in the United States, warning it could see thousands of demands flooding in for large cash withdrawals from ATMs - by people apparently using Cosmos Bank cards.

But when the Cosmos team checked their own systems, they saw no abnormal transactions.

About half-an-hour later, just to be safe, they authorised Visa to stop all transactions from Cosmos bank cards. This delay would turn out to be extremely costly.

The next day, Visa shared the full list of suspect transactions with the Cosmos head office: about 12,000 separate withdrawals from different ATMs around the world.

The bank had lost nearly $14m (£11.5m).

It was an audacious crime characterised by its grand scale and meticulous synchronisation. Criminals had plundered ATMs in 28 different countries, including the United States, the UK, the United Arab Emirates and Russia. It all happened in the space of just two hours and 13 minutes - an extraordinary global flash mob of crime.

Eventually, investigators would trace its origins back to a shadowy group of hackers who had pulled off a succession of previous stings seemingly at the behest of the North Korean state.

But before they knew the wider picture, investigators at the Maharashtra cyber-crime unit were amazed to see CCTV footage of dozens of men walking up to a series of cashpoints, inserting bank cards and stuffing the notes into bags.

"We were not aware of a money mule network like this," says Insp Gen Brijesh Singh, who led the investigation.

One gang had a handler who was monitoring the ATM transactions in real time on a laptop, Singh says. CCTV footage showed that whenever a money mule had tried to keep some of the cash for himself, the handler would spot it and gave him a hard slap.

Using the CCTV footage as well as mobile phone data from the areas near the ATMs, the Indian investigators were able to arrest 18 suspects in the weeks after the raid. Most are now in prison, awaiting trial.

Singh says these men weren't hardened crooks. Among those arrested were a waiter, a driver and a shoe-maker. Another had a pharmacy degree.

"They were gentle people," he says.

Despite this, he thinks that by the time the raid happened, even the men recruited as "extras" knew what they were really doing.

But did they know who they were working for?

Investigators believe that the secretive and isolated state of North Korea was behind the heist.

North Korea is one of the poorest nations in the world, yet a significant portion of its limited resources goes toward the building of nuclear weapons and ballistic missiles, activity that is banned by the UN Security Council. As a result, the UN has placed the country under onerous sanctions, making trade highly restrictive.

The hackers, nicknamed the Lazarus Group, are believed to belong to a unit directed by North Korea's powerful military intelligence agency, the Reconnaissance General Bureau.

Cyber-security experts named the hackers after the biblical figure Lazarus, who comes back from the dead - because once their viruses get inside computer networks, they are almost impossible to kill off.

The group first sprang to international prominence when then-US President Barack Obama accused North Korea of hacking into Sony Pictures Entertainment's computer network in 2014. The FBI accused hackers of waging the damaging cyber-attack in retaliation for "The Interview", a comedy that depicted the assassination of Kim Jong Un.

The Lazarus Group has since been accused of trying to steal $1bn (£815m) from Bangladesh's central bank in 2016, and for launching the WannaCry cyber-attack which attempted to extract ransoms from victims around the world, including the NHS in Britain.

North Korea strongly denies the Lazarus Group's existence, and all allegations of state-sponsored hacking.

But leading law enforcement agencies say North Korea's hacks are more advanced, more brazen and more ambitious than ever.

For the Cosmos heist, the hackers used a technique known as "jackpotting" - so-called because getting the ATM to spill its cash is like hitting the jackpot on a slot machine.

The bank's systems were initially compromised in the classic way: through a phishing email opened by an employee which infected the computer network with malware. Once inside, the hackers manipulated a bit of software - called the ATM switch - which sends messages to a bank to approve a cashpoint withdrawal.

This then gave the hackers the power to allow ATM withdrawals from their accomplices anywhere in the world. The only thing they couldn't change was the maximum amount for each withdrawal, so they needed a lot of cards and a lot of people on the ground.

In preparation for the raid, they worked with accomplices to create "cloned" ATM cards - using genuine bank account data to create duplicate cards that can be used in ATMs.

British security company BAE Systems immediately suspected it was the work of the Lazarus Group. It had been monitoring them for months and knew they were plotting to attack an Indian bank. It just didn't know which one.

"It would have been too much of a coincidence for it to have been another criminal operation," says BAE security researcher Adrian Nish. The Lazarus Group are versatile and very ambitious, he says. "Most criminal groups would probably be happy enough to get away with a couple of million and stop at that."

The logistics involved in the Cosmos Bank heist are staggering. How did the hackers find accomplices on the ground in 28 countries, including many that North Korean citizens can't legally visit?

US tech security investigators believe the Lazarus Group met one key facilitator on the dark web, where there are entire forums dedicated to swapping hacking skills and where criminals often sell support services. In February 2018, a user calling himself Big Boss posted tips on how to carry out credit card fraud. He also said he had the equipment to make cloned ATM cards, and that he had access to a group of money mules in the United States and Canada.

This was precisely the service the Lazarus Group needed for their hit on Cosmos Bank, and they started working with Big Boss.

We asked Mike DeBolt, chief intelligence officer at Intel 471 - a tech security firm in the US - to find out more about this accomplice.

DeBolt's team discovered that Big Boss had been active for at least 14 years and had a string of aliases: G, Habibi, and Backwood. The security sleuths managed to link him to all these usernames, as he used the same email address in different forums.

"Basically, he's being lazy," says DeBolt. "We see this pretty commonly: actors change their alias on a forum, but keep the same email address."

In 2019, Big Boss was arrested in the United States and unmasked as Ghaleb Alaumary, a 36-year-old Canadian. He pleaded guilty to offences including laundering funds from alleged North Korean bank heists, and was sentenced to 11 years, eight months.

North Korea has never admitted any involvement in the Cosmos Bank job, or any other hacking scheme. The BBC put allegations of involvement in the Cosmos attack to North Korea's embassy in London but received no reply.

However, when we contacted him previously, ambassador Choe Il replied the allegations of North Korean state-sponsored hacking and money laundering are "a farce", and an attempt by the US to "tarnish the image of our state".

In February 2021, the FBI, the US Secret Service and Department of Justice announced charges against three suspected Lazarus Group hackers: Jon Chang Hyok, Kim Il and Park Jin Hyok, whom they said work for North Korea's military intelligence agency. They are now thought to be back in Pyongyang.

US and South Korean authorities estimate North Korea has up to 7,000 trained hackers. It is unlikely that they all work from inside the country, where few people have permission to use the internet, making users' activities difficult to conceal. Instead, they're often sent overseas.

Ryu Hyeon Woo, a former North Korean diplomat and one of the most senior people to have left the regime, provided insight into how the hackers work abroad.

In 2017, he was working at the North Korean embassy in Kuwait, helping to oversee the employment of some 10,000 North Koreans in the region. At the time, many were working on construction sites across the Gulf and, like all North Korean workers, were required to hand over most of their wages to the regime.

He said his office received a daily call from a North Korean handler who was overseeing 19 hackers living and working in cramped quarters in Dubai. "That's really all they need: a computer that's connected to the internet," he said.

North Korea denies having any hackers posted abroad, only IT workers with valid visas. But Mr Ryu's description fits with FBI allegations about how these cyber-units operate from dormitories around the world.

In September 2017, the UN Security Council imposed the strictest sanctions yet on North Korea, limiting fuel imports, further restricting exports, and demanding that UN member nations send North Korean workers home by December 2019.

Yet the hackers still appear to be active. They are now targeting crypto-currency companies, and are estimated to have stolen close to $3.2 bn.

US authorities have called them "the world's leading bank robbers", using "keyboards rather than guns".

-bbc