Lazarus Heist: The intercontinental ATM theft that netted $14m in two hours

Imagine you're a low-wage worker in India who is offered a day's employment as an extra in a Bollywood film. Your role? To go to a cash point and withdraw some money.

In 2018, several men in Maharashtra state thought they were accepting a bit-part in a movie - but in fact they were being tricked into being money mules, collecting cash in an ambitious bank heist.

The raid took place over a weekend in August 2018, and centred on Cosmos Co-operative bank, which has its headquarters in Pune.

On a quiet Saturday afternoon, staff in the bank's head office suddenly received a string of alarming messages.

They were from the card payment company Visa in the United States, warning it could see thousands of demands flooding in for large cash withdrawals from ATMs - by people apparently using Cosmos Bank cards.

But when the Cosmos team checked their own systems, they saw no abnormal transactions.

About half-an-hour later, just to be safe, they authorised Visa to stop all transactions from Cosmos bank cards. This delay would turn out to be extremely costly.

The next day, Visa shared the full list of suspect transactions with the Cosmos head office: about 12,000 separate withdrawals from different ATMs around the world.

The bank had lost nearly $14m (£11.5m).

Warning: This article contains spoilers for the Lazarus Heist podcast

It was an audacious crime characterised by its grand scale and meticulous synchronisation. Criminals had plundered ATMs in 28 different countries, including the United States, the UK, the United Arab Emirates and Russia. It all happened in the space of just two hours and 13 minutes - an extraordinary global flash mob of crime.

Eventually, investigators would trace its origins back to a shadowy group of hackers who had pulled off a succession of previous stings seemingly at the behest of the North Korean state.

But before they knew the wider picture, investigators at the Maharashtra cyber-crime unit were amazed to see CCTV footage of dozens of men walking up to a series of cashpoints, inserting bank cards and stuffing the notes into bags.

"We were not aware of a money mule network like this," says Insp Gen Brijesh Singh, who led the investigation.

One gang had a handler who was monitoring the ATM transactions in real time on a laptop, Singh says. CCTV footage showed that whenever a money mule tried to keep some of the cash for himself, the handler would spot it and give him a hard slap.

Using the CCTV footage as well as mobile phone data from the areas near the ATMs, the Indian investigators were able to arrest 18 suspects in the weeks after the raid. Most are now in prison, awaiting trial.

Singh says these men weren't hardened crooks. Among those arrested were a waiter, a driver and a shoe-maker. Another had a pharmacy degree.

"They were gentle people," he says.

Despite this, he thinks that by the time the raid happened, even the men recruited as "extras" knew what they were really doing.

But did they know who they were working for?

Investigators believe that the secretive and isolated state of North Korea was behind the heist.
