Two Ukrainians Taken Into Custody for Cash-Out Scheme Against Russian Sberbank ATMs

Two of three Ukrainian men suspected of stealing $1.5 million (USD) from ATMs in Bosnia have been taken into custody by Bosnian authorities. The men are accused of stealing from ATMs belonging to the Russian state-owned bank Sberbank. Dmytro Boyko and Oleksandr Zaysev were taken into custody, but a third suspect, Yaroslav Tytarenko, fled to Hungary and is still at large. According to authorities, the three men withdrew the funds over a span of approximately 53 hours and were found in possession of $60,000 at the time of their arrest. According to a bank spokesperson, the ATMs were functioning normally and showed no signs of physical tampering. "Computer-hacking tools" were used to withdraw the funds, according to a statement by a court expert on information and communication.

Analyst Notes

It is unclear whether this means that "computer-hacking tools" were used by the trio themselves or whether they were only there to collect the funds. It is common in cash-out schemes for a hacker, or group of hackers, to compromise ATMs and then hire others (money mules) to stand by the machines while the attackers remotely instruct the ATMs to dispense large sums of cash. In past ATM-hacking incidents, bank employees were first targeted with malware, giving attackers remote backdoor access to their workstations. After gaining initial access, attackers often steal credentials for administrator accounts and abuse those accounts to move laterally to other workstations or servers, eventually reaching the systems that manage the ATMs. Because the ATMs themselves show no tampering, the detectable activity is on the bank's internal network: a single workstation authenticating to an unusual number of hosts in a short period, or an administrator account logging on remotely from a workstation it does not normally use. It is important to closely monitor workstations and servers for such attacker behaviors and to stop the intrusion before the attackers have a chance to reach their objective. More information on this incident can be found at
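The lateral-movement pattern described above (one account, one source workstation, remote logons to many hosts in a short window) can be checked for in Windows Security logs. The following is an added example written for this brief, not code from the original page or from any vendor or tool; the event records are a constructed, minimal rendering of Event ID 4624 (successful logon) with the real field names TargetUserName, IpAddress and LogonType, but the hostnames, account names, addresses and timestamps are made up. The 30-minute window and the three-host threshold are assumptions to tune for your environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: Windows Security 4624 events reduced to the fields
# needed here. Values are invented for this example. LogonType 2 is a local
# console logon, 3 is a network logon (SMB, WMI, PsExec-style remote exec),
# 10 is RemoteInteractive (RDP).
SAMPLE_EVENTS = [
    {"ts": "2019-03-02T08:00:00", "host": "DC-01",        "EventID": 4624, "TargetUserName": "adm_it",     "LogonType": 3,  "IpAddress": "10.0.7.33"},
    {"ts": "2019-03-04T01:00:00", "host": "FS-01",        "EventID": 4624, "TargetUserName": "svc_backup", "LogonType": 3,  "IpAddress": "10.0.5.20"},
    {"ts": "2019-03-04T01:05:00", "host": "FS-02",        "EventID": 4624, "TargetUserName": "svc_backup", "LogonType": 3,  "IpAddress": "10.0.5.20"},
    {"ts": "2019-03-04T09:01:10", "host": "WKS-FIN-01",   "EventID": 4624, "TargetUserName": "jdoe",       "LogonType": 2,  "IpAddress": "-"},
    {"ts": "2019-03-04T09:14:02", "host": "WKS-FIN-02",   "EventID": 4624, "TargetUserName": "adm_it",     "LogonType": 3,  "IpAddress": "10.0.7.33"},
    {"ts": "2019-03-04T09:14:40", "host": "WKS-FIN-03",   "EventID": 4624, "TargetUserName": "adm_it",     "LogonType": 3,  "IpAddress": "10.0.7.33"},
    {"ts": "2019-03-04T09:20:15", "host": "SRV-ATM-MGMT", "EventID": 4624, "TargetUserName": "adm_it",     "LogonType": 3,  "IpAddress": "10.0.7.33"},
    {"ts": "2019-03-04T09:21:00", "host": "SRV-ATM-MGMT", "EventID": 4624, "TargetUserName": "ADM_IT",     "LogonType": 10, "IpAddress": "10.0.7.33"},
    {"ts": "2019-03-04T09:23:55", "host": "SRV-ATM-01",   "EventID": 4624, "TargetUserName": "adm_it",     "LogonType": 3,  "IpAddress": "10.0.7.33"},
]

# Logon types that indicate a logon coming from another machine.
REMOTE_LOGON_TYPES = {3, 10}


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def find_lateral_movement(events, window=timedelta(minutes=30), min_hosts=3):
    """Return {(account, source_ip): [hosts]} for every account/source pair that
    logged on remotely to at least `min_hosts` distinct hosts within `window`.

    Account names are lower-cased so that 'adm_it' and 'ADM_IT' (the same
    account rendered differently by different hosts) are counted together."""
    remote = [
        e for e in events
        if e["EventID"] == 4624 and e["LogonType"] in REMOTE_LOGON_TYPES
        and e["IpAddress"] not in ("-", "127.0.0.1", "::1")  # ignore local/loopback sources
    ]
    remote.sort(key=lambda e: parse_ts(e["ts"]))

    by_key = defaultdict(list)
    for e in remote:
        by_key[(e["TargetUserName"].lower(), e["IpAddress"])].append(e)

    hits = {}
    for key, evs in by_key.items():
        # Slide a window starting at each event and count distinct destination
        # hosts inside it; report the first window that crosses the threshold.
        for i, start in enumerate(evs):
            t0 = parse_ts(start["ts"])
            hosts = set()
            for e in evs[i:]:
                if parse_ts(e["ts"]) - t0 > window:
                    break
                hosts.add(e["host"])
            if len(hosts) >= min_hosts:
                hits[key] = sorted(hosts)
                break
    return hits


if __name__ == "__main__":
    for (account, src), hosts in find_lateral_movement(SAMPLE_EVENTS).items():
        print(f"{account} from {src} reached {len(hosts)} hosts: {', '.join(hosts)}")
```

In the constructed sample the backup service account touches two file servers over five minutes and is not reported, while the adm_it account fans out from one workstation to two other workstations and two ATM-management servers within ten minutes and is. In production the same logic should read from a central log collector rather than per-host logs, since the point is to correlate one source across many destinations, and known automation accounts are better handled by a per-account threshold than by a global allow-list.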