UNC2891 ATM Fraud: Sophisticated Cybercrime Resurgence

Today, we’re diving into the shadowy world of cybercrime with Malik Haidar, a seasoned cybersecurity expert who has spent years battling digital threats at multinational corporations. With a sharp focus on analytics, intelligence, and integrating business strategies into security frameworks, Malik offers a unique perspective on the evolving landscape of cyber fraud. In this interview, we explore the intricate details of a sophisticated ATM fraud operation known as UNC2891, which targeted Indonesian banks over several years. We’ll unpack the innovative technologies used, the malware that powered these attacks, the role of money mules, and the broader implications for financial security in an era where such threats are becoming more advanced and persistent.

Can you give us an overview of the UNC2891 ATM fraud operation and why it’s caught so much attention in the cybersecurity world?

Absolutely, Frans. UNC2891 is a highly organized cybercrime campaign that targeted two Indonesian banks over a span of a few years. What makes it stand out is the sheer scale and sophistication of the operation. It’s not just about hacking into systems; it combines advanced malware, physical devices like Raspberry Pi for ATM infiltration, and a sprawling network of money mules to extract cash. This group didn’t just breach systems—they built an entire ecosystem to sustain their fraud, which is a stark reminder of how cybercrime has evolved into a full-fledged business model.

How did UNC2891 specifically target these banks during their attacks between 2022 and 2024?

The group executed three major attacks: the first on Bank A in February 2022, then Bank B in November 2023, and a return to Bank A in July 2024. Their approach was methodical—they used consistent tools like the STEELCORGI packing tool across all incidents. Initially, they compromised dozens of systems to establish a foothold, often maintaining persistent access. By the later attacks, they refined their methods, leveraging physical access to ATMs via custom hardware and coordinating real-time cash withdrawals with mules. Each attack built on the lessons of the previous one, showing a clear learning curve.

Let’s dive into the tech side. Can you explain how they used Raspberry Pi devices in their ATM infiltration strategy?

Sure. The Raspberry Pi, a small, affordable computer, was rigged by UNC2891 as a tool to physically interface with ATMs. They likely modified these devices to connect directly to the ATM’s internal systems, bypassing external security layers. This allowed them to manipulate the machine’s operations—think dispensing cash without proper authorization. What’s chilling is that this isn’t just a software hack; it’s a blend of physical and digital intrusion, which is harder to detect and defend against. While not entirely new, using such accessible hardware in ATM fraud shows how low-cost tech can be weaponized effectively.

One of the standout elements of this operation is the CAKETAP malware. Can you break down what it does and why it’s so dangerous?

CAKETAP is a nasty piece of work—a rootkit designed to mess with the core verification processes of ATMs. It intercepts and alters legitimate PIN verification messages, essentially tricking the system into thinking everything is fine when it’s not. It also manipulates responses from Hardware Security Modules, which are critical for secure transactions, allowing attackers to use cloned cards as if they were legitimate. This level of interference at such a fundamental layer makes CAKETAP a game-changer; it undermines the very trust mechanisms banks rely on.

The operation also involved other tools like TINYSHELL, SLAPSTICK, and SUN4ME. Can you walk us through how these contributed to the attacks?

Each of these tools had a specific role in the UNC2891 playbook. TINYSHELL set up covert connections to their command-and-control servers, often using dynamic DNS to stay under the radar, ensuring they could maintain access to compromised systems. SLAPSTICK focused on stealing credentials by tampering with authentication libraries, grabbing sensitive login data. SUN4ME, on the other hand, was all about reconnaissance—it mapped out the target bank’s network, giving attackers a detailed blueprint to navigate and exploit. Together, these tools created a robust framework for persistence and exploitation.

Another fascinating aspect is the money mule network. How did UNC2891 manage to recruit and coordinate these individuals for their operation?

They were incredibly strategic about this. UNC2891 posted ads on platforms like Google and used Telegram channels to lure in potential mules—often people looking for quick cash without fully understanding the criminal nature of the job. Once recruited, they’d ship cloned card equipment via postal services to these individuals. The coordination was tight; mules were guided in real-time via tools like TeamViewer or over the phone to withdraw money from ATMs. It’s a classic example of exploiting human vulnerabilities alongside technical ones, scaling their operation through a distributed workforce.

Given how ATM-focused cybercrime seemed to fade for a while, what does the resurgence of groups like UNC2891 tell us about the current state of financial security?

It’s a wake-up call, Frans. Many organizations deprioritized ATM security in recent years, thinking these threats were on the decline. But UNC2891 shows they didn’t disappear—they evolved. With physical access vectors, deeply embedded malware, and coordinated human networks, these attacks are more dangerous than ever. It highlights a critical gap in how we allocate resources and attention to different threat surfaces. Financial institutions need to rethink their threat models and prioritize comprehensive audits of both digital and physical security layers.

Looking ahead, what is your forecast for the future of ATM fraud and similar financial cybercrimes?

I expect these threats to grow in complexity and scale. As technology becomes more accessible, we’ll see more groups adopting hybrid approaches—blending physical tampering with sophisticated malware. The use of AI could further enhance their ability to evade detection or automate parts of their operations, like phishing for mules or optimizing attack timing. On the flip side, I hope this spurs innovation in defenses—think better hardware security modules or AI-driven anomaly detection at ATMs. But it’s a cat-and-mouse game, and staying ahead will require constant vigilance and investment from both banks and cybersecurity professionals.
