Table Of Contents

Tyupkin malware allows fraudsters to enter a Pin code and take out up to 40 notes at once!

The cybercriminals from Eastern Europe are evolving their strategies and updating their attack tactics against bank automated teller machines (ATM) to a whole new level.  They are moving beyond solely targeting consumers with card skimmers that steal debit card numbers, to direct attacks against banks using malware that allows them or their henchmen to withdraw money directly from an ATM without the need for a counterfeit or stolen card.

A research published by Kaspersky Lab said that they have discovered  a new malware named Tyupkin solely developed for this purpose.  The Tyupkin malware impacts ATMs from a particular ‘major’ ATM manufacturer and only systems running on 32-bit Windows operating system, Kaspersky said.

Kaspersky Labs has informed Interpol, which in turn is mounting a widespread investigation across the USA, India, France, Israel, Malaysia and China.

The hack, known as Tyupkin, requires criminals to enter a unique code into a machine that has already been compromised by the malware. A second Pin code – a random sequence of numbers generated at another location – is also needed to unlock the machine before it will dispense the cash. ATMs infected with malicious software can be instructed to give out 40 notes at once by entering a series of digits on the keypad. Fraudsters do not require a credit or debit card to carry out the scam.


Once installed, the Tyupkin waits for a user to enter a specific key sequence on the keypad. The sequence is freshly-generated for each session so that the ATM user needs to receive it from the gang which installed the malware and knows the algorithm. Once the initial key sequence is entered, the user at the ATM calls the gang and receives another code specific to that session. All this allows the gang to control the cash being withdrawn by their henchmen across the world.

Once the second key is entered, the malware displays the amount of money in each cash “cassette,” and releases 40 notes at a time from the specified cassette.

The malware only accepts commands to dispense cash at specific times on Sunday and Monday nights. Kaspersky says this is to make the scam harder to spot, but it also allows the ringleaders to be on duty to provide codes when the attacks are being performed.  This can make it a bit easier for the investigating agencies to get to the ring leaders of this particular cyber criminal gang.

“The Tyupkin malware is an example of the attackers taking advantage of weaknesses in the ATM infrastructure,” said Vicente Diaz, Principal Security Researcher at Kaspersky Lab’s Global Research and Analysis Team. “We strongly advise banks to review the physical security of their ATMs and network infrastructure and consider investing in quality security solutions.

“The fact that many ATMs run on operating systems with known security weaknesses and the absence of security solutions is another problem that needs to be addressed urgently,” Diaz said

Kaspersky has noted that there were around 50 infections of this particular malware.  They have reported that they have received 20 reports of Backdoor.MSIL.Tyupkin from Russia, four from France, two each from Israel and China and one each from India, the U.S. and Malaysia.  This also indicates that even if the ringleaders are in Eastern Europe, they have their henchmen / couriers based all around the world.


Please enter your comment!
Please enter your name here