Chinese programmer gets jailed for withdrawing $1 million in cash using an ATM flaw
A senior Chinese bank programmer was arrested after he withdrew more than 7 million yuan (around $1,000,000) in “free” cash by exploiting an ATM flaw. He has been given a prison sentence of 10 and a half years, the South China Morning Post reported.
Qin Qisheng, 43, a former manager in Huaxia Bank’s technology development center in Beijing, discovered a flaw in the bank’s main operating system in 2016. According to the report, the loophole enabled Qisheng to make cash withdrawals from the ATM around 12 a.m. As the bank’s system was not working properly, the cash withdrawals made by Qisheng were not recorded and also no alert was raised.
Apparently, Qisheng who had discovered the flaw in 2016, had inserted a few scripts in the banking system in November that year, which suppressed cash withdrawal alerts. From November 2016 to January 2018, Qisheng withdrew between 5,000 yuan and 20,000 yuan ($740 to $2,965) from a dummy account the bank used for testing. By the start of last year, Qisheng had collected over $1,000,000, that he added it to his personal bank account. He also did not inform his superiors what he was doing.
In January last year, a subsidiary branch in Cangzhou, Hebei detected and verified the irregular activity in the dummy account during a manual check. The incident was reported by the bank to relevant authorities.
Once Qisheng was caught, the bank decided to not continue to press charges against him and accept his explanation that he had simply been trying to investigate the ATM flaw. Qisheng had kept the money in his personal account and invested some of it in the stock market. While Huaxia bank said that he should have reported these activities, they requested police to drop the case if he returned the money.
Although Qisheng returned the money, the authorities did not accept the explanation and was detained in March. The Chaoyang district court found him guilty of theft in December and awarded him a jail sentence of 10 and a half years with a fine of 11,000 yuan ($16,000).
Even though Qi had returned all the money to the bank before his arrest, it was not enough to let him go, the district court said. It also added that the request by Huaxia bank to pardon Qi was not legitimate.
“On the one hand, [the bank] said that the accused’s behaviour was in violation of the rules. On the other hand, he said that he could conduct relevant tests. This is self-contradictory,” said the judge.
After the trial, Qin filed an appeal arguing that he did not deserve such a severe punishment. The second and final ruling by the Beijing Intermediate People’s Court upheld the verdict.
“After reviewing the papers, speaking to the appellant and listening to the opinions of the defenders, we believed that the facts of the case were clear and decided not to have another trial,” the court said.
“The case is closed.”
Huaxia Bank has rectified the ATM flaw to avoid any internal theft incident in the future. Huaxia bank has yet to respond on the issue.