The Unabated Reign of ATM Hacking: The 2021 Rajasthan ATM Attack and the Proliferation of Novel ATM Hacking Tools and Techniques

mins read time
The Unabated Reign of ATM Hacking: The 2021 Rajasthan ATM Attack and the Proliferation of Novel ATM Hacking Tools and Techniques
Published on
September 23, 2021
Blog Image

ATM hacking, often known as ATM jackpotting, is the illegal withdrawal of cash from automated teller machines by exploiting their physical or technical vulnerabilities. Given how ubiquitous ATMs are, exploiting them is an attractive scheme for criminals across the world. 


Even before the technological advances of the past decade, criminals have been pilfering ATMs using crafty physical methods such as forking, ATM lock picking, stealing entire ATM machines, etc. However, easy access to technology in recent years have allowed criminals to employ tools such as jackpotting, malware, exploits, etc., to achieve their goals. 


In this article, we delve into the specifics of the numerous physical and electronic attack vectors used by ATM hackers, highlighting the 2021 Rajasthan ATM hack as an example of the continued proliferation of novel ATM hacking tools and techniques. 


The Machinery

A typical ATM is composed of two primary components: a cabinet and a safe. The cabinet is the main body of the ATM which contains its main computer. This computer is connected to all the other devices of the ATM, such as network equipment, card readers, keyboards (PIN pads), and cash dispensers. With merely a plastic door secured by a flimsy lock, the cabinet is practically unprotected. 


Furthermore, most ATM manufacturers utilize the same lock for all ATMs of a particular series, and these keys are readily available on the internet, but attackers can also pick them or drill through the weak plastic. Considering that these plastic cabinets house the cash dispenser and the cash acceptor modules,  if they are instead made of steel and concrete, they would be more durable.


The Software

Majority of ATMs in the world now run on Microsoft Windows, primarily Windows XP Professional or Windows XP Embedded. Earlier in 2014, 95% of ATMs were still running on Windows XP. According to Wikipedia, a small number of deployments may still be running older versions of the Windows OS, such as Windows NT, Windows CE, or Windows 2000, even though Microsoft currently supports only Windows 8 and Windows 10.


To execute properly, the software must communicate with ATM peripherals such as the card reader, the keyboard, and the cash dispenser. XFS (extensions for financial services), a standard for simplifying and centralizing equipment control, facilitates this communication. XFS is implemented differently by every ATM vendor.


Physical Methods for ATM Jackpotting

Since most ATM thieves are not particularly tech savvy, they resort to tried-and-tested physical jackpotting methods. To make a quick heist, they primarily use conventional ATM jackpotting techniques, such as shoulder surfing card PINs, brute forcing into the ATM safe, and so on. Some of the common methods include: 


  • Skimming: In this method, the magnetic reader fitted into an ATM machine is replaced with a fake one that reads and stores all the information on the magnetic strip of any card that is inserted in the ATM. A normal consumer will have a difficult time detecting this scam because there are dozens of valid swiping devices on the market, making it nearly impossible to tell the difference between a genuine and a fake one. Criminals also install hidden cameras in the ATM booth to capture corresponding ATM PINs. The information obtained this way is later used to create illegal duplicates of ATM cards and defraud card holders. 


  • Fake Keyboards: Hackers replace ATM keyboards with fake ones that capture users’ PINs. This technique is also known as a ‘pin-pad overlay’ and is a common attack vector.


  • Hidden cameras: Another common and popular trick used by ATM attackers over the past few decades involves fitting small, hidden spy cameras onto an ATM, strategically placed near the keyboards so as to record customers’ ATM PINs. 


  • Forking: Here, the attacker inserts their card and initiates a small amount of cash withdrawal. As the cash is being withdrawn, they insert a fork-like tool into the cash dispenser, causing the ATM software to lock up and reset. They then manually pull out cash from the safe via the dispenser passage. The internal trigger of the ATM is confused by this action and loses track of how much money is dispensed, allowing repeated withdrawals.


  • Brute Force: Criminals may also simply break into an ATM safe by damaging the cabinet and taking out the desired amount of money.


Technical Methods for ATM Jackpotting

Lately, ATM thieves have also begun to employ technology to circumvent ATM security systems. Since they lack the technological training and financial resources required to evade ATM security, they turn to threat actors that sell the finished products required to accomplish this. On cybercrime forums and underground markets, there is a burgeoning ecosystem of actors selling numerous software along with detailed video tutorials on how the software can be leveraged to hack an ATM. 

The most common of these methods are:


  • ATM Malware Cards: ATM malware cards sold on the dark web come with the PIN descriptor, trigger card, and instruction guide. Once the ATM malware card is installed in the ATM, it captures card details of customers who subsequently use the ATM. The trigger card is then used to dispense cash from ATMs.

  • USB ATM Malware: Another prevalent method to fraudulently dispense cash from ATM Machines is by infecting them with a malware-hosted USB drive. This method also targets machines that run on Windows XP. The Tyupkin Trojanattack is such an instance.


  • Remote ATM Attacks: The hacker disconnects the ATM from the bank’s network and connects it to a special appliance that transfers the data to their own server. ATM networks are usually improperly segmented (separated for security), and a hacker may use such a device to infiltrate multiple ATMs at once, even though the malicious device is only attached to one of them. 


The communication between the ATM and the processing servers is either unencrypted or has a low level of encryption. The attacker installs a counterfeit processing centre on the server and delivers fake processor-server responses to the machines, resulting in a cash jackpot.


  • The Black Box Attack: The attacker sets the ATM to Maintenance mode and connects a device called a black box (a microcomputer like the Raspberry PI) to control the cash trays. While the attacker is tampering with the ATM, the screen shows a service message like “Maintenance in Progress” or “Out of Service,” although in reality the ATM can still draw cash. This technique was recently employed by a couple of women in Rajasthan to exfiltrate INR 3.2 million from several cities. Here are details of the incident.


Investigation of the Rajasthan ATM Hack 2021


Timeline of the Incident
Timeline of the Incident


On 26 July 2021, the Indian SOG (Special Operations Group) arrested two foreign nationals for illegally withdrawing INR 3.2 million from different ATMs in Rajasthan. The two women who were arrested are residents of Uganda and Zambia. The duo used a device known as Raspberry Pi to hack into the ATM server and siphon off money illicitly from six ATMs in Jaipur, across the areas of Mahesh Nagar, Gopalpura, Nehru Place, and Sanganer, from 16—18 July 2021. 


Prior to this incident, the duo had unsuccessfully attempted to tamper with a Bank of Baroda ATM at Keshavpura. This incident was brought to light by the Manager of Bank of Baroda, Mahesh Nagar, when he lodged an FIR regarding the ATM hack on 16 July.


About the Hackers

The two women involved in this crime have been identified as Laura Keith and Nan Tongo Alexander, residents of Zambia and Uganda respectively. Both of them have completed their education up to the 11th standard and were residing in an apartment in Delhi. This was their third visit to India and they stayed at the Polo Victory Palace Hotel in Jaipur during the time of the incident. They appear to have been amidst the process of setting up a cybercriminal network in India.  


Laura Keith and Nan Tongo Alexander
Laura Keith and Nan Tongo Alexander


The Attack 

The duo started their quest on 14 July, by visiting various ATMs in Jaipur. They selected their targets based on:

  • The positioning of the ATM: To ensure they were not accosted or caught while hacking the ATM.
  • The amount of money stored: To make sure the ATMs had been replenished.
  • The technology used: Since their code was only effective on ATMs using older manual settings. 

Their reconnaissance helped them figure out which ATMs could be targeted. The hackers were not only meticulous about their target selection but also about their appearance. They changed their disguises after every hack, making it difficult to identify them in CCTV footage.


After hacking 6 ATMs in Jaipur, the duo moved to Udaipur and repeated the same process. 


The Attack Vector 

This hack was an intelligent execution of a Man in the Middle (MITM) attack where the hackers used a device named Raspberry Pi to gain control over the ATM’s server. A man-in-the-middle attack occurs when an attacker positions themselves in the middle of a user and a service provider, while discreetly monitoring or even altering the interaction between them.


Raspberry Pi
Raspberry Pi



Raspberry Pi is a series of small single-board computers (SBCs) developed in the United Kingdom by the Raspberry Pi Foundation in association with Broadcom. It’s an affordable computer of the size of a credit card, developed primarily for educational purposes, to facilitate coding among students and in developing countries.


It can also be used with a television or a computer display and can perform all of the functions of a desktop computer. It uses a regular keyboard and mouse and is currently being utilized in a wide range of fields, including robotics.


In this incident, the felons purchased this device for INR 7,000 from Amazon and modified it into a server. They then visited various ATMs, plugged in the device and replaced the bank’s server port with their own custom server, and connected it to the ATM via Wi-Fi. As a result, the ATM was completely disconnected from the bank’s main server, allowing them to withdraw money without notifying the bank. 


However, due to a technical glitch, only ATMs working on the old manual system settings could be exploited by this device and this limited the hackers’ potential targets. 


Mitigation Measures

As mentioned, this hack was possible only on ATMs using old manual system settings thereby highlighting the importance of patching and updating the software regularly. 


We strongly recommend that banks:

  • Use up-to-date versions of Operating Systems and other software.
  • Audit and update the ATM’s security settings on a regular basis.
  • Make sure to use the most up-to-date ATM security features.
  • Install high-security locks, alarms, cameras, anti-fraud devices, etc., for increased security.



ATM hacking has progressed significantly over time. ATM thieves are no longer merely stealing cash from ATMs; they are now trading ATM details and ATM card information for money, or for various hacking tools such as malwares, databases, accesses, etc. The following are advertisements for ATM-related malware and exploits that have been posted by various threat actors across multiple forums.


A threat actor looking for collaboration in a phishing campaign targeting Europe mainly Ireland ATM
A threat actor looking for collaboration in a phishing campaign targeting Europe mainly Ireland ATM


A threat actor selling an ATM malware that targets NCR and Diebold Nixdorf machines
A threat actor selling an ATM malware that targets NCR and Diebold Nixdorf machines


A threat actor is looking to buy POC for ATM malware for a budget of USD 2000
A threat actor is looking to buy POC for ATM malware for a budget of USD 2000




Contributors to this Article
Author Image
Related Posts
Blog Image
September 8, 2023

Understanding Knight Ransomware: Advisory, Analysis

Cyclops, now renamed as Knight also known as Cyclops 2.0, debuted in May 2023. The Cyclops group has successfully developed ransomware that can infect all three major platforms: Windows, Linux, macOS, ESXi and Android.

Blog Image
July 28, 2023

Amadey Equipped with AV Disabler drops Redline Stealer

Our researchers have found out The Amadey botnet is now using a new Healer AV disabler to disable Microsoft Defender and infect target systems with Redline stealer.

Blog Image
July 11, 2023

Breaking into the Bandit Stealer Malware Infrastructure

CloudSEK's threat researchers discovered a new Bandit Stealer malware web panel on 06 July 2023, with at least 14 active instances.

Join 10,000+ subscribers

Keep up with the latest news about strains of Malware, Phishing Lures,
Indicators of Compromise, and Data Leaks.