Investigations into the fraud at Cosmos Bank in Pune, from which Rs 94 crore was fraudulently transferred in a global malware attack, have revealed that part of the sum, Rs 13.5 crore, was transferred to Macau. A Special Administrative Region of China, Macau is known as a top gambling hub. In the past, fraudsters are reported to have withdrawn cash from ATMs in Macau, which are always kept high on cash for gamblers. Fraudsters have also been able to withdraw large sums of money there without arousing any suspicion, as it is a free port with no foreign exchange control regime.
“There were two types of fraudulent transactions carried out: One where cloned debit cards were used to withdraw Rs 80.5 crore, and the other in which a SWIFT transfer of Rs 13.5 crore was made from the Pune-based bank to an account in a Hong Kong-based bank. On tracking the second transfer, it came to light that the money was then transferred to the account of an investment banking company from where it made its way to Macau,” said a senior police officer.
The officer said that as Macau is a well-known gambling destination, large withdrawals there are common. “People come there from around the world, there are no foreign exchange controls. This makes it ideal for fraudsters who want to make withdrawals of large sums without raising eyebrows. In this case, too, we suspect the withdrawals will be made there,” the officer added.
Apart from this, the police have also learnt that the fraudsters who managed to compromise the Cosmos Bank system had invited those who were on their online forums on the darknet — an internet network that has restricted access and is popular for illegal transactions — to take advantage of the ‘ATM cash out’ they would be carrying out at an Indian bank.
“The way it works is that the fraudsters have their own forums on the darknet. They informed people that they would be carrying out an ATM cash-out attack. They would inform the members about the timing of the cash-out and provide the card details in exchange for a fee,” the officer said.
Those interested would pay the fraudsters a certain amount and get the timing of the ATM cash-out and card details. In this case, the VISA cards of Cosmos Bank were used between 3 pm and 5.30 pm on August 11 while the RuPay cards (Indian banks) were used between 3 pm and 10 pm on the same day. These people would then simply have to turn up at the ATM and make withdrawals using the cloned debit cards. There was no withdrawal limit and they could withdraw as much as they wanted, the officer explained. In this particular case, there were people from 22 countries on the forum, including India, who agreed to pay the fee. In India, withdrawals were made from Mira Road, Pune, Kolhapur and Jaipur, among other places.
The officer added that the problem for them is to find out how many of these withdrawals were by people who genuinely went to withdraw money from ATMs during this period without being aware of the fraud. “People who may have come to these ATMs must have seen astronomical amounts as their balance, as the fraudsters had compromised the security system. Some of them may have also withdrawn more money seeing this. So currently, the process of finding people who made excessive withdrawals is under way,” the officer added.
In a digitally coordinated attack on the Pune-based bank, fraudsters illegally withdrew Rs 94 crore between August 11 and 13. The attack on the 112-year-old co-operative bank was coordinated in two parts: in the first part that took place on Saturday, debit card data was compromised and used on cloned cards while in the second part that took place on Monday, an international SWIFT transfer was made to a Hong Kong bank.