Inside the Global Banking E-Heist

Cybercriminals infiltrate financial networks, putting U.S. banks at risk
July 8, 2016 Updated: July 8, 2016

UniTeller is a financial services company that specializes in making international money transfers, servicing a network of some 87 banks and 32,000 payment locations worldwide. According to an expert in cybersecurity, those banks have potentially been compromised by hackers who have breached UniTeller’s network.

Edward Alexander is a cybersecurity expert who tracks and sometimes prevents digital crime. He has a team of more than 200 digital investigators working specifically on the cases related to the UniTeller breach. Their beat is the darknet, a large segment of the internet only accessible with special software and often used by criminal groups to conspire and sell illicit goods and services.

In 2015, Alexander’s team learned that hackers employed by the Chinese regime had begun penetrating the world’s financial systems as early as 2006.

Also in 2015, after having gained high-level access they used to map and mirror the world’s financial system for their official employers, these hackers sought to monetize the information they had gained through private transactions.

They sold information on UniTeller’s system, and on Banorte, Mexico’s third-largest bank and owner of UniTeller, to a group of international cybercriminals. The world learned of this when the central bank of Bangladesh revealed hackers had stolen $81 million from it. Now, according to Alexander, this same group is changing its tactics while looking to enlarge its operations.

Alexander knows what the criminal group is doing, because his operatives befriended some of its members and gained their trust to such a degree that they chatted about and shared proof of their crimes. This is what Alexander calls “offensive counter-intelligence.”

His people learn how to penetrate criminal networks and bring back intelligence that can be used to stop those networks. Banks and other institutions often pay well for such information.

Included in the evidence Alexander obtained is a series of screenshots that show the hackers stealing money by way of the UniTeller system.

Prolonged Bank Robbery

The Fifth Third Bank building in Cincinnati in this file photo. (AP Photo/Al Behrman)

Among the screenshots are some showing the cybercriminals changing the daily spending limits on credit cards, and accessing transactions of prepaid uLink MasterCards issued for UniTeller customers through Fifth Third Bank in Cincinnati.

“In theory, rather than make it look like a large $81 million heist, it could be that they can try to nickel and dime the accounts using smaller amounts,” said Alexander.

Stolen credit cards and debit cards are commonly sold in bulk on darknet cybercrime markets in what people call “dumps” or “dumpz.” Criminals who purchase them will often use their information to make fake cards, which they then use to make purchases.

A screenshot of a cyberattack shows hackers with the ability to alter credit limits on credit cards and debit cards. (Courtesy of Edward Alexander)

He noted the cybercriminals may also be testing the networks before launching a larger attack. While the criminal group has the tools it needs to access UniTeller’s system, they need time, Alexander said, to learn how to exploit the breach.

Alexander said the hackers have “traversed into the networks” of banks connected to UniTeller, and have begun launching additional attacks to gain deeper access to the connected banks.


When Alexander saw the attacks begin, he alerted U.S. federal law enforcement and made numerous attempts to alert the financial institutions the hackers had breached.

On May 27, Alexander alerted UniTeller and four days later sent a follow-up message on LinkedIn to UniTeller CEO Alberto Guerra. In response, Alexander said, Guerra blocked Alexander from sending him additional messages on LinkedIn.

“We have attempted to contact the victim banks to offer our support and intelligence. However, the response received from Fifth Third, UniTeller, and Banorte seems to be the standard response worldwide—denial and hope the alert is not valid,” he said.

The head of a leading cybersecurity intelligence firm had also contacted some of the financial institutions and warned of the breach. The firm received the same responses. The individual requested to remain anonymous due to his company’s ongoing investigation into the attacks.

UniTeller did not respond to two emails from Epoch Times seeking confirmation, and Banorte did not respond to two emails, a phone call, and a voice message.

Alexander attempted to alert Fifth Third Bank of the attacks, only to receive an email stating that the bank had not been breached and declining his help.

Larry Magnesen, spokesperson for Fifth Third Bank, told Epoch Times, “Our team has, with due diligence, evaluated the claim, and there is no reason to be concerned here with respect to Fifth Third Bank.”

Alexander notes that Fifth Third Bank’s system has likely not been directly hacked, but has been compromised due to its connection to the UniTeller network.

A Quiet Response

While UniTeller did not respond to Alexander and made no public announcement of the breach, it appears that it did take the warnings seriously.

Around June 1, UniTeller’s online services for customers to log in to their accounts and create new accounts were taken offline. As of July 7, the login page was still offline.

According to James Scott, senior fellow at the Institute for Critical Infrastructure Technology (ICIT), the three business days UniTeller had following the initial alert from Alexander on May 27 (which was given ahead of the Memorial Day weekend) would likely have been “enough time to freeze ongoing transactions and prepare the system for ‘offline maintenance.’”

Scott said in an email that if UniTeller was breached, its system administrators “may have had mirrors of backups of the system, that were updated hourly or daily.” He added that most financial institutions keep backups for “redundancy,” for “persistent up time during maintenance,” and in different locations “in case of natural disasters.”

“However, if the vulnerability lies within the system itself,” he said, “then the mirrors or backups will exhibit the same vulnerability because they are essentially clones of the system.”

After freezing or halting transactions, as in the case of UniTeller taking its login systems offline, Scott said incident responders “could disconnect the system from the internet to block inbound connections and make a live copy of the system to conduct forensics on.”

He noted that “proper incident responders never operate on the system itself,” and always use a mirror or live copy; and noted that taking a network offline for a month in the case of an attack “does not seem that unreasonable if the vulnerability lies in the system itself, or if the incident response team could not ascertain what was wrong. Figure, the IRS GetTranscript tool was offline around a year.”

After the UniTeller service had been down for 19 days, on June 20, Alexander called UniTeller’s toll-free customer service number to ask why the service was offline. He was told in the recorded call that “the site is undergoing maintenance.”

Meanwhile, Alexander’s darknet investigations showed that while UniTeller was likely trying to fix the breach, the hackers were still very much active.

Inside the Attacks

The gang member befriended by Alexander’s operatives provided many screenshots showing names of individuals, names of banks, and money transfers. Alexander said the screenshots show the criminals in the process of launching their attacks against UniTeller.

Scott took time to corroborate the claims, and said the content of the screenshots aligns with Alexander’s analysis of their contents. He noted that while it would be possible to spoof images such as these, it wouldn’t be something an individual could do on short notice. The images also demonstrate an accurate picture of databases that a financial institution would likely have.

A screenshot of a cyberattack shows transactions being made. (Courtesy of Edward Alexander; this image has been edited by Epoch Times to hide sensitive information)

The above screenshot shows transactions remitted from a sender’s third-party bank connected to UniTeller’s network, then credited to a uLink MasterCard account at Fifth Third Bank, and finally converted to the uLink cardholder’s native currency, according to Alexander. The screenshot also identifies the names of account holders and the amount of money being transferred.

Alexander said the money is being sent through the UniTeller network to Fifth Third Bank to transfer funds to the loadable uLink MasterCard. He said the number sets in the center-left column appear to be money being sent in foreign currency from the United States, to the uLink cardholders in their respective country.

“These can very well be multiple transactions that are occurring,” he said, noting the member of the gang who took the screenshot did not specify on this particular screenshot.

He pointed out the word “remittance” at the top of the center-right column, and noted “When you see the word ‘remittance’ that is a money transfer.”

Scott said that while it’s difficult to make a definite conclusion of what the image shows, without having a full picture of the system, “the basic statements are correct, at least,” and said that the image showing multiple transactions “is definitely correct” and that remittance transfers are also taking place.

A screenshot from a cyberattack shows files relating to UniTeller, Fifth Third Bank, and uLink cards. (Courtesy of Edward Alexander)

For the above screenshot, Alexander pointed out the “May 25” date without a year, and noted that the system won’t give the year if it’s the current year, and so this gives a timestamp on the file.

He pointed out the third line down “FifthThird-UTLR,” which refers to Fifth Third Bank and UniTeller. On the fourth line down, the “From53rd” in “TEST-ACKFileFrom53rd” suggests it was a transmission from Fifth Third Bank to UniTeller, which further suggests the hackers have access between UniTeller’s compromised network and Fifth Third Bank. Finally, he pointed to the name “uLink” in the lower-right corner, and noted it refers to the uLink prepaid MasterCard.

“That is showing there is clearly admin access to where those files are,” he said, adding that it’s possible the files contain wire transfer credentials but the gang member did not specify.

Scott said at the very least, the image shows the hackers have a level of access to the system that allows them to read, write, and execute files on the system.

A screenshot from a cyberattack shows payments being made. (Courtesy of Edward Alexander)

The above screenshot shows ACH payments being made on a breached bank network. ACH stands for Automated Clearing House. An example would be a bank account set to automatically pay a cellphone bill.

“Each one of those are payment transactions, when you see the ACH in there,” Alexander said, noting the screenshot shows payments being made at set times.

“That shows they have access to transactions,” he said. “Those were all ACH text files. They could easily open any of those files to see the types of transactions and leverage that type of information.”

He pointed out the center-left column, which states “swadmin staff,” and noted it shows the gang member with administrator-level access to the system.

Scott said the image shows the hackers have the ability to read files shown on the page, but wouldn’t be able to alter the files. He noted, “if they’re trying to steal files, that’s all they actually need.” He also pointed out that the word “staff” next to “swadmin” shows the system is recognizing the account as legitimate.

A screenshot from a cyberattack shows login credentials. (Courtesy of Edward Alexander; this image has been edited to remove sensitive information)

The above screenshot shows login credentials to UniTeller networks, and Alexander pointed out the mention of “api” in the screenshot.

An API, or “application program interface,” allows applications to communicate with each other. It could, for example, allow a computer to access a database or respond to calls from another system.

“It’s another vector, and the fact that it’s there, we know UniTeller is compromised and UniTeller’s API sends and receives calls from others that are connected to it,” Alexander said.

“How all these banks connect to UniTeller is through the API,” he said, noting this could be how hackers are gaining access to bank systems connected to UniTeller.

Scott noted that the page shows website links to IDology’s IDCenter, which is a login portal for companies, and that the hackers may have been running attacks to gain a set of user credentials for the portal.

A screenshot of a cyberattack shows files the hackers have access to. (Courtesy of Edward Alexander)

Of this screenshot, Alexander said, “We’re seeing root access the second line down, but what’s really interesting is the names of the files.”

He pointed out the bottom name, which states “Internet User,” and noted it’s a “user credentials excel sheet” which could give the hackers a list of user credentials.

He also noted the line near the center, which states “CC_DC_Limits_mobetize.sql,” and said it ties to the gang member’s claims that the cybercriminals were able to change daily spending limits on credit cards, and access payments for uLink prepaid MasterCard. He noted that “CC” stands for “credit card” and “DC” stands for “debit card.”

Alexander pointed out other files listed in the screenshot, which suggest the gang member had also gained access to transactions, storage, the encryptions utility, and the FTP file root.

Scott noted the image shows the hackers have the ability to read, write, and execute files on the FTP system, which would allow them to transfer information to and from the system. He said using the FTP “is a common way to exfiltrate data”—to download data from the system.

Alexander took a step back to reflect on the implications of the UniTeller breach. “This is impacting everybody that has to do with banking, and that’s pretty much everybody.”

Follow Joshua on Twitter: @JoshJPhilipp