An international arrest warrant has been issued against a Russian national suspected of being part of a criminal gang that stole 12 million baht (£260,000, $350,000) earlier this month from malware-ridden cash machines owned by Thailand's Government Savings Bank (GSB).
A senior investigator with the Thai police force, Panya Mamen, named 29-year-old Rustam Shambasov as the key suspect in the ongoing probe. Law enforcement said he was caught on CCTV cameras visiting 13 ATMs in separate locations in July, including Bangkok and Phuket.
According to Mamen, as reported by the Bangkok Post, Shambasov's identity was confirmed by a photocopy of his passport that was used to rent a Toyota Fortuner before the series of hacks took place. It is believed that at least seven other "Eastern European" suspects were also involved.
The police investigator also said immigration records showed that Shambasov arrived in Thailand on 14 July and boarded a flight to Moscow on 1 August, a timescale that matches previous statements from the impacted banks.
On 23 August, officials at GSB made the decision to shut down roughly 3,000 of its 7,000 NCR-brand cash machines after a police probe indicated they were likely compromised by hackers the month before. At the time, as previously reported, the bank found that over 20 ATMs were infected with malware.
However, mounting evidence suggests this was only one part of a much larger scheme. Prior to the GSB incident, the top eight banks in Taiwan were forced to cease trading on "hundreds" of cash machines after an orchestrated attack on 9-10 July used malware to steal NT$70m ($2.17m, £1.64m, €1.9m) from the First Commercial Bank.
Police have said these ATM malware heists are related. "As of now the evidence we have found makes us confident that this group is linked to the gang who committed a similar robbery in Taiwan," Mamen said. "Investigators believe their identity is Eastern European, though we are investigating whether any Thais were involved."
Meanwhile, cybersecurity experts at FireEye claim to have discovered the strain of malware, dubbed Ripper, that is being used in the attacks across Southeast Asia. Daniel Regalado, a researcher at the US-based firm, said: "We've identified a family of malware that may have been used in recent ATM robberies and which bears some similarities to known families of malware.
"This malware family can be used to compromise multiple vendor platforms and leverages uncommon technology to access physical devices. In addition to requiring technical sophistication, attacks such as that affecting the ATMs in Thailand require coordination of both the virtual and the physical. This speaks to the formidable nature of the thieves."