Blog dedicated to reporting on Mexican drug cartels
on the border line between the US and Mexico

Sunday, December 30, 2018

This is the secret story of a hacker that was linked with the historic robbery of Mexican banking

LeChef Borderland Beat Forum---from El Financiero/Bloomberg

The cyberattack, told from very close up.
Antonio receives a call a month to do hacker "jobs". Two when there is a lot of 'chamba' (work), and very occasionally he has taken on three commitments. In his line of work, or at least in the riskier of the two he has, it is not a good idea to move around the network leaving frequent traces of his operations. Anonymity is his best ally, and discretion a tool almost as valuable as his ability to 'throw' portals, get into forbidden sites on the Internet and obtain personal data without people being aware of it.

For that reason, the call he received on April 16 seemed normal to him: a job that involved a large group of hackers, all willing to take part in a large project to 'give a reach' to the banks. It was very early in the morning, but the voice on the other end of the line sounded wide awake, confident and with an attractive message.

"Hi, how are you?" said a man calling from a number he did not have registered. "I speak on behalf of Daniel."

Among the sea of his acquaintances in the hacker world, Antonio knew a couple of people with that name, so he continued the conversation without any problem.

"I am aware that you know how the cards are worked," continued the voice on the other end of the line, using a code name that hackers use for bank cards. "Are you not interested in working with us?" Then he said something that was tattooed in Antonio's memory: "After this you will not have to work anymore in your life."

Of course, Antonio is not the real name of the person who provided all the information for this story; it was changed for security reasons. However, both his account and the documents he provided serve to shed light on the largest hacker attack in the history of the Mexican financial system.

According to Antonio, he agreed "out of mere curiosity" to get involved in the "project" that the man proposed. Throughout his career as a hacker he had understood that it was better to know what was happening in that world than not to know, even if from a distance or in a minor role.

The man told him about an operation that had been active for some time. Through a failure in one of the connection providers of several banks serving the Interbank Electronic Payment System (SPEI) of the Bank of Mexico (Banxico), several of his colleagues had managed to extract funds from specific accounts that had already been 'marked' by accomplices within the banks; that is, they already knew which accounts to focus on, what approximate amounts they held and where they should redirect the money. There was nothing random in the scheme and nothing was left to chance.

Before continuing, the man asked Antonio to demonstrate what he could do behind the keyboard. He wanted to make sure that he was working with a professional and not with some 'poser' or computer fraud. It was a normal test to establish the trust that is required among those who are about to cross the line of legality. Antonio had no problem. He had been doing important things for over a year and a half: serious hacking, moving money, cloning cards, extracting passwords, sending viruses through text messages and gifs on social networks.

Since he was a child he had liked computer science, and little by little he found his way into hacker forums on the network. At the beginning, he met several people who only downloaded software called "LOIC" and "HOIC", which are used to take down web pages and serve as a platform to generate a DoS (denial of service) attack, which disables the service functions of a system. Then, in specialized chats, he got closer to people who ran virtual casinos where they stole data and money from clueless players, as well as people who planned more serious hits.

"He made me look like a woman," Antonio said. "This attracted the attention of other people and I came to the rooms with information about real attacks, and from there I became a bastard."

In the new world he had just accessed, he came across databases of bank account holders, credit card PINs, security numbers, company payrolls, manuals for cloning credit and debit cards, and social engineering strategies to get people to hand over their data voluntarily. One of the most common schemes he started using at that time was to send a link via email or text message to open a Facebook video. It was an exact clone of the home screen of the social network that made people think they had to log in again to see the desired content. The victims entered their username and password and, when they hit 'enter', the page reloaded, the clone disappeared with the access information and people could enter the real Facebook site. At that point Antonio had everything he needed to see their profile.

Another way to cheat was through a 'gif', those micro-videos so popular on social networks that circulate in the millions every day. Antonio uploaded several of them to the network which, when clicked on, activated a program that recorded everything people typed on their phones for several days. This was especially the case every fortnight, when people carry out banking operations from their phones; in this way he obtained usernames, card numbers, passwords, security digits and other data that people normally guard closely.

Shortly after, Antonio moved up one more level in the world of banking fraud and met, on the network, accomplices who worked in bank branches.

"In strong cases with cards you always have to have someone inside," Antonio said. "The person inside provides the data for access, all the digits of the card, the PIN, the secret key, whatever it takes to make the move." When asked what he thinks about the banks' emphatic insistence that their employees are not complicit in such operations, the hacker simply clicked his tongue and continued with his story.

"Someone in the bank sells that information. I usually deal with ATMs. They sell the information to you in batches, in packages of 50 cards or 20," he explained. "The price depends on the type of cards, if Premier or Gold accounts come. There are packages of 20 thousand to 50 thousand pesos, but if more premium accounts come, the price can go to 80 thousand." A bank teller, on average, earns about 7 thousand pesos a month, according to sector data.

Sometimes, the accomplices in the banks only demanded in exchange that they be bought a flight with the cloned card or some electronic product in a department store. Others charged only 500 or a thousand pesos for the data of a single bank account.

When Antonio showed that he did have the necessary skills for the job, the man who evaluated him showed him information about some accounts that had been extracted through the SPEI and the amounts they were going to steal, and explained that several of those accounts belonged to people who had already passed away and left a lot of money in the bank.

Before finishing, the man asked Antonio to meet the following week with one of his partners, a woman who would give him even more details of what he would have to do, and then he repeated: "You will never go back to work after this."

Without knowing that the operation had been ongoing for several weeks, on Wednesday, April 25, Antonio went to a home in the west of Mexico City. The man who had contacted him introduced a woman only by her nickname. She was Mexican, young and knew a lot about finance. She spoke of banking operations, transfers and balances, and asked Antonio to help them verify that the accounts did have the money that some accomplices in the banks said they would find. Then he would have to extract the funds and 'pulverize' them, that is, distribute them in smaller amounts across several debit cards. The woman told him about exact amounts in specific accounts and explained that it should not be done any other way, to avoid triggering alerts in the banks.

"After he told me about the structure they had and I saw that this was big, I understood that they were going to use companies that they had created to deposit part of the money and I understood that the whole thing was very bastard," Antonio said. "Then they showed me the amounts of some of the accounts that I had to 'sell' and they told me I had six hours to split it in other accounts and that's when I backed out, it was not possible to do it without risk".

According to Antonio, he explained that he did not feel confident enough to carry out the operation and left the house without any problem. They only asked for discretion and absolute silence.

Two days later, everything burst.

The Mexican electronic payment system, which for years claimed to be armored against cyberattacks, was brought to its knees in record time.

The first warning signs began to appear on Friday, April 13, when the Kuspit brokerage house, which operates solely electronically, suffered the first attack on the systems that connect it to the SPEI. On April 17, the robbery culminated with around 3 million pesos taken from this institution, which forced it to close operations, telling its clients that it was in the process of improving its systems and without reporting what had really happened.

Banjército followed; it serves the armed forces and, given its size, receives the support of other financial institutions, such as sharing their ATMs. On approximately April 24, the hackers gained access to its connection to the SPEI and managed to take an amount similar to that of the brokerage house.

Two days later they started another attack, first on a small savings bank, which according to sources close to the facts the criminals used as a test to make sure everything went according to plan, and then continued with a major attack directed at Banorte on the afternoon and night of April 26.

One day later, on Friday, April 27, chaos broke out among customers of that bank, who did not receive their transfers after the bank was disconnected from the SPEI and sent to a contingency procedure called "SPEI Alternate Operation Client" (COAS). The lack of training of bank staff in that system made operations even slower, according to financial authorities.

During the attack on Banorte, which resulted in unrecognized transfers that up to that point were put at 145 million pesos, according to informed sources, the institution was warned by Banxico that something was happening in its connection, after a smaller bank reported that something was happening in the system and that fraudulent operations were coming from the largest Mexican financial institution in the country. Banorte's response was to maintain that it had no indication of the attack and that its connection provider to the SPEI had not reported any irregularities. After several deliberations and analysis, Banxico decided to send Banorte to COAS.

According to a financial authority with knowledge of the matter, part of the problem is that several affected institutions did not notify that they had had an attack that resulted in unauthorized transfers, as stipulated in the regulations, so they believe this could have been avoided if the established protocol. The banks have just signed a collaboration agreement with the PGR and agreed to the creation of the Information Security Incident Response Group (GRI).

That same Friday, some directors of the main banks of the country acknowledged that they were alerted in the early morning about the attack and "that they had beaten Banorte". The next day, the financial authorities held an emergency meeting where they recognized the seriousness of the situation, without taking more concrete or direct measures to address the matter. In fact, it was believed that the worst was over, despite the fact that none of the affected banks had managed to identify the "hole" through which the hackers entered their systems. Days later, the criminals stole around 150 million pesos from Inbursa, owned by the Slim family, and a question began to take hold: Where did the money go?

There is a store owner in the east of Mexico City who knows the answer. She calls herself Leticia, and in the first days of April she was contacted by one of her suppliers to see if she was interested in making money by doing him a favor. "He tells me that they are like 20 thousand pesos that they would give me just to make a withdrawal from my account, that they would deposit me money from one of their relatives but since he could not withdraw it, I had to do it," she noted in an interview. "Money that easy, who does not?"

A week went by without her supplier mentioning the deposit and she did not insist on the matter. Finally, on Friday, April 27, she received a call from him indicating that the money was already in her account and that in two hours he would come by to take her to make the withdrawal. She left the store in the charge of her son, and on the way to the branch she asked how much she had to withdraw at the cashier.

"He laughed and said: 'No, ma'am, at the cashier no, you have to go to the window to get more, they are like 70 thousand pesos,'" Leticia said. "At that moment the truth gave me nerve, not because I did not know where the money was from, that was their business, but you can see how the assaults are going."

Leticia had no problem getting the money; the operation took a little longer because they had to count the cash. When she got it, she put it in her bag and went out to meet her unexpected partner.

"We got in the car and we started fast, it was fast," she said. "Once we arrived at the store he counted the money, separated some bills and gave them to me."

They were not the promised 20 thousand pesos; they were only 6 thousand, in 200 and 500 bills. Leticia felt disappointed but did not want to complain: it was money for which she had only had to go to the bank and make a withdrawal; it was free money, according to her. Even so, she kindly asked her supplier for the rest of the money and he replied that he had not received the full transfer, but then compensated for it with something else.

Leticia heard about the hacking days later on television and became very nervous when she read on Facebook that 'the government' had already identified the accounts from which the robberies were made. She has asked friends if she should say something, but everyone has suggested silence: if she does not 'move' anything, surely nothing will happen. In any case, she is uneasy about what might happen to her in the following days.

Even so, her supplier recently told her that more transfers could come in and a higher percentage could be taken. Leticia told him she was going to think about it.


  1. Leticia is going down.

  2. It’s a cyber criminal. Things get too hot I would out him for my own protection. She’s stuck getting a pistol on the black market. Lesson learned.

