
Cosmos Bank — FASTCash ATM cashout

Lazarus compromised Cosmos Bank's ATM payment switch and co-ordinated 14,000 simultaneous withdrawals across 28 countries, stealing $13.5M in 13 hours — the canonical FASTCash demonstration.

Target
Cosmos Bank — FASTCash ATM cashout
Date public
11 August 2018
Sector
Financial Services
Attack type
Nation State
Threat actor
Lazarus Group (DPRK)
Severity
High
Region
India / 28 countries via mule withdrawals

Cosmos Bank is one of India's oldest co-operative banks, based in Pune. On the weekend of 11–13 August 2018 it was robbed by North Korean hackers in a highly co-ordinated operation that spanned 28 countries and finished within hours. The attackers had previously broken into the bank's internal systems and compromised the software switch that authorises ATM transactions. On Saturday 11 August, at a pre-arranged time, mule operators in 28 countries each walked to an ATM with a Cosmos Bank debit card. The switch, now under attacker control, approved every transaction without checking whether the money was actually in any account. In roughly 13 hours, 14,000 fraudulent withdrawals took place, draining 805 million rupees — about $11.5 million. Two days later, a single fraudulent SWIFT transfer moved another $2 million to a company in Hong Kong. Total theft: approximately $13.5 million. US and Indian investigators attributed the operation to Lazarus Group, the same North Korean state-sponsored hacking organisation behind the Bangladesh Bank SWIFT heist and the Banco de Chile attack. Cosmos Bank is the definitive example of "FASTCash" — the name US Cyber Command gave to this specific Lazarus ATM cashout technique when it published technical analysis in 2018.

What happened

On 11 August 2018 a co-ordinated cashout operation targeted Cosmos Bank, a co-operative bank headquartered in Pune, India. Beginning at approximately 3:00 PM IST, mule networks across 28 countries — including the United States, Canada, Hong Kong, India, China, Turkey, and others across Asia, Europe, and Africa — began simultaneously withdrawing cash from ATMs using Cosmos Bank-issued debit cards. The transactions were processed and approved, but not against actual account balances: the attackers had pre-compromised Cosmos Bank’s ATM payment switch and configured it to approve withdrawals without verifying them against the core banking ledger.

Over approximately 13 hours, approximately 14,000 fraudulent transactions totalling 805 million Indian rupees (approximately $11.5 million) were completed across Visa-network Cosmos Bank cards. The Visa transaction channel was apparently compromised separately from the RuPay domestic card network, which was not affected. On 13 August — two days after the ATM cashout — the attackers submitted a single fraudulent SWIFT transfer of approximately $2 million from Cosmos Bank to ALM Trading Limited’s account at Hang Seng Bank in Hong Kong, using a payment method similar to the Bangladesh Bank and Banco de Chile operations.

Total theft: approximately 940 million rupees ($13.5 million). Cosmos Bank confirmed the amounts publicly and reported the incident to Indian authorities; a criminal investigation was opened. US-CERT published a detailed technical advisory in October 2018 attributing the operation to Lazarus Group and formally naming the technique “FASTCash.”

How it worked

The FASTCash technique, as documented by US-CERT and Symantec following analysis of the Cosmos Bank and related operations, involves the compromise of a bank’s ATM payment switch — the internal system responsible for routing ATM authorisation requests between the ATM network and the bank’s core banking platform.

Lazarus operators first gained persistent access to Cosmos Bank’s internal network through undisclosed initial-access methods, likely involving phishing or vulnerability exploitation. Over an extended reconnaissance period, they identified and compromised the servers running the bank’s ATM switch — either the switch itself or a system with sufficient privilege to manipulate the switch’s authorisation responses.

The modification to the switch was specific: when an ATM authorisation request for a Cosmos Bank-issued card arrived, the compromised switch would return an approval response without consulting the core banking system or checking the actual account balance. The card itself could be any Cosmos Bank-formatted card — the switch would approve any withdrawal request during the attack window regardless of account state. The mule operators’ cards did not need to have any specific balance; they just needed to be valid Cosmos Bank cards in the correct format.

The co-ordination required for a 28-country simultaneous cashout is logistically sophisticated. The mule network — criminal operators at ATMs across dozens of countries, each ready to act at a specified time — had to be recruited, equipped with cards, and co-ordinated without compromising operational security. This scale of mule co-ordination is characteristic of nation-state operations; a criminal group operating purely for profit would have difficulty maintaining operational security across this many participants in this many jurisdictions.

The follow-on SWIFT transfer two days later, routing $2 million through the same Hong Kong correspondent-bank network used in other Lazarus operations, suggests a single operational team handling both the ATM cashout and the SWIFT fraud components.

Timeline

  • Weeks to months before 11 August 2018 — Lazarus operators compromise Cosmos Bank’s internal network; identify and compromise ATM payment switch; recruit and position mule networks across 28 countries; distribute pre-loaded debit cards.
  • 11 August 2018, ~15:00 IST — Co-ordinated ATM cashout begins across 28 countries; Cosmos Bank’s compromised switch approves all withdrawals regardless of account balance.
  • 12 August 2018, ~04:00 IST — ATM cashout operation concludes after roughly 13 hours; approximately 14,000 transactions, 805 million rupees ($11.5 million) withdrawn.
  • 13 August 2018 — Single SWIFT transfer of approximately $2 million submitted from Cosmos Bank to ALM Trading Limited, Hang Seng Bank, Hong Kong.
  • August 2018 — Cosmos Bank discloses the attack publicly; criminal complaint filed with Pune cyber police.
  • October 2018 — US-CERT publishes detailed FASTCash advisory attributing the technique to Lazarus Group; multiple additional FASTCash victims in Africa and Asia identified.
  • 2019 onwards — FASTCash operations continue against banks in Africa, South and Southeast Asia, and Latin America; US Treasury sanctions Lazarus-linked entities.

What defenders should learn

The Cosmos Bank incident is the operational demonstration of a threat that is now documented, attributed, and repeating. The US-CERT FASTCash advisory published in October 2018 described the specific technique — ATM switch compromise to enable fraudulent authorisation responses — and named Lazarus Group as the operator. Every bank in the regions that Lazarus targets has had access to that advisory for years. The relevant question for a bank’s board and security team is not “could this happen to us” but “have we specifically assessed and addressed the FASTCash threat model against our payment switch infrastructure?”

The payment switch is the single most critical control point for ATM fraud at this scale. A compromised switch that approves authorisation requests without verification can produce unlimited fraudulent withdrawals bounded only by the physical capacity of the mule network and the cash in ATMs. The security requirements for payment switch systems should reflect this: network isolation from general corporate infrastructure, access limited to a minimal set of identified users, integrity monitoring on the switch software to detect unauthorised modifications, and anomaly detection on authorisation-response patterns that would flag a sudden shift to uniform approval responses.

Real-time monitoring of ATM transaction velocity and authorisation patterns is the operational detection control. A transition from a normal baseline of mixed approvals and declines to a near-100% approval rate — especially occurring simultaneously across multiple card accounts — is a detectable anomaly. Banks with real-time velocity monitoring on their ATM switches can identify a FASTCash operation within minutes and initiate emergency blocking. The 13-hour window at Cosmos Bank suggests that either this monitoring was absent or its alert thresholds were not calibrated to detect the pattern.
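As an added illustration of the switch-side anomaly detection and velocity monitoring described in the two paragraphs above (example code written for this page, not tooling from Cosmos Bank, US-CERT or any vendor): it parses constructed switch log lines and reports the first sliding window in which the approval rate, the number of distinct cards and the spread of acquirer countries all jump together. The thresholds are placeholders; a bank would calibrate them from its own historical mix of approvals and declines.

```python
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class AuthEvent:
    ts: datetime
    card: str       # constructed card token, never a real PAN
    country: str    # acquirer country of the ATM that sent the request
    approved: bool  # True when the switch returned response code 00

def parse_auth_line(line: str) -> AuthEvent:
    """Parse one constructed switch log line: '<iso-ts>|<card-token>|<country>|<rc>'."""
    ts, card, country, rc = line.strip().split("|")
    return AuthEvent(datetime.fromisoformat(ts), card, country, rc == "00")

def detect_cashout(events, window=timedelta(minutes=10), max_rate=0.90,
                   min_auths=20, min_cards=10, min_countries=3):
    """Slide a time window over authorisations in time order and return the first
    window whose approval rate, distinct-card count and country spread all exceed
    the thresholds. max_rate is an assumed placeholder, not a published figure."""
    win = deque()
    for ev in sorted(events, key=lambda e: e.ts):
        win.append(ev)
        while ev.ts - win[0].ts > window:   # drop events older than the window
            win.popleft()
        if len(win) < min_auths:            # too little traffic to judge a rate
            continue
        rate = sum(e.approved for e in win) / len(win)
        cards = {e.card for e in win}
        countries = {e.country for e in win}
        if rate > max_rate and len(cards) >= min_cards and len(countries) >= min_countries:
            return {"start": win[0].ts, "end": ev.ts, "approval_rate": round(rate, 2),
                    "cards": len(cards), "countries": len(countries)}
    return None

def constructed_log():
    """Constructed log: an hour of ordinary traffic, then a simultaneous cashout."""
    t0 = datetime(2018, 8, 11, 14, 0)
    lines = []
    for i in range(30):   # normal: few cards, one country, declines mixed in
        rc = "51" if i % 4 == 0 else "00"   # 51 = insufficient funds
        lines.append(f"{(t0 + timedelta(minutes=2 * i)).isoformat()}|card{i % 5}|IN|{rc}")
    t1 = datetime(2018, 8, 11, 15, 0)
    countries = ["US", "CA", "HK", "IN", "CN", "TR"]
    for i in range(40):   # cashout: many cards, many countries, every request approved
        lines.append(f"{(t1 + timedelta(seconds=5 * i)).isoformat()}|mule{i}|{countries[i % 6]}|00")
    return lines

if __name__ == "__main__":
    print(detect_cashout([parse_auth_line(l) for l in constructed_log()]))
```

The same three signals (approval rate, distinct cards, country spread) are what the page's "sudden shift to uniform approval responses" looks like in switch telemetry; a single high-rate window from one card in one country would not trip the rule.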

The mule network logistics are worth noting for cross-sector awareness. The co-ordination infrastructure required to execute a simultaneous 28-country cashout — recruitment, card distribution, timing, communications security — represents an investment by the threat actor that is not repeated for low-value targets. Banks in the size range of Cosmos Bank are not, intuitively, the highest-value targets. But FASTCash is specifically designed to target smaller institutions with weaker controls, precisely because they are less likely to have the monitoring and response capabilities of a tier-one bank. The attack surface for this technique is the entire banking system, not just the largest institutions.

Controls that would have helped

Defender controls catalogued in the Controls Desk that would have changed the outcome of this incident, or limited its blast radius. Sourced from regulator and framework guidance — never vendors.

Sources
