Menu
Browse

Cyber Threat Actor: Silence Group

Aliases: 2 aliases
Actor Type Location Known Incidents
 Icon
Criminal
Russia
3 incidents
Profile

Silence Group, also tracked as Silence, is a financially motivated threat actor that has been active since at least 2016 and is believed to operate from Russia. The group is described by security researchers as consisting of a core of two Russian‑speaking individuals who possess legitimate white‑hat security expertise. Its aliases appear in multiple public reports linking it to a series of ATM‑focused bank heists. The actor’s primary objective is monetary gain, and it has demonstrated a willingness to move beyond its original Russian targets to other jurisdictions.

Silence has principally targeted financial institutions, with a clear focus on banks that operate ATM networks. Early activity involved attempts against the Russian Central Bank’s Automated Workstation Client, while later operations shifted to Bangladeshi banks in mid‑2019. In those incidents the group compromised three private banks—Dutch Bangla Bank Limited, NCC Bank and Prime Bank—using prolonged network access to gather information before executing fraudulent cash withdrawals. The attacks resulted in the theft of several million dollars, with Ukrainian nationals recruited as money mules to physically collect the dispensed cash.

The group’s toolkit includes families such as Silence.Downloader (also known as TrueBot), Silence.MainModule and Silence.ProxyBot, which are used to establish persistence, execute remote commands and relay traffic through compromised hosts. Access to victim environments is maintained for weeks or months, as evidenced by connections to a command‑and‑control server at 103.11.138.198 dating back to February 2019. Silence has employed two main techniques for ATM jackpotting: installing the Atmosphere toolkit on the bank’s ATM network to send cash‑dispensing commands, or manipulating transaction limits within the card‑processing system to allow unauthorized withdrawals. These methods are consistent with the actor’s prior tactics observed in Russian‑based operations.

The most publicly cited campaign attributed to Silence occurred in May 2019 against Bangladeshi banks, where the actor stole at least three million dollars through remote‑controlled ATM cashouts. Video evidence showed a Ukrainian money mule withdrawing funds after speaking with an unseen operator, indicating real‑time command of the machines. Following the cashouts, several Ukrainian nationals were arrested in connection with the theft, linking the mule crew to the broader operation. The incident marked the group’s first confirmed expansion beyond Russia and demonstrated its ability to conduct cross‑border financial theft using a combination of malware, long‑term network presence and local cash‑out teams.

Incidents
Attributed incidents available to members
3 incidents
Sources
Sources available to members
1 source