Cyber Incident Victim: Banco Santander
Date: Aug 2020
Location: United States of America
Summary
Criminal gangs exploited a software glitch in Santander ATMs to withdraw funds exceeding card balances using fake or preloaded debit cards. The glitch details circulated privately among fraud groups before leaking broadly on social platforms, triggering widespread unauthorized cash-outs across multiple regions. Law enforcement arrested numerous suspects linked to coordinated attacks, while one gang incident escalated into internal violence during a dispute over stolen money. The bank temporarily disabled all ATMs to contain the exploitation, later restoring limited access exclusively for customers while confirming no compromise of account data or legitimate funds. Operations gradually normalized as authorities continued investigations into the coordinated fraud campaigns.
Description
In mid-August 2020, Santander Bank experienced a coordinated ATM cash-out attack exploiting a software vulnerability in its automated teller machines. Criminal gangs discovered a glitch that allowed them to withdraw funds exceeding the balances stored on either counterfeit debit cards or legitimate preloaded cards. Details of this software flaw initially circulated privately among ATM fraud groups before leaking broadly onto social media platforms, including Telegram and Instagram, earlier that week. The uncontrolled dissemination triggered widespread exploitation by multiple criminal organizations, leading to a surge in fraudulent withdrawals across Santander’s ATM network. Incidents were reported in numerous locations, including Hamilton (20 suspects arrested), Morris County towns (19 arrests), Sayreville (11 arrests), and smaller groups in Bloomfield, Robbinsville, Holmdel, Woodbridge, Middlesex County, Boonton, Randolph, Montville, South Windsor, Hoboken, Newark, and Brooklyn, New York. The rapid escalation prompted bank employees to investigate irregularities, revealing the scale of the exploitation.

Santander responded by temporarily shutting down all ATMs on Tuesday, August 18, to contain further losses. By August 19, ATMs were restored but restricted to Santander customers only, with plans to reopen access to non-customers later. The bank confirmed no customer accounts, data, or funds were compromised during the incident. Law enforcement agencies, including the FBI and local police across the tri-state area, arrested dozens of suspects linked to multiple criminal groups. One violent incident occurred when gang members argued over stolen money distribution, resulting in a shoot-out after cashing out an ATM, though no bank employees were harmed. Santander cooperated with ongoing law enforcement investigations while assuring customers of system integrity and operational recovery. The incident highlighted vulnerabilities in ATM software controls and the rapid proliferation of exploit techniques through social media channels.
