Ukrainian Criminal Group Breaches Armenian Bank's Server, Stealing Approximately 128 Million AMD

The investigation into a case involving a stable organized criminal group comprised of foreigners, which committed large-scale theft using computer technology, has concluded in the Cybercrime and High Technology Crimes Investigation Department of the RA Investigative Committee. This case, initiated in 2016 at the Investigative Department of the National Security Service of the Republic of Armenia and later transferred to the RA Investigative Committee, has seen extensive investigative operations. Significant circumstances of the case, including the identities of five group members, the mechanism of theft, and the amount stolen, have been established.

Specifically, on October 25, 2016, one of the Armenian banks reported to the National Security Service concerning the theft of large sums of money from its ATMs. During the criminal proceedings initiated on this basis, it was revealed that three citizens of Ukraine had formed a stable organized criminal group with the intent to steal the bank's money and launder the illegally obtained assets. They clearly distributed roles among group members and meticulously planned the crime.

Accordingly, an unidentified individual acted under a false name in the VIBER software network, responsible for coordinating and leading the criminal activities, while the other two members were tasked with executing those activities and exporting the loot from Armenia.

They unlawfully breached the protective system of the banking computer network, illegally gained access to a relevant employee’s username and password, infiltrated another employee’s work computer, and after performing certain actions, downloaded a remote access program, managing to infect the server controlling the bank's ATMs with a Trojan-type malware.

Days later, two group members arrived in Armenia from Kyiv, while their accomplice, through the downloaded program, connected to the server. Using a series of commands under a fake username, he infiltrated the malware-infected server controlling the company’s ATMs, causing disruptions in their operation.

As a result, on October 22-23, 2016, due to the disruption of ATM operations, the group illegally withdrew and stole a total of 112,521,000 AMD from the keypads of 16 ATMs installed at various locations in Yerevan by collecting specific passwords.

Subsequently, to convert the stolen money into foreign currency, thereby disguising its criminal origin, and to facilitate the transfer of the specified amount to Ukraine through electronic payment systems, the criminal contacted an individual from Yerevan engaged in converting AMD to electronic currencies. According to their agreement, the resident of Yerevan received 92,840,000 AMD in cash from the group members, much of which was converted into US dollars through acquaintances, while a smaller portion was converted into Bitcoin and AdvCash, which was then transferred to accounts provided by the unidentified individual through electronic payment systems on various days of October 2016. The aforementioned group members, after receiving the converted cash in US dollars, left Armenia.

An additional citizen of Ukraine, a 33-year-old man, and an acquaintance learned from one of the group members that they could make money in Armenia by withdrawing money from ATMs electronically. They arrived in Armenia for this purpose, received the necessary ATM addresses from the group member, and took advantage of the disruption caused by the malware to steal a significant amount of 16,070,000 AMD from three ATMs located at different addresses in Yerevan without entering any data.

As a result of necessary measures taken, the 33-year-old Ukrainian man was located and presented to the prosecuting body. He has been charged under the third part of Article 257, Point 3 of the Criminal Code of the Republic of Armenia. As a preventative measure, detention was chosen, later replaced by a prohibition on leaving the country and bail.

His case has been separated for independent investigation, the completion of which has been communicated, and the materials of the case, along with the accusatory conclusion, were forwarded to the supervising prosecutor for confirmation and submission to court. The investigation continues concerning the other members of the group, who have been placed on an international wanted list. Measures are underway to locate them and ensure the recovery of damages inflicted upon the bank.

Notice: A person accused of a crime is considered innocent until proven guilty by a legally binding court decision in accordance with the Criminal Procedure Code of the Republic of Armenia.