OKLAHOMA CITY – Two Hispanic men photographed breaking into automated teller machines in Chickasha and Moore and stealing $232,500, and photographed while attempting to do the same at an ATM in Norman, were indicted Tuesday by a federal grand jury here.
Arvest Bank told an FBI special agent that “organized thefts and attempted thefts” from ATMs occurred at not only their branch banks in Chickasha, Moore and Norman, but also at their branches in Lawton and Elgin.
Multiple law enforcement agencies are investigating “a series of coordinated automated teller machine ‘jackpotting’ incidents’ that occurred in the early hours of Jan. 19 and 20 and resulted in the theft of cash from four Arvest Bank ATMs in Oklahoma, FBI Special Agent Austin Saunders wrote in an affidavit.
The location of the fourth theft was not identified in the affidavit.
When asked for details about the incidents that Arvest reported at its Elgin and Lawton branches, U.S. Justice Department spokesman Adam Snider told Southwest Ledger, “I cannot expand beyond the public record, and I can neither confirm nor deny whether any investigation involving the Lawton and Elgin branch banks is underway.”
According to details provided by Arvest Bank, similar “jackpotting” incidents occurred on Jan. 19 and 20 at the bank’s branches in Arkansas and Kansas, too, Saunders wrote. Arvest Bank “reported a total loss of $505,600 from these incidents – with $423,600 of the losses occurring in Oklahoma.”
Arvest Bank, which is insured by the Federal Deposit Insurance Corporation, has more than 220 locations across four states, the company reported.
Ender Enrique Muñoz Perez, 29, and Angel Raphael Medina-Taguaripano, 27, were indicted in Oklahoma City on one charge of conspiracy to commit bank theft and two counts of bank theft. Both Venezuelan nationals remained incarcerated Friday. An interpreter has been retained in the case.
The grand jury alleges that Perez “and co-conspirators” went to the Arvest Bank in Chickasha, opened the “top hat” of the outdoor ATM, “tampered with the components inside,” and then “extracted … approximately $125,500” in cash from the machine.”
A security camera snapped photos of two suspects standing at the Chickasha ATM at 1:59 a.m. on Jan. 19; bandits tampering with the inside of the ATM at 3:13 a.m.; and a masked individual handling cash from the ATM at 3:42 a.m.
Security footage also snapped photos of two people tampering with the inside of the Arvest Bank ATM in Moore at 10:50 p.m. on Jan. 19 and extracting cash from the machine at 11:12 p.m. The indictment alleges Muñoz “and co-conspirators” stole approximately $107,000 during that heist.
Security footage from the Arvest Bank branch in Norman shows two individuals standing near the ATM at 2:51 a.m. on Jan. 20. “The suspects opened the top hood of the ATM and appeared to tamper with the components inside” at 2:53 a.m., Saunders wrote.
Norman Police were alerted and arrested three persons, the affidavit relates.
Ender Muñoz Perez was apprehended “while lying in the bushes” near the bank.
Medina-Taguaripano was arrested at 3:10 a.m. while sitting at a bus stop in front of the U.S. Post Office approximately 200 yards north of the Arvest Bank parking lot. “He told the officers he was waiting for his friend Ender Muñoz to come pick him up and take him to a house in Bethany,” Saunders reported. Medina-Taguaripano “stated he was from Colorado” and was carrying a Venezuelan ID when arrested.
Norman police “continued to patrol the area” and “spotted another male … in the area of the bank parking lot,” Saunders wrote. However, that person “ran through the Post Office,” jumped a fence and escaped.
Afterward, FBI agents interviewed an unidentified but “known” participant “in the criminal activity” described in Saunders’ affidavit. Medina-Taguaripano was identified as “being part of the group that traveled from Colorado to Oklahoma to conduct bank ATM thefts.” According to that source, Medina-Taguaripano “served as a lookout while others” committed the thefts.
‘Jackpotting’ defined The indictment describes jackpotting as “a type of cyberattack where criminals exploits vulnerabilities in automated teller machines of financial institutions by using malware to force the ATMs to dispense cash without debiting an account.”
Malware “refers to software programs designed to damage or do other unwanted actions on a computer system.”
Thieves “employ various techniques” in ATM jackpotting – such as “malware” jackpotting, “black box” jackpotting, and “direct memory access” attacks.
Regardless of the specific technique, it usually requires the criminals to gain physical access to the cash machine. “Using maintenance keys or brute force,” they “open the top portion – the ‘top hat’ – of the ATM, which gives them access to the ATM’s computer. They then connect a laptop or small computer directly to the ATM’s computer and inject malware into the computer.” The malware enables the bandits to “take control of the ATM and command it to dispense cash on demand.”
“A considerable amount of planning and preparation may go into this type of crime,” Saunders wrote, “since the threat actors must write and test the malicious software, load it onto a portable device that can be installed on the ATMs, and engage individuals to install the software to effect the theft.