Texas ATMs hacked in a sophisticated ‘jackpotting’ theft plot with links to Russia

In a first-of-its-kind case in Harris County, nearly a quarter of a million dollars vanished from ATMs in just four days, and investigators have now tied the extraordinary hacking to an organized group with Russian ties.

This heist, known as “jackpotting,” presents a new difficulty for Harris County’s financial crime investigators.

“There’s other types of theft from ATMs that happens, but nothing like this,” Houston Police Department Detective Roger Collins said. He’s assigned to the U.S. Secret Service Cyber Fraud Task Force and has been unraveling the complex case for months. “It was never something that could be done remotely.”

According to data supplied exclusively to KPRC 2, the organization targeted over 70 ATMs in Texas, including Houston, Dallas, Austin, and San Antonio.

The first reports of this form of “jackpotting” surfaced in the Houston area last September, when 51 ATMs were hit in a couple of hours and more than $150,000 was stolen.

The owners of these machines, which are commonly found in small businesses such as gas stations and hotels, are the ones who bear the losses, because the stolen funds are not deducted from any bank account.

Surveillance photographs provided exclusively to KPRC 2 show suspects driving rental cars in some cases and staring closely at their cell phones while at cash machines.

Det. Collins said they only need a receipt, which they may find in nearby trash or by retrieving a balance. They then take a picture of the receipt and give it to someone else, who detectives believe is overseas, thereby commencing the hack.

This enables them to remotely manage the ATM, deceiving it into distributing cash with no record of a withdrawal, he explained. The hack causes the ATM to believe that a routine transaction has been canceled, although the money has already been deducted, and no bank account has been affected.

“They just keep doing it over and over until it can’t spit money out no more,” according to Collins.

Over four days last October, the crew is thought to have stolen more than $236,000 in Texas.

Seven people have been charged, including two in Harris County, one detained in Las Vegas and extradited, two wanted, and two in jail in Miami.

Vitalii Moravel, the suspected U.S. leader of the group, is a Ukrainian war refugee on a humanitarian visa, according to his counsel, and is facing identical allegations in Georgia and Florida.

According to Det. Collins, Moravel is suspected of getting instructions from a “big boss” in Russia, underscoring the criminal operation’s international reach.

Suspects charged with organized criminal conduct and illegal interception or attempt to intercept wire, oral, or electronic communication:

  • Vitalii Moravel, 32: Ukrainian national in the U.S. on a humanitarian visa after being displaced by war; arrested and in jail on similar charges in Miami
  • Roman Leskiv, 28: Wanted on Harris County charges; arrested and in jail on similar charges in Miami
  • Andriy Ivano, 32: Non-U.S. citizen from Ukraine, truck driver from Illinois; arrested in Las Vegas before being extradited to Harris County; pled guilty to third-degree money services act violation and was given two years of community supervision
  • Alexey Kharitonov, 50: Non-U.S. citizen from Russia, arrested on similar charges in Gwinnett County, Georgia; on bond in both states and “innocent,” according to his attorney
  • Mirsaftar Asgarov, 34: Case dismissed on March 13 because prosecutors say it can’t be proven beyond a reasonable doubt; non-U.S. citizen from Azerbaijan who is a locksmith in the Houston area
  • Aibek Karabalayev, 38: Not currently in custody, wanted on Harris County charges filed in February, last address in Illinois
  • Alexey Zubov, 38: Not currently in custody, wanted on Harris County charges filed in late February, last address in Illinois

At least five other suspects remain unidentified, according to Det. Collins. Flight records may connect the group to other incidents in New York, Boston, and Ohio.

According to Det. Collins, the individuals spotted at the ATMs receive 30% of the money, while the suspected leader, Moravel, receives 70%, the majority of which is thought to be converted to cryptocurrency. The shift to digital currency makes it even more difficult for police to locate and reclaim stolen funds.

“Some have stated that it’s sent back to the ‘The Big Boss’ via courier. And we’ve even received one report that he actually has flown in the United States to pick up cash,” Det. Collins said. “They work together just like anybody in any other business.”

The technical parts of the cyberattacks are still unclear, and there is no final strategy to halt them.

“Someone has taken a lot of time to learn how to compromise and overtake these systems from a long way away,” Collins said.

Although there haven’t been any ATM attacks of this type west of Texas, Det. Collins reported that Dallas has recently become a target once more. He recommended that ATM owners and operators keep their machines under watch and report any suspicious activity, such as lingering individuals or multiple transactions, to law enforcement.

“They’re getting better every day,” Det. Collins said. “This is not going to be an isolated incident. This is not the last place it’s going to happen. It’s going to continue.”

Any information about the people involved or observed in surveillance photographs should be reported to the Houston Police Department.
