May 26, 2020

A group of Romanians operating an ATM company in Mexico and suspected of bribing technicians to install sophisticated Bluetooth-based skimmers in cash machines throughout several top Mexican tourist destinations have enjoyed legal protection from a top anti-corruption official in the Mexican attorney general’s office, according to a new complaint filed with the government’s internal affairs division.

As detailed this week by the Mexican daily Reforma, several Mexican federal, state and municipal officers filed a complaint saying the attorney general office responsible for combating corruption had initiated formal proceedings against them for investigating Romanians living in Mexico who are thought to be part of the ATM skimming operation.

Florian Tudor (right) and his business associates at a press conference earlier this year. Image: Reforma.

Reforma said the complaint centers on Camilo Constantino Rivera, who heads the unit in the Mexican Special Prosecutor’s office responsible for fighting corruption. It alleges Rivera has an inherent conflict of interest because his brother has served as a security escort and lawyer for Florian Tudor, the reputed boss of a Romanian crime syndicate recently targeted by the FBI for running an ATM skimming and human trafficking network that operates throughout Mexico and the United States.

Tudor, a.k.a. “Rechinu” or “The Shark,” and his ATM company Intacash, were the subject of a three-part investigation by KrebsOnSecurity published in September 2015. That series tracked the activities of a crime gang which was rumored to be bribing and otherwise coercing ATM technicians into installing Bluetooth-based skimming devices inside cash machines throughout popular tourist destinations in and around Mexico’s Yucatan Peninsula — including Cancun, Cozumel, Playa del Carmen and Tulum.

In 2018, 44-year-old Romanian national Sorinel Constantin Marcu was found shot dead in his car in Mexico. Marcu’s older brother told KrebsOnSecurity shortly after the murder that his brother was Tudor’s personal bodyguard but at some point had a falling out with Tudor and his associates over money. Marcu the elder said his brother was actually killed in front of a new apartment complex being built and paid for by Mr. Tudor, and that the dead man’s body was moved to make it look like he was slain in his car instead.

On March 31, 2019, police in Cancun, Mexico arrested 42-year-old Tudor and 37-year-old Adrian Nicholae Cosmin for the possession of an illegal firearm and cash totaling nearly 500,000 pesos (~USD $26,000) in both American and Mexican denominations. Two months later, a judge authorized the search of several of Tudor’s properties.

The Reforma report says Rivera’s office subsequently initiated proceedings against and removed several agents who investigated the crime ring, alleging those agents abused their authority and conducted illegal searches. The complaint against Rivera charges that the criminal protection racket also included the former chief of police in Cancun.

In September 2019, prosecutors with the Southern District of New York unsealed indictments and announced arrests against 18 people accused of running an ATM skimming and money laundering operation that netted $20 million. The defendants in that case — nearly all of whom are Romanians living in the United States and Mexico — included Florian Claudio Martin, described by Romanian newspapers as “the brother of Rechinu,” a.k.a. Tudor.

The news comes on the heels of a public relations campaign launched by Mr. Tudor, who recently denounced harassment from the news media and law enforcement by taking out a full two-page ad in Novedades, the oldest daily newspaper in the Mexican state of Quintana Roo (where Cancun is located). In a news conference with members of the local press, Tudor also reportedly accused this author of having been hired by his enemies to slander him and ruin his legitimate business.

A two-page ad taken out earlier this year in a local newspaper by Florian Tudor, accusing the head of the state police department of spying on businessmen in order to extort and harass them.

Obviously, there is no truth to Tudor’s accusations, and this would hardly be the first time the reputed head of a transnational crime syndicate has insinuated that I was paid by his enemies to disrupt his operations.

Next week, KrebsOnSecurity will publish highlights from an upcoming lengthy investigation into Tudor and his company by the Organized Crime and Corruption Reporting Project (OCCRP), a consortium of investigative journalists operating in Eastern Europe, Central Asia and Central America.

Here’s a small teaser: Earlier this year, I was interviewed on camera by reporters with the OCCRP, who at one point in the discussion handed me a transcript of some text messages shared by law enforcement officials that allegedly occurred between Tudor and his associates directly after the publication of my 2015 investigation into Intacash.

The text messages suggested my story had blown the cover off their entire operation, and that they intended to shut it all down after the series was picked up in the Mexican newspapers. One text exchange seems to indicate the group even briefly contemplated taking out a hit on this author in retribution.

The Mexican attorney general’s office could not be immediately reached for comment. The “contact us” email link on the office’s homepage leads to a blank email address, and a message sent to the one email address listed there as the main contact for the Mexican government portal (gobmx@funcionpublica.gob.mx) bounced back as an attempt to deliver to a non-existent domain name.

Further reading:

Alleged Chief of Romanian ATM Skimming Gang Arrested in Mexico

Tracking a Bluetooth Skimmer Gang in Mexico

Tracking a Bluetooth Skimmer Gang in Mexico, Part II

Who’s Behind Bluetooth Skimming in Mexico?


37 thoughts on “Report: ATM Skimmer Gang Had Protection from Mexican Attorney General’s Office”

  1. Candy

    Yay…the saga continues! My little community bank team ate up your original stories. And to this day, I warn my customers traveling to watch for ATM tampering. I can’t wait to read the next set of installments.

    Have you thought about a novel?

    1. Brian Krebs

      Thanks. Yes, the trouble with the skimmers from this gang is they could not be detected unless you actually opened up a hacked ATM and had an experienced technician who knew what to look for. The Bluetooth skimmers were wired directly to the circuit boards for the internal card reader and the PIN pad.

      1. Richard F. Stewart

        Brian, that is certainly a higher level of sophistication and obfuscation than what we usually see for card skimmers. Thank you for what you do in your reporting.

      2. JCitizen

        What about the Bluetooth signal you demonstrated on the video? Wouldn’t that be enough to know if an ATM was compromised?

        You are scaring me with this investigation – please watch your back! I know they don’t let people carry firearms in Mexico, so I fear for your safety.

        1. BrianKrebs Post author

          If you knew what signal to look for, possibly. Also, if you had something other than an iPhone, which ignores a lot of Bluetooth signals that don’t map to specific products. The Bluetooth scanning API in iOS only shows classic Bluetooth devices that are authorized to pair with Apple devices. Most Bluetooth-to-serial devices have not been authorized to pair with iOS (although they can pair with MacOS). I had to buy a crappy $100 Huawei smart phone in Mexico to do that research, but it did the job the iPhone couldn’t do.

          1. JCitizen

            With the budget I’m on, I’d probably take the cheap crappy phone anyway. Thanks for this very interesting article – stay safe, and God bless!

          2. Dale

            If the crooks can rig up a Bluetooth device, they can rig up other wireless technologies like 802.15.4, NRF24L01+, and so on, and use protocols that don’t beacon, but instead listen for the crooks’ device to broadcast first.

            These couldn’t be found by passive scanning.

            Seems smart to avoid all ATMs while traveling where possible. I wouldn’t rely upon a Bluetooth scan to ensure an ATM wasn’t hacked.

  2. rich

    When these guys get arrested in Europe there is usually a couple of months jail sentence involved which is why this is such a profitable business for them.

    The Mexicans should drive them out in the desert and then machine gun them in the legs and leave them. That would bring their activities to a quick close.

  3. The Sunshine State

    I can’t wait for that upcoming lengthy investigation.

  4. acorn

    “…the main contact for the Mexican government portal (gobmx@funcionpublica.gob.mx) bounced back as an attempt to deliver to a non-existent domain name.”

    The domain name exists right now. May have bounced for another reason; or had incorrect return statement.

  5. Rolf

    There is no real rule of law south of the Rio Grande…

  6. Robert Scroggins

    It appears to me that the rule of law is in danger everywhere!

    Ditto what James Cameron said, Brian.

    Regards,

    1. Rube Goldberg's Razor

      Rule of law is an anomaly, the exception. Jungle law/mob rule via force is the rule. A “top anti-corruption official” aided and abetted criminals. Just like U.S. “regulatory” agencies with their incestuous revolving doors to the industries supposedly being monitored. The only due process is the vig paid to play. It’s everywhere.

  7. Daniel

    Who knew investigative journalism could be hazardous to your health? Much respect for what you do and your level of professionalism in a news industry where ethical journalism seems to have gone by the wayside. At one time you could for the most part trust journalism and what you read in the papers. Now it seems to be nothing more than a platform to promote political agendas where you can print anything as long as you preface it with “alleged or allegedly”. No need to verify sources or do any kind of vetting anymore…

    1. Wayne

      Um, a lot of people know investigating organized crime can be hazardous to your health. Read up on Don Bolles some time, he lived down the street from my family, I went to school with his kids and went to an Arizona Republic picnic with them once.

      His murderer joked that he was going to buy himself a Datsun after Bolles initially survived six sticks of dynamite being detonated underneath him. He died 11 days later.

      https://en.wikipedia.org/wiki/Don_Bolles

  8. Mahhn

    Your work makes me want to play Punisher and go after these leeches around the world that need it. Alas I am too old and can’t afford to travel.
    I hope that not only do these leeches get their up and comings, but that the example of excellence you bring to journalism influences more integrity in those that need it.
    Keep up the great work Brian!

    1. pro hacker

      I doubt you have ever left your room little skid

      1. Mahhn

        lol, the only person you know here is yourself. So if that’s your life, I hope you do better.

  10. Scott Lewis

    Thanks again Brian for all your help as always!

  11. JimV

    Brian, I’m really looking forward to that next shoe-drop, and it will undoubtedly be another really good read.

  12. George G.

    Mexico – the corruption capital of this continent.
    Speaking from personal experience.

  13. Alex N

    It has to feel pretty strange seeing consideration of a hit being put out on you. Such threats are unbelievably common in Mexico due to the amount of corruption there.

  14. Matthew G

    Interesting they don’t make the ATM circuit boards more tamper resistant. Just hot wire in and you are good?

  15. David

    ‘Inherent conflict of interest’ must be one of the best understatements of the year so far

  16. mark

    There must be more to this story. You can’t simply write track data on a magstripe card and use it at an ATM. Most cards have the EMV chip which means it won’t work as the ATM will detect this as a chip card.

    1. Robert

      EMV is only useful if it is enforced by the financial institution. Something that isn’t going to happen for a long time due to the huge numbers of non-EMV terminals. Also tampering with the track data that tells a terminal that a card has EMV enabled doesn’t invalidate the checksum or the track checksum isn’t signed. I don’t remember which.

    2. Robert

      Unfortunately, until the entire world is on EMV, backwards compatibility with swipe only is an economic necessity. Add to that the track data flagging a card as EMV can be modified without consequence and you have a perfect environment for skimming in popular vacation destinations.

  17. john

    Hey, I just want to tell you that it is a very informative article that helped me to enhance my knowledge but I have only one confusion which is about Rechinu. Can you please elaborate this article kindly.

  18. رجيم

    It’s going to be ending of mine day, however
    before ending I am reading this enormous article to increase
    my experience.

  19. AC

    How effective would mobile/contactless payment services (i.e. Apple Pay, Chase Pay, Google Pay, etc.) be against this ATM skimming technology?

  20. L Jean Camp

    It seems that checking for this kind of thing could be part of the price of owning one, basically a part of risk management. Like you can not leave wet floors or open containers of hazards, should there be a minimal due care standard for operating an ATM?

    What do you think of the efficacy of skimmer scammer? It is highly targeted and I do not have a sense of how common those style of skimmers are.

    Or the skim reaper? It sounds like reaper would not have worked in this case
    https://www.skimreaper.com/reaper

    but skimmer scammer may have.
    https://github.com/sparkfunX/Skimmer_Scanner

Comments are closed.