June 3, 2020

An exhaustive inquiry published today by a consortium of investigative journalists says a three-part series KrebsOnSecurity published in 2015 on a Romanian ATM skimming gang operating in Mexico’s top tourist destinations disrupted their highly profitable business, which raked in an estimated $1.2 billion and enjoyed the protection of top Mexican authorities.

The multimedia investigation by the Organized Crime and Corruption Reporting Project (OCCRP) and several international journalism partners detailed the activities of the so-called Riviera Maya crime gang, allegedly a mafia-like group of Romanians who until very recently ran their own ATM company in Mexico called “Intacash” and installed sophisticated electronic card skimming devices inside at least 100 cash machines throughout Mexico.

According to the OCCRP, Riviera Maya’s skimming devices allowed thieves to clone the cards, which were used to withdraw funds from ATMs in other countries — often halfway around the world in places like India, Indonesia, and Taiwan.

Investigators say each skimmer captured on average 1,000 cards per month, siphoning about $200 from individual victim accounts. This allowed the crime gang to steal approximately $20 million monthly.

“The gang had little tricks,” OCCRP reporters recounted in their video documentary (above). “They would use the cards in different cities all over the globe and wait three months so banks would struggle to trace where the card had originally been cloned.”

In September 2015, I traveled to Mexico’s Yucatan Peninsula to find and document almost two dozen ATMs in the region that were compromised with Bluetooth-based skimming devices. Unlike most skimmers — which can be detected by looking for out-of-place components attached to the exterior of a compromised cash machine — these skimmers were hooked to the internal electronics of ATMs operated by Intacash’s competitors by authorized personnel who’d reportedly been bribed or coerced by the gang.

But because the skimmers were Bluetooth-based, allowing thieves periodically to collect stolen data just by strolling up to a compromised machine with a mobile device, I was able to detect which ATMs had been hacked using nothing more than a cheap smart phone.

One of the Bluetooth-enabled PIN pads pulled from a compromised ATM in Mexico. The two components on the left are legitimate parts of the machine. The fake PIN pad made to be slipped under the legit PIN pad on the machine, is the orange bit, top right. The Bluetooth and data storage chips are in the middle.

Several days of wandering around Mexico’s top tourist areas uncovered these sophisticated skimmers inside ATMs in Cancun, Cozumel, Playa del Carmen and Tulum, including a compromised ATM in the lobby of my hotel in Cancun. OCCRP investigators said the gang also had installed the same skimmers in ATMs at tourist hotspots on the western coast of Mexico, in Puerto Vallarta, Sayulita and Tijuana.

Part III of my 2015 investigation concluded that Intacash was likely behind the scheme. An ATM industry source told KrebsOnSecurity at the time that his technicians had been approached by ATM installers affiliated with Intacash, offering those technicians many times their monthly salaries if they would provide periodic access to the machines they maintained.

The alleged leader of the Riviera Maya organization and principal owner of Intacash, 43-year-old Florian “The Shark” Tudor, is a Romanian with permanent residence in Mexico. Tudor claims he’s an innocent, legitimate businessman who’s been harassed and robbed by Mexican authorities.

Last year, police in Mexico arrested Tudor for illegal weapons possession, and raided his various properties there in connection with an investigation into the 2018 murder of his former bodyguard, Constantin Sorinel Marcu.

According to prosecution documents, Marcu and The Shark spotted my reporting shortly after it was published in 2015, and discussed what to do next on a messaging app:

The Shark: Krebsonsecurity.com See this. See the video and everything. There are two episodes. They made a telenovela.

Marcu: I see. It’s bad.

The Shark: They destroyed us. That’s it. Fuck his mother. Close everything.

The intercepted communications indicate The Shark also wanted revenge on whoever was responsible for leaking information about their operations.

The Shark: Tell them that I am going to kill them.

Marcu: Okay, I can kill them. Any time, any hour.

The Shark: They are checking all the machines. Even at banks. They found over 20.

Marcu: Whaaaat?!? They found? Already??

Throughout my investigation, I couldn’t be sure whether Intacash’s shiny new ATMs — which positively blanketed tourist areas in and around Cancun — also were used to siphon customer card data. I did write about my suspicions that Intacash’s ATMs were up to no good when I found they frequently canceled transactions just after a PIN was entered, and typically failed to provide paper receipts for withdrawals made in U.S. dollars.

But citing some of the thousands of official documents obtained in their investigation, the OCCRP says investigators now believe Intacash installed the same or similar skimming devices in its own ATMs prior to deploying them — despite advertising them as equipped with the latest security features and fraudulent device inhibitors.

Tudor’s organization “had the access that gave The Shark’s crew huge opportunities for fraud,” the OCCRP reports. “And on the Internet, the number of complaints grew. Foreign tourists in Mexico fleeced” by Intacash’s ATMs.

Many of the compromised ATMs I located in my travels throughout Mexico were at hotels, and while Intacash’s ATMs could be found on many street locations in the region, it was rare to find them installed at hotels.

The confidential source with whom I drove from place to place at the time said Intacash avoided installing their machines at hotels — despite such locations being generally far more profitable — for one simple reason: If one’s card is cloned from a hotel ATM, the customer can easily complain to the hotel staff. With a street ATM, not so much.

The investigation by the OCCRP and its partners paints a vivid picture of a highly insular, often violent transnational organized crime ring that controlled at least 10 percent of the $2 billion annual global market for skimmed cards.

It also details how the group laundered their ill-gotten gains, and is alleged to have built a human smuggling ring that helped members of the crime gang cross into the U.S. and ply their skimming trade against ATMs in the United States. Finally, the series highlights how the Riviera Maya gang operated with impunity for several years by exploiting relationships with powerful anti-corruption officials in Mexico.

Tudor and many of his associates maintain their innocence and are still living as free men in Mexico, although Tudor is facing charges in Romania for his alleged involvement with organized crime, attempted murder and blackmail. Intacash is no longer operating in Mexico. In 2019, Intacash’s sponsoring bank in Mexico suspended the company’s contract to process ATM transactions.

For much more on this investigation, check out OCCRP’s multi-part series, How a Crew of Romanian Criminals Conquered the World of ATM Skimming.


42 thoughts on “Romanian Skimmer Gang in Mexico Outed by KrebsOnSecurity Stole $1.2 Billion

  1. Kim

    Excellent! Thank you, Brian
    Keep the fires hot.

  2. Henry

    Boy, sounds like something dangerous to report! How do you keep yourself safe? Actually, don’t tell me!
    H

  3. Counterpoint

    The $20M monthly claim is as salacious as the instagram pictures included in the money laundering article, and comparatively its inclusion is far less justified by the evidence.

    I don’t see that this guy was pulling more than $1.3M a month between himself and his little crew. While the gang perhaps could harvest 100,000 cc numbers per month, no evidence is presented that they could monetize anywhere near that amount.

    Do the math: How many man hours and ATMs does it take to reach 1oo,ooo transactions per month? At 3 minutes per transaction+cloning, it requires 167 man hours per day just standing in front of a ATMs with a stack of ready clones.
    Most generously, a non-bank ATM might yield $20,000 before exhausted. $20M/mo requires 33 ATM’s to be emptied to fraudulent withdrawals every single day of the month. There is no evidence that his gang had the geographic scope, manpower, sophistication (or work ethic) to meet that capacity.

    In practice, it would take more than 200 people to work all day, every day scouting and liquidating at ATMs. Someone would get caught — but I see only a gang of four (including a top lieutenant) forced to go as far as Bali.

    Top bosses pulling $20M a month don’t beg their mothers to dig up $20k from the winter earth. It’s not feasible to launder $20M/mo between $3k Western Unions transfers and $40k plane trips. All the properties and other construction look to be nowhere in the same league as $20M a month. It is credible that the police ripped him off for more than $2M cash kept at home, it is not credible that this amount represents only 3 days of his income — especially given his outraged public statement.

    This was a regional operation, run by a small family-oriented gang who liked to party and don’t appear a fraction as dangerous as their narco-neighbors. It was tailored to sustainability, strictly de minimus $200 cash outs, and tolerated/enjoyed by local officials — until Krebs blew the lid.

    1. Thinker

      Very interesting points… I see the logic and analytical thinking. Make sense.

      I ran the numbers too and something doesn’t add up… Something is missing and doesn’t make sense.

    2. Tudor Florian

      Krebs , porque no respondes a ese comentario ?
      Porque no publicas tambien el correo y las pruebas que te mande?
      Porque no le cuentas a tus lectores que los criminales buscados por interpol Marcu Constantin y Marcu Aurelian te pagaron el viaje a Mexico en 2015 y fueron dos de tus donatores mas importantes que te financiaron esas reportajes?

Comments are closed.