The leader of Mexico’s Green Party has been removed from office following allegations that he received money from a Romanian ATM skimmer gang that stole hundreds of millions of dollars from tourists visiting Mexico’s top tourist destinations over the past five years. The scandal is the latest fallout stemming from a three-part investigation into the organized crime group by KrebsOnSecurity in 2015.
Jose de la Peña Ruiz de Chávez, who leads the Green Ecologist Party of Mexico (PVEM), was dismissed this month after it was revealed that his were among 79 bank accounts seized as part of an ongoing law enforcement investigation into a Romanian organized crime group that owned and operated an ATM network throughout the country.
In 2015, KrebsOnSecurity traveled to Mexico’s Yucatan Peninsula to follow up on reports about a massive spike in ATM skimming activity that appeared centered around some of the nation’s primary tourist areas.
That three-part series concluded that Intacash, an ATM provider owned and operated by a group of Romanian citizens, had been paying technicians working for other ATM companies to install sophisticated Bluetooth-based skimming devices inside cash machines throughout the Quintana Roo region of Mexico, which includes Cancun, Cozumel, Playa del Carmen and Tulum.
Unlike most skimmers — which can be detected by looking for out-of-place components attached to the exterior of a compromised cash machine — these skimmers were hooked to the internal electronics of ATMs operated by Intacash’s competitors by authorized personnel who’d reportedly been bribed or coerced by the gang.
But because the skimmers were Bluetooth-based — allowing thieves periodically to collect stolen data just by strolling up to a compromised machine with a mobile device — KrebsOnSecurity was able to detect which ATMs had been hacked using nothing more than a cheap smart phone.
In a series of posts on Twitter, De La Peña denied any association with the Romanian organized crime gang, and said he was cooperating with authorities.
But it is likely the scandal will ensnare a number of other important figures in Mexico. According to a report in the Mexican publication Expansion Politica, the official list of bank accounts frozen by the Mexican Ministry of Finance include those tied to the notary Naín Díaz Medina; the owner of the Quequi newspaper, José Alberto Gómez Álvarez; the former Secretary of Public Security of Cancun, José Luis Jonathan Yong; his father José Luis Yong Cruz; and former governors of Quintana Roo.
In May 2020, the Mexican daily Reforma reported that the skimming gang enjoyed legal protection from a top anti-corruption official in the Mexican attorney general’s office.
The following month, my reporting from 2015 emerged as the primary focus of a documentary published by the Organized Crime and Corruption Reporting Project (OCCRP) into Intacash and its erstwhile leader — 44-year-old Florian “The Shark” Tudor. The OCCRP’s series painted a vivid picture of a highly insular, often violent transnational organized crime ring (referred to as the “Riviera Maya Gang“) that controlled at least 10 percent of the $2 billion annual global market for skimmed cards.
It also details how the group laundered their ill-gotten gains, and is alleged to have built a human smuggling ring that helped members of the crime gang cross into the U.S. and ply their skimming trade against ATMs in the United States. Finally, the series highlights how the Riviera Maya gang operated with impunity for several years by exploiting relationships with powerful anti-corruption officials in Mexico.
In 2019, police in Mexico arrested Tudor for illegal weapons possession, and raided his various properties there in connection with an investigation into the 2018 murder of his former bodyguard, Constantin Sorinel Marcu.
According to prosecution documents, Marcu and The Shark spotted my reporting shortly after it was published in 2015, and discussed what to do next on a messaging app:
The Shark: Krebsonsecurity.com See this. See the video and everything. There are two episodes. They made a telenovela.
Marcu: I see. It’s bad.
The Shark: They destroyed us. That’s it. Fuck his mother. Close everything.
The intercepted communications indicate The Shark also wanted revenge on whoever was responsible for leaking information about their operations.
The Shark: Tell them that I am going to kill them.
Marcu: Okay, I can kill them. Any time, any hour.
The Shark: They are checking all the machines. Even at banks. They found over 20.
Marcu: Whaaaat?!? They found? Already??
Since the OCCRP published its investigation, KrebsOnSecurity has received multiple death threats. One was sent from an email address tied to a Romanian programmer and malware author who is active on several cybercrime forums. It read:
“Don’t worry.. you will be killed you and your wife.. all is matter of time amigo :)”
Holy snap, I hope you are reporting those death threats to the Romanian authorities. Thanks for your great work really interesting development!
The Romanian authorities will do nothing. Where do you think the gangs learned how to bribe oficials?
This was an incredible piece of journalism by Brian Krebs, undertaken at no little personal risk. Really deserves wider recognition.
I feel like that on about every other piece he puts out. Too true.
Good job of reporting, but please stay safe!
Sounds like there is enough money involved to rent a plethora of bad guys.
Yes, please stay safe!
Why was the Huawei smartphone able to detect the Bluetooth signals and not the iPhone one?
Any clues or hint?
Yes. I didn’t realize it at the time, but the iPhone ignores many generic Bluetooth signals that aren’t specifically designated as coming from a known commercial device. E.g., it won’t detect signals from a lot of generic Bluetooth circuit boards. There is a more technical explanation of this somewhere but I can’t seem to get my hands on it at the moment.
Brian, do you know if bluetooth can hide ID like wifi SSID broadcast can be hidden? What were the names of the bluetooth ID’s you saw broadcast? How soon will this be info be upgraded into the miscreants playbook and start hiding their broadcast ID’s? Perhaps a code keyed into the keypad turns on the bluetooth broadcast…? I should have been a criminal.
Hi Ron,
If you haven’t looked at the three original stories I did on this, they answer some of these questions. All the skimmers were beaconing out the default “free2move” SSID that the Bluetooth boards they bought and used sent out. It’s short-range wireless signal, so it has to send out some kind of identifier. They weren’t hidden from my iPhone so much as the iPhone doesn’t generally see generic BT signals.
https://krebsonsecurity.com/2015/09/tracking-a-bluetooth-skimmer-gang-in-mexico/
https://krebsonsecurity.com/2015/09/tracking-bluetooth-skimmers-in-mexico-part-ii/
https://krebsonsecurity.com/2015/09/whos-behind-bluetooth-skimming-in-mexico/
https://www.kismetwireless.net/docs/readme/datasources_bluetooth/
I did my share of war driving with the wifi Kismet. Everything is encrypted these days but occasionally you find interesting wifi devices.
I started researching Bluetooth Kismet but I figured with covid there wouldn’t be any opportunities for discovery. Well I guess I was wrong.
I have to say I wasn’t particularly impressed with the Great Scott Hack RF so I suggest looking at the Bluetooth sniffers on AliExpress first before spending real money. Look at the photos to get the right chipset.
Very nice!
Port knocking[1] has existed for decades.
But, people only spend resources on such things when necessary.
At this point, the attackers don’t seem to need to do such a thing.
Knocking could be in the form of listening for a signal. It could even be some sort of rotating thing.
[1] https://en.wikipedia.org/wiki/Port_knocking
The iOS bluetooth stack is of limited functionality. It does not support the Serial Port Profile, which most of these cheap solutions use. Android does, which is why a lot of other generic bluetooth devices like OBD2 scantool dongles support Android but not iOS.
The iPhone only supports Bluetooth 4.x (LE – Low Energy) and higher, and cannot communicate with the earlier Bluetooth protocol while Android phones support both.
You wonder if the Romanian organized crime gangs, are in part the gypsy population in that country. It’s the same gypsy population that has moved into the United Kingdom over the years.
Gypsies? Gypsies? Wait, Gypsies?
What possible connection – other than hatred of Gypsies – motivates that comment?
It sounds like you need some help identifying racial profiling. Please read these articles.
“The twisted idea of the Romani people’s inherent criminality has many similarities to misconceptions about other racial and ethnic groups in the US and the discrimination and abuse Roma face at the hands of law enforcement officers has to become part of the ongoing public conversation about police violence. ”
https://www.aljazeera.com/opinions/2020/12/20/romani-americans-struggle-with-inherent-criminality-stereotypes
*I’m a Romany Gypsy – why is racism against us still acceptable?
https://www.theguardian.com/commentisfree/2020/jun/15/romany-gypsy-racism-britain-prejudice-roma-travellers
*Roma people: 10 ways Europe’s biggest minority faces discrimination
https://www.reuters.com/article/us-global-roma-rights/roma-people-10-ways-europes-biggest-minority-faces-discrimination-idUSKCN1RK01Y
Those were white ethnic romanians not scum.
Geez
Ignorance abounds!
https://www.justiceinspectorates.gov.uk/prisons/wp-content/uploads/sites/4/2014/04/gypsies-romany-travellers-findings.pdf
“The subsequent census data for 2011 showed that of the population of England and Wales, just 58,000 or 0.1% of people identified themselves as Gypsy or Irish Traveller.”
“. The question ‘Do you consider yourself to be Gypsy, Romany or Traveller?’ was first introduced into Inspectorate surveys in 2009. In 2012–2013, 5% of prisoners responded ‘yes’ to this question;”
Ignorance abounds!
https://www[dot]justiceinspectorates[dot]gov[dot]uk/prisons/wp-content/uploads/sites/4/2014/04/gypsies-romany-travellers-findings.pdf
“The subsequent census data for 2011 showed that of the population of England and Wales, just 58,000 or 0.1% of people identified themselves as Gypsy or Irish Traveller.”
“. The question ‘Do you consider yourself to be Gypsy, Romany or Traveller?’ was first introduced into Inspectorate surveys in 2009. In 2012–2013, 5% of prisoners responded ‘yes’ to this question;”
Well done Brian. And scary stuff. Hit men, million$, and corruption – and thank God we can still see this stuff exposed. As far as Gypsies/Roms – only thing I have to say is when staying at the hoary old Hotel Monopol across the street from the Frankfurt Main Train Station in 2019, my wife and headed out for a walk in search of a particular restaurant and as we strolled through the lobby, the clerk told us to be careful around the Roms. And there were several (we assume) hanging out along the sidewalk full of tourists and train passengers. She said watch your wallets. We were there overnight and they were out there all the time.
Five years later and Brian and his family still have to worry about this. Hopefully not the rest of their lives. Humanity can be beyond reprehensible.
On a side note, the more Brian exposes stuff like this, and considering our inexorable march to all things digital (can’t believe I am about to write this), but I cannot wait for AI to absolutely remove all humans from the critical, sensitive things in our lives.
With the coming growth of AI, maybe it will be possible to remove humans from writing the code that designs the systems to protect our finances, our health, our safety in transportation, etc, etc. Also to remove humans from building the structures to run this code. Remove them from having any interaction with the equipment within this structure other than the front-facing interaction setup everyone (we all) have to use. Remove them from everything.
As long as humans are involved, the chain of security and safety will be forever weak.
Personally, I cannot wait for the rise of machines and AI.
Personally, I cannot wait for the rise of the Roma.
Meh, their tomatoes aren’t even vintage.
The reason smart people don’t want ‘real’ AI, one that develops it’s own thoughts, is that it is accepted that if humans were judged, we would not be allowed to live. I can’t say that’s wrong.
Brian has made many enemies. Including some featured in his book Spam Nation [1], various people involved in swatting [2], …
[1] https://krebsonsecurity.com/tag/spam-nation/
[2] https://krebsonsecurity.com/tag/swatting/
Thank you Brian! This is a great article.
Thanks Brian for all you do and stay safe. As I think someone else mentioned you need some sort of recognition for all you do. Thanks!!
Things I thought I would never read about Krebs,
“. They made a telenovela.”
Thank you for your work against global corruption.
Lers not talk about money lets talk about food.
People starving .
Food nedd not money
This particular Romanian programmer must be extremely stupid. He gets so sloppy that everyone knows what machines are hacked, who his lackeys’ are, has so many loose ends because so many sleezy people are involved. Then goes to blame the guy that happened to write down “the obvious”. This type of fool with will get everyone around him burned as he goes down. This should be interesting to watch. The more crap comes out of him, the bigger he makes the spot light. And it’s very bright now. lol
It’s not necessarily code issues, it often has to do with someone finding a vulnerability in a protocol or the way a hardware component works that’s used across multiple OSes, and finding out how to mitigate the problem often requires multiple major code changes.
This guys is openinng his mouth and making us gov to start investigation this is all wath he is doing, he work for us gov
Several friends get in trouble in mexico cause of you
Come in mexico one time, you will not come out..
Sigh… All mouth but no teeth.
I don’t know of anyone who has received as many death threats as Brian has, and yet is still alive; he must be doing something right 🙂
Stay safe, Brian; we need your reporting!