Feb 21

Mexican Politician Removed Over Alleged Ties to Romanian ATM Skimmer Gang

The leader of Mexico’s Green Party has been removed from office following allegations that he received money from a Romanian ATM skimmer gang that stole hundreds of millions of dollars from tourists visiting Mexico’s top tourist destinations over the past five years. The scandal is the latest fallout stemming from a three-part investigation into the organized crime group by KrebsOnSecurity in 2015.

One of the Bluetooth-enabled PIN pads pulled from a compromised ATM in Mexico. The two components on the left are legitimate parts of the machine. The fake PIN pad made to be slipped under the legit PIN pad on the machine, is the orange component, top right. The Bluetooth and data storage chips are in the middle.

Jose de la Peña Ruiz de Chávez, who leads the Green Ecologist Party of Mexico (PVEM), was dismissed this month after it was revealed that his were among 79 bank accounts seized as part of an ongoing law enforcement investigation into a Romanian organized crime group that owned and operated an ATM network throughout the country.

In 2015, KrebsOnSecurity traveled to Mexico’s Yucatan Peninsula to follow up on reports about a massive spike in ATM skimming activity that appeared centered around some of the nation’s primary tourist areas.

That three-part series concluded that Intacash, an ATM provider owned and operated by a group of Romanian citizens, had been paying technicians working for other ATM companies to install sophisticated Bluetooth-based skimming devices inside cash machines throughout the Quintana Roo region of Mexico, which includes Cancun, Cozumel, Playa del Carmen and Tulum.

Unlike most skimmers — which can be detected by looking for out-of-place components attached to the exterior of a compromised cash machine — these skimmers were hooked to the internal electronics of ATMs operated by Intacash’s competitors by authorized personnel who’d reportedly been bribed or coerced by the gang.

But because the skimmers were Bluetooth-based — allowing thieves periodically to collect stolen data just by strolling up to a compromised machine with a mobile device — KrebsOnSecurity was able to detect which ATMs had been hacked using nothing more than a cheap smart phone.

In a series of posts on Twitter, De La Peña denied any association with the Romanian organized crime gang, and said he was cooperating with authorities.

But it is likely the scandal will ensnare a number of other important figures in Mexico. According to a report in the Mexican publication Expansion Politica, the official list of bank accounts frozen by the Mexican Ministry of Finance include those tied to the notary Naín Díaz Medina; the owner of the Quequi newspaper, José Alberto Gómez Álvarez; the former Secretary of Public Security of Cancun, José Luis Jonathan Yong; his father José Luis Yong Cruz; and former governors of Quintana Roo.

In May 2020, the Mexican daily Reforma reported that the skimming gang enjoyed legal protection from a top anti-corruption official in the Mexican attorney general’s office.

The following month, my reporting from 2015 emerged as the primary focus of a documentary published by the Organized Crime and Corruption Reporting Project (OCCRP) into Intacash and its erstwhile leader — 44-year-old Florian “The Shark” Tudor. The OCCRP’s series painted a vivid picture of a highly insular, often violent transnational organized crime ring (referred to as the “Riviera Maya Gang“) that controlled at least 10 percent of the $2 billion annual global market for skimmed cards.

It also details how the group laundered their ill-gotten gains, and is alleged to have built a human smuggling ring that helped members of the crime gang cross into the U.S. and ply their skimming trade against ATMs in the United States. Finally, the series highlights how the Riviera Maya gang operated with impunity for several years by exploiting relationships with powerful anti-corruption officials in Mexico.

In 2019, police in Mexico arrested Tudor for illegal weapons possession, and raided his various properties there in connection with an investigation into the 2018 murder of his former bodyguardConstantin Sorinel Marcu.

According to prosecution documents, Marcu and The Shark spotted my reporting shortly after it was published in 2015, and discussed what to do next on a messaging app:

The Shark: Krebsonsecurity.com See this. See the video and everything. There are two episodes. They made a telenovela.

Marcu: I see. It’s bad.

The Shark: They destroyed us. That’s it. Fuck his mother. Close everything.

The intercepted communications indicate The Shark also wanted revenge on whoever was responsible for leaking information about their operations.

The Shark: Tell them that I am going to kill them.

Marcu: Okay, I can kill them. Any time, any hour.

The Shark: They are checking all the machines. Even at banks. They found over 20.

Marcu: Whaaaat?!? They found? Already??

Since the OCCRP published its investigation, KrebsOnSecurity has received multiple death threats. One was sent from an email address tied to a Romanian programmer and malware author who is active on several cybercrime forums. It read:

“Don’t worry.. you will be killed you and your wife.. all is matter of time amigo :)”

Tags: , , , , , , , , , , , , ,


  1. Holy snap, I hope you are reporting those death threats to the Romanian authorities. Thanks for your great work really interesting development!

  2. This was an incredible piece of journalism by Brian Krebs, undertaken at no little personal risk. Really deserves wider recognition.

  3. Good job of reporting, but please stay safe!

    Sounds like there is enough money involved to rent a plethora of bad guys.

  4. Yes, please stay safe!

  5. Philip de Louraille

    Why was the Huawei smartphone able to detect the Bluetooth signals and not the iPhone one?
    Any clues or hint?

  6. The Sunshine State

    You wonder if the Romanian organized crime gangs, are in part the gypsy population in that country. It’s the same gypsy population that has moved into the United Kingdom over the years.

  7. Ignorance abounds!


    “The subsequent census data for 2011 showed that of the population of England and Wales, just 58,000 or 0.1% of people identified themselves as Gypsy or Irish Traveller.”

    “. The question ‘Do you consider yourself to be Gypsy, Romany or Traveller?’ was first introduced into Inspectorate surveys in 2009. In 2012–2013, 5% of prisoners responded ‘yes’ to this question;”

  8. Ignorance abounds!


    “The subsequent census data for 2011 showed that of the population of England and Wales, just 58,000 or 0.1% of people identified themselves as Gypsy or Irish Traveller.”

    “. The question ‘Do you consider yourself to be Gypsy, Romany or Traveller?’ was first introduced into Inspectorate surveys in 2009. In 2012–2013, 5% of prisoners responded ‘yes’ to this question;”

  9. Well done Brian. And scary stuff. Hit men, million$, and corruption – and thank God we can still see this stuff exposed. As far as Gypsies/Roms – only thing I have to say is when staying at the hoary old Hotel Monopol across the street from the Frankfurt Main Train Station in 2019, my wife and headed out for a walk in search of a particular restaurant and as we strolled through the lobby, the clerk told us to be careful around the Roms. And there were several (we assume) hanging out along the sidewalk full of tourists and train passengers. She said watch your wallets. We were there overnight and they were out there all the time.

  10. Five years later and Brian and his family still have to worry about this. Hopefully not the rest of their lives. Humanity can be beyond reprehensible.

    On a side note, the more Brian exposes stuff like this, and considering our inexorable march to all things digital (can’t believe I am about to write this), but I cannot wait for AI to absolutely remove all humans from the critical, sensitive things in our lives.

    With the coming growth of AI, maybe it will be possible to remove humans from writing the code that designs the systems to protect our finances, our health, our safety in transportation, etc, etc. Also to remove humans from building the structures to run this code. Remove them from having any interaction with the equipment within this structure other than the front-facing interaction setup everyone (we all) have to use. Remove them from everything.

    As long as humans are involved, the chain of security and safety will be forever weak.

    Personally, I cannot wait for the rise of machines and AI.

  11. Thank you Brian! This is a great article.

  12. Thanks Brian for all you do and stay safe. As I think someone else mentioned you need some sort of recognition for all you do. Thanks!!

  13. Things I thought I would never read about Krebs,
    “. They made a telenovela.”

    Thank you for your work against global corruption.

  14. Lers not talk about money lets talk about food.
    People starving .
    Food nedd not money

  15. This particular Romanian programmer must be extremely stupid. He gets so sloppy that everyone knows what machines are hacked, who his lackeys’ are, has so many loose ends because so many sleezy people are involved. Then goes to blame the guy that happened to write down “the obvious”. This type of fool with will get everyone around him burned as he goes down. This should be interesting to watch. The more crap comes out of him, the bigger he makes the spot light. And it’s very bright now. lol

  16. It’s not necessarily code issues, it often has to do with someone finding a vulnerability in a protocol or the way a hardware component works that’s used across multiple OSes, and finding out how to mitigate the problem often requires multiple major code changes.

  17. This guys is openinng his mouth and making us gov to start investigation this is all wath he is doing, he work for us gov

    Several friends get in trouble in mexico cause of you
    Come in mexico one time, you will not come out..

  18. I don’t know of anyone who has received as many death threats as Brian has, and yet is still alive; he must be doing something right 🙂

    Stay safe, Brian; we need your reporting!

Leave a comment