UNC2891 multi-year ATM fraud campaign against Indonesian banks

Campaign
Happening score
H score 34
1 unique source, 1 article

Summary

UNC2891’s multi-year ATM fraud campaign against two Indonesian banks has been fully exposed, showing a coordinated cash-out operation that used money mules, cloned cards, and repeated attacks from February 2022 to July 2024. The operation tied together three attacks and broader financial-theft infrastructure, increasing the risk of repeat ATM abuse and long-running persistence. Shared tooling and cryptographic keys indicate this was a single organized campaign rather than isolated bank break-ins.

Related Happenings

GoldFactory Coretax impersonation fraud campaign

Campaign
First: 19.02.2026 17:30 Last: 19.02.2026 17:30 Sources 1

About this happening: The **GoldFactory**-linked fraud campaign now threatens **Indonesian taxpayers** at scale, with estimated losses of **$1.5m to $2m**. It ran from **July 2025** and intensified in...

Peru loan phishing campaign impersonating financial institutions across Latin America

Campaign
First: 21.01.2026 17:00 Last: 21.01.2026 17:00 Sources 1

About this happening: A **Peru-focused loan phishing campaign** has expanded across **Latin America**, putting users' **card numbers**, **PIN codes**, and **banking credentials** at risk. The operation...

Bank hit by network compromise

Incident
First: 20.11.2025 18:00 Last: 20.11.2025 18:00 Sources 1

How related: According to the security researchers, the UNC2891 threat group was able to compromise over 30 systems at Bank A during the February 2022 incident alone, indicating that the group was able to maintain a persistent presence at a targeted organization.

About this happening: **Bank A** suffered a **compromise** in **February 2022** that gave **UNC2891** persistent access to **more than 30 systems**, making the intrusion materially larger than a single...

Asia cross-border fake crypto and forex investment scam campaign

Campaign
First: 28.10.2025 18:45 Last: 28.10.2025 18:45 Sources 1

About this happening: A **current wave** of **fake crypto and forex investment scams** is stealing funds from victims across **Asia**, using polished trading platforms to look legitimate. The operation...

GXC Team CaaS phishing ecosystem disrupted after global banking-fraud tool sales

Threat Actor Meta
First: 13.10.2025 18:00 Last: 13.10.2025 18:00 Sources 1

About this happening: The arrest of the alleged leader disrupted **GXC Team**'s **Crime-as-a-Service** phishing ecosystem, cutting off turnkey tooling used for banking fraud by criminal customers world...

Timeline

  1. 20.11.2025 18:00 2 articles · 6mo ago

    UNC2891 full-scope ATM fraud campaign against Indonesian banks disclosed

    Campaign Scope Update

    Group-IB disclosed the full scope of UNC2891's multi-year ATM fraud campaign against Bank A and Bank B in Indonesia, tying together attacks in February 2022, November 2023, and July 2024 through shared STEELCORGI packing-tool use and similar cryptographic keys. The campaign combined money mule recruitment, cloned card equipment, TeamViewer-assisted cash withdrawals, CAKETAP manipulation of PIN verification and ARQC responses, and persistent access tooling across compromised systems, and the February 2022 incident alone was linked to more than 30 compromised systems at Bank A.
