Hackers tried to break into a bank’s system using a device the size of a credit card. They planted a 4G‑enabled Raspberry Pi in the network powering the ATM system. The bank’s internal network became vulnerable, but experts blocked the attempt.
How the Attack Unfolded
- The hacking group UNC2891 (also called LightBasin) physically connected the Raspberry Pi to the same network switch as the ATM.
- They equipped the Pi with a 4G modem, enabling remote access via mobile networks, bypassing firewalls entirely.
- The attackers loaded a backdoor called TinyShell, using a dynamic DNS domain to maintain stealthy C2 communication.
Stealth Tactics Employed
Attackers used advanced techniques to hide their tracks:
- They abused Linux bind mounts, masking malicious processes from standard forensic tools.
- Fake process names like “lightdm” mimicked legitimate system services but ran from hacked directories like /tmp or .snapd.
- The monitoring server beaconed to the Pi every 10 minutes to stay connected as the pivot host.
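The two hiding tricks above (a bind mount over a /proc/<pid> directory, and a service name like “lightdm” running from a staging path) both leave traces a defender can check for. The following Python is an added example written for this article, not code from the investigators or the bank; the mountinfo sample and the /tmp and .snapd paths are constructed from the description above, and the "lightdm" name and the directory list are assumptions for illustration.

```python
import re

# Constructed sample of /proc/self/mountinfo: a normal /proc mount, then a bind
# mount of /proc/1 placed over /proc/4242, which makes tools that walk /proc
# see PID 1's files where PID 4242's should be. Fields: id, parent, maj:min,
# root, mount point, options, optional tags..., "-", fstype, source, superopts.
SAMPLE_MOUNTINFO = """\
24 30 0:22 / /proc rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
25 30 0:23 / /sys rw,nosuid,nodev,noexec,relatime shared:7 - sysfs sysfs rw
91 24 0:22 /1 /proc/4242 rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
92 30 0:41 / /tmp rw,nosuid,nodev shared:20 - tmpfs tmpfs rw
"""

PROC_PID_MOUNT = re.compile(r"^/proc/(\d+)(?:/|$)")


def find_proc_pid_mounts(mountinfo_text):
    """Return [(pid, mount_point, source_root)] for every mount sitting on top
    of a /proc/<pid> directory. Nothing legitimate mounts there, so any hit is
    worth a look: the hidden process is the one whose pid directory is covered."""
    hits = []
    for line in mountinfo_text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed line; mountinfo has at least 10 fields
        root, mount_point = fields[3], fields[4]
        m = PROC_PID_MOUNT.match(mount_point)
        if m:
            hits.append((int(m.group(1)), mount_point, root))
    return hits


# Assumed for illustration: service names an implant might borrow, and
# directories a real system service never executes from.
MASQUERADE_NAMES = {"lightdm"}
STAGING_DIRS = ("/tmp/", "/.snapd/", "/dev/shm/")


def flag_masquerade(comm, exe_path):
    """True when a process carries a trusted service name but its binary
    (as resolved from /proc/<pid>/exe) lives in a staging directory."""
    return comm in MASQUERADE_NAMES and any(d in exe_path for d in STAGING_DIRS)


if __name__ == "__main__":
    print(find_proc_pid_mounts(SAMPLE_MOUNTINFO))
    print(flag_masquerade("lightdm", "/tmp/.snapd/lightdm"))
```

On a live host, feed the contents of /proc/self/mountinfo to find_proc_pid_mounts and the comm/exe pair of each process to flag_masquerade; a rootkit that also hides mount entries will defeat the first check, so compare against a second vantage point (netstat-style socket inodes, or an offline disk image) as well.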
Attack Goals and Prevention
Investigators believe the goal was to install the CAKETAP rootkit on the bank’s ATM switching server. That rootkit could spoof responses from hardware security modules to authorize fraudulent ATM withdrawals. Thankfully, the heist failed before the attackers could deploy it.
Broader Implications
This blend of physical hardware and cyber intrusion shows how cyber-physical attacks can threaten critical infrastructure. UNC2891 shows deep expertise in Linux/Unix systems and stealthy malware techniques.
The incident unfolded in early 2025 at a bank in the Asia‑Pacific region. Researchers confirmed that the attackers had even paid insiders or runners to implant the device physically.
Conclusion
This failed ATM hack demonstrates how small devices like Raspberry Pi can pose huge risks when attackers mix physical access with advanced malware. Bank networks must defend not just digitally but physically too. Awareness of obscure Linux tricks—and careful monitoring—can help organizations block future stealth attacks.