International Bank Robberies Leverage Adjacent Properties for Unconventional Access Routes
At a time when much of the thinking about the security of financial institutions has shifted to cyber, it is important to remember that banks worldwide still face a range of physical threats. Flashpoint analysts have observed a recent spate of bank robberies that exhibit similar tactics, techniques, and procedures (TTPs) where the criminals leveraged properties adjacent to, or in the vicinity of, the targeted bank in order to gain access.
Our analysts have observed five of these unconventional access robberies between September and December 2017. While most were conducted through the use of underground tunnels, two others conducted in April and May 2017 were carried out through ceiling access.
There were similarities among the robberies, which were staged from empty or recently unoccupied storefronts, took place primarily on weekends, and targeted safe deposit boxes. The robberies were executed with a high degree of precision, exhibited suspicious signs that were missed by authorities, were well-financed, and demonstrated expertise in pulling off such a heist.
The TTPs employed in four of the robberies are as follows:
In October 2017, 16 people were arrested and charged in connection with the attempted theft of R$1 billion reais (approximately $330 million USD) from a São Paulo branch of a major Brazilian bank. It took the group four months to dig a tunnel 500 meters from a nearby house, which had been rented by a woman using a false identity and stocked with specialized equipment to access the bank. Members of the group used a two-meter ladder to access the tunnel from inside the house. The tunnel was well constructed: it was one-and-a-half meters high, equipped with electric lighting and a ventilation system, and had walls lined with plastic garbage bags to control dust.
Experts speculate that organized crime was involved, given that the actors reportedly contributed more than R$200,000 reais each, with just under $1.27 million USD invested in the failed project.
On Nov. 19, 2017, a group of individuals broke into the strongroom of a bank in Thika, Kenya, and stole the equivalent of $500,000 USD. According to a Kenyan newspaper, the thieves dug a 30-meter-long, 10-meter-deep tunnel to the strongroom from a nearby commercial property. The thieves reportedly leveraged an existing sewer line to build the tunnel, incorporated a lighting system, and used steel bars and fitted planks to prevent collapse.
The thieves ostensibly ran a bookstore from the commercial property, which they had been renting since June 2017. To conceal the tunnel and the equipment used to dig it, the gang claimed it had not “fully settled” and would be continuing construction on the property. Thus, when neighboring shopkeepers heard suspicious sounds, they concluded that repairs were being conducted. A local police commander explained how the gang got rid of the excavated soil without arousing suspicion: “they packaged the sand in cartons and sacks, which they loaded into a vehicle. They gave the impression that the cartons and sacks contained textbooks.”
Given the precision with which the tunnel was dug, authorities speculated that the gang could have been helped by bank insiders, or by someone else with detailed knowledge of the bank’s layout.
Over the weekend of Nov. 11, 2017, burglars entered a bank in Mumbai, India and stole cash, jewelry, and other valuables from 30 customers’ safe deposit boxes totaling between 4 million and 10 million Indian rupees (INR)—approximately $62,000 to $155,000 USD. The theft was discovered the morning of Nov. 13, 2017, when bank staff escorted a customer to visit their safe deposit box and found many were opened, as well as the entrance to a tunnel through which the burglars accessed the safe deposit boxes.
The tunnel was started 30 to 50 feet away and ran underneath the office of a security agency and another portion of the building holding the bank’s ATMs before emerging into the safe deposit room. The burglars used plywood supported by small bamboo sticks to prevent the tunnel—which was a narrow 18 inches wide—from collapsing.
Starting in May 2017, a member of the group rented a general shop near the bank. The digging started the next month once the necessary tools had been assembled, including a walkie-talkie, hammer machine, drill, cutting machine, screwdriver, and a fan. Once inside, it appears the thieves attempted to access the main vault that houses the bank’s cash reserves, but were unsuccessful in doing so.
Over the weekend of Sept. 30, 2017, thieves broke into a bank in Quezon City, Philippines, stealing millions of pesos in cash and jewelry from approximately 40 safe deposit boxes. In one night, the robbers dug the two-foot diameter tunnel to the bank from a manhole on the nearby road which opened into a drainage system.
After gaining entry to the bank, the actors pulled the alarm box from the ceiling and destroyed DVRs that recorded surveillance footage; police later recovered the waterlogged DVRs from the drainage system, in addition to the tools the group left behind. Those tools included crowbars, long screwdrivers, a miner’s helmet with a flashlight, and metal-cutting saws. Several elements of the bank’s security program seemed to fail during the robbery:
• A security guard posted outside the bank did not observe any suspicious activity, but would not have been able to respond directly if he had, since he did not have the ability to access the bank.
• One of the bank’s alarm systems was shut off prior to the robbery.
• Bank officers admitted that they could not get in touch with their security personnel once the functioning alarm went off.
• Security personnel reported that the main headquarters of the bank could view real-time feeds from surveillance cameras, but did not record them.
Though it is important for financial institutions to manage their cyber risk, it continues to be important to manage physical risks as well, as shown by the examples above.
Leroy Terrelonge III
Director of Intelligence
Leroy is a Regional Threat Intelligence Analyst at Flashpoint.
Rob is a dynamic and well-rounded All-Source Intelligence and Physical Security Analyst with 20 years of multi-discipline intelligence experience. His background includes managing and developing personnel security, physical security (certified DoD Physical Security Inspector), and operations security programs for the Department of Defense. Rob’s positions have entailed tactical-level intelligence collection and reporting, providing pattern-of-life analysis and biometric tracking of high-level personalities, as well as strategic-level positions requiring POTUS level assessments on foreign military operations and counterinsurgencies. His work in the private sector focuses on cyber threat actors, such as hacktivist and patriotic hacking collectives. Rob has held Vice President positions within two large financial institutions, where he served as a Senior Analyst on their respective cyber threat intelligence teams.