HARRIS COUNTY, Texas – In a first-of-its-kind case in Harris County, nearly a quarter of a million dollars vanished from ATMs in just four days and investigators have now linked this unprecedented hacking case to an organized group with ties to Russia.
This theft, known as “jackpotting,” is a new challenge for financial crime investigators in Harris County.
“There’s other types of theft from ATMs that happens, but nothing like this,” Houston Police Department Detective Roger Collins said. He’s assigned to the U.S. Secret Service Cyber Fraud Task Force and has been unraveling the complex case for months. “It was never something that could be done remotely.”
The group targeted more than 70 ATMs across Texas, including locations in Houston, Dallas, Austin, and San Antonio, according to data shared exclusively with KPRC 2.
The first reports of this type of “jackpotting” emerged in the Houston area last September, with 51 ATMs attacked in a matter of hours and over $150,000 stolen.
The owners of these machines, often located in small businesses like gas stations and hotels, are the ones suffering the losses. These businesses are left to bear the financial burden, as the stolen cash is not deducted from any bank accounts.
Surveillance images shared exclusively with KPRC 2 show suspects using rented cars in some cases and focusing intently on their cell phones while at the cash machines.
All they need is a receipt, Det. Collins said, which they can find in nearby trash or by pulling a balance. They then take a picture of the receipt and send it to someone else who investigators believe is overseas, initiating the hack.
This allows them to remotely manipulate the ATM, tricking it into dispensing cash without any record of a withdrawal, he said. The hack makes the ATM think a normal transaction was canceled, but the money is gone, and no bank account is ever affected.
“They just keep doing it over and over until it can’t spit money out no more,” Collins said.
Over four days last fall, the group is believed to have stolen more than $236,000 in Texas.
Seven individuals have been charged, with two arrested in Harris County, one arrested in Las Vegas and extradited, two wanted, and two in custody in Miami.
The alleged U.S. leader, Vitalii Moravel, a Ukrainian war refugee on a humanitarian visa according to his attorney, faces similar charges in Georgia and Florida.
Moravel is believed to receive instructions from a “big boss” located in Russia, Det. Collins said, highlighting the international scope of this criminal operation.
Suspects charged with engaging in organized criminal activity and unlawful interception or endeavor to intercept wire, oral, or electronic communication:
- Vitalii Moravel, 32: Ukrainian national in the U.S. on a humanitarian visa after being displaced by war; arrested and in jail on similar charges in Miami
- Roman Leskiv, 28: Wanted on Harris County charges; arrested and in jail on similar charges in Miami
- Andriy Ivano, 32: Non-U.S. citizen from Ukraine, truck driver from Illinois; arrested in Las Vegas before being extradited to Harris County; pled guilty to third-degree money services act violation and was given two years of community supervision
- Alexey Kharitonov, 50: Non-U.S. citizen from Russia, arrested on similar charges in Gwinnett County, Georgia; on bond in both states and “innocent,” according to his attorney
- Mirsaftar Asgarov, 34: Case dismissed on March 13 because prosecutors say it can’t be proven beyond a reasonable doubt; non-U.S. citizen from Azerbaijan who is a locksmith in the Houston-area
- Aibek Karabalayev, 38: Not currently in custody, wanted on Harris County charges filed in February, last address in Illinois
- Alexey Zubov, 38: Not currently in custody, wanted on Harris County charges filed in late February, last address in Illinois
At least five other suspects have not yet been identified, Det. Collins said. Flight records potentially connect the group to other cases in New York, Boston, and Ohio.
The individuals seen at the ATMs reportedly receive 30% of the money, while the alleged leader, Moravel, takes 70%, much of which is believed to be converted to cryptocurrency, Det. Collins said. This conversion to digital currency makes it even more challenging for authorities to trace and recover any stolen funds.
“Some have stated that it’s sent back to the ‘The Big Boss’ via courier. And we’ve even received one report that he actually has flown in the United States to pick up cash,” Det. Collins said. “They work together just like anybody in any other business.”
The technical aspects of the hacking attacks remain unclear, and there is no definitive solution to stopping them.
“Someone has taken a lot of time to learn how to compromise and overtake these systems from a long way away,” Collins said.
While this type of ATM attack hasn’t occurred west of Texas yet, Det. Collins said Dallas was hit again recently. He advised ATM owners and operators to ensure machines are under surveillance and to report any suspicious activity, such as lingering individuals or multiple transactions, to law enforcement.
“They’re getting better every day,” Det. Collins said. “This is not going to be an isolated incident. This is not in the last place is going to happen. It’s going to continue.”
Any information on the individuals involved or seen in surveillance images should be reported to the Houston Police Department.