
That innocent little computer gathering dust in your maker drawer? Cybercriminals just proved it can breach bank ATM networks with surgical precision. A financially motivated group called UNC2891 physically planted a 4G-enabled Raspberry Pi inside a bank’s network infrastructure, turning the beloved hobbyist device into a persistent backdoor for ATM manipulation.
The attack reads like a tech thriller plot, but the execution was disturbingly simple. UNC2891 operatives gained physical access to the bank and connected their weaponized Raspberry Pi directly to a network switch serving ATMs. Armed with a 4G modem and custom Linux malware called TINYSHELL, the device established persistent remote access while completely sidestepping firewalls and network monitoring systems.
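The control that most directly counters a device planted on the ATM switch is knowing what is supposed to be on that switch. The script below is an added example for this article, not code from Group-IB, the bank, or UNC2891: it parses a switch MAC address table in the style of Cisco IOS `show mac address-table` output, reconciles it against an ATM asset inventory, and flags any MAC that is not inventoried, calling out OUIs registered to the Raspberry Pi organisations. The table rows, inventory entries and IP/MAC values are constructed for the example.

```python
"""Reconcile a switch MAC address table against an ATM inventory.

Added example for this article (not code from Group-IB or the bank involved):
export the MAC table of the switch serving the ATMs, flag every MAC that is
not in the asset inventory, and note OUIs registered to Raspberry Pi.
Sample table lines and inventory values below are constructed.
"""
import re

# Constructed MAC address table, in the style of `show mac address-table`
# on a Cisco IOS switch (VLAN, MAC, type, port). All values are invented.
SAMPLE_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 110    0050.56aa.1001    DYNAMIC     Gi1/0/1
 110    0050.56aa.1002    DYNAMIC     Gi1/0/2
 110    0050.56aa.1003    DYNAMIC     Gi1/0/3
 110    b827.eb12.3456    DYNAMIC     Gi1/0/7
"""

# Constructed asset inventory: canonical MAC -> ATM identifier.
ATM_INVENTORY = {
    "00:50:56:aa:10:01": "ATM-LOBBY-01",
    "00:50:56:aa:10:02": "ATM-LOBBY-02",
    "00:50:56:aa:10:03": "ATM-DRIVEUP-01",
}

# OUIs (first three octets) assigned to the Raspberry Pi Foundation and
# Raspberry Pi Trading in the IEEE registry. Assumption: re-check against the
# current IEEE OUI list before relying on this set in production.
RASPBERRY_PI_OUIS = {"b8:27:eb", "dc:a6:32", "e4:5f:01"}

# One data row: VLAN, dotted-quad-style MAC (xxxx.xxxx.xxxx), type, port.
_MAC_ROW_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+\S+\s+(\S+)\s*$"
)


def normalize_mac(cisco_mac):
    """Convert 'b827.eb12.3456' to canonical 'b8:27:eb:12:34:56'."""
    hexdigits = cisco_mac.replace(".", "").lower()
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text):
    """Return [(vlan, mac, port), ...] for each data row; header rows are skipped."""
    entries = []
    for line in text.splitlines():
        m = _MAC_ROW_RE.match(line)
        if m:
            entries.append((int(m.group(1)), normalize_mac(m.group(2)), m.group(3)))
    return entries


def find_rogue_devices(mac_table_text, inventory):
    """Return findings for MACs present on the switch but absent from inventory.

    Each finding is a dict with vlan, mac, port and a note; the note flags
    MACs whose OUI belongs to Raspberry Pi, the device class used in this case.
    """
    findings = []
    for vlan, mac, port in parse_mac_table(mac_table_text):
        if mac in inventory:
            continue
        note = "unknown device"
        if mac[:8] in RASPBERRY_PI_OUIS:
            note = "unknown device; OUI registered to Raspberry Pi"
        findings.append({"vlan": vlan, "mac": mac, "port": port, "note": note})
    return findings


if __name__ == "__main__":
    for f in find_rogue_devices(SAMPLE_MAC_TABLE, ATM_INVENTORY):
        print(f"VLAN {f['vlan']} port {f['port']}: {f['mac']} -> {f['note']}")
```

Run against a real export, this reports the port the unknown device sits on, which is the fact a responder needs to go and physically inspect it. An OUI match is only a hint: MACs can be changed, so the inventory mismatch, not the vendor prefix, is the finding to act on, and port security or 802.1X on ATM-facing ports is the preventive complement to this detective check.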
You know that sinking feeling when your streaming service keeps buffering during the season finale? This Pi maintained rock-solid connectivity, beaconing home every 600 seconds like clockwork. The malware deployment included CAKETAP, a sophisticated rootkit that masked network connections and spoofed authorization messages to hardware security modules—essentially creating invisible pathways for fraudulent withdrawals.
Here’s where it gets genuinely unsettling: traditional disk forensics found nothing suspicious. The malware lived entirely in memory, employing anti-forensics techniques that made detection nearly impossible without specialized analysis. Group-IB’s Nam Le Phuong noted: “This setup enabled continuous external access to the ATM network, completely bypassing perimeter firewalls and traditional network defenses.”
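When disk forensics comes back clean, behaviour on the wire is what is left to look at, and a fixed 600-second check-in is a very regular signal. The script below is an added example for this article, not code from Group-IB or any vendor: it groups connection records by source and destination, computes the inter-arrival times for each pair, and flags pairs whose cadence is nearly constant (low coefficient of variation). The connection records are constructed, with one host beaconing every 600 seconds with slight jitter and one host connecting at irregular, user-driven times; the thresholds are assumptions to tune per environment. One caveat the case itself illustrates: this device carried its command-and-control traffic over its own 4G modem, so a sensor only on the bank's perimeter would never see that beacon; the check applies to whatever link the sensor can actually observe, including internal flow records.

```python
"""Flag fixed-interval beaconing in connection records.

Added example for this article (not code from Group-IB or any vendor): for
each (source, destination) pair, compute inter-arrival times and flag pairs
whose intervals cluster tightly around one value. Sample records below are
constructed; the 600-second cadence mirrors the interval the article reports.
"""
import statistics
from collections import defaultdict

# Constructed connection log: (epoch seconds, source IP, destination IP).
# 10.20.30.77 -> 203.0.113.10 every 600 s with a few seconds of jitter;
# 10.20.30.12 -> 10.20.40.5 at irregular intervals (normal interactive use).
SAMPLE_CONNECTIONS = [
    (1_700_000_000 + 600 * i + jitter, "10.20.30.77", "203.0.113.10")
    for i, jitter in enumerate([0, 1, -1, 2, 0, -2, 1, 0, 1, -1])
] + [
    (1_700_000_000 + t, "10.20.30.12", "10.20.40.5")
    for t in [15, 380, 395, 1210, 1900, 1930, 3600, 3650, 5000, 5020]
]


def interarrival_times(timestamps):
    """Gaps between consecutive timestamps, in seconds, after sorting."""
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]


def find_beacons(connections, min_connections=8, max_cv=0.05):
    """Return {(src, dst): (median_interval, cv)} for pairs that look like beacons.

    cv is the coefficient of variation (population stdev / mean) of the
    inter-arrival times; a value near zero means a near-constant cadence.
    min_connections and max_cv are assumed thresholds, not vendor defaults.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in connections:
        by_pair[(src, dst)].append(ts)

    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue  # too few samples to judge regularity
        gaps = interarrival_times(stamps)
        mean = statistics.fmean(gaps)
        if mean <= 0:
            continue  # duplicate timestamps only; nothing to measure
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            beacons[pair] = (statistics.median(gaps), cv)
    return beacons


if __name__ == "__main__":
    for (src, dst), (interval, cv) in find_beacons(SAMPLE_CONNECTIONS).items():
        print(f"{src} -> {dst}: median interval {interval:.0f}s, cv {cv:.4f}")
```

Real implants often add jitter precisely to defeat this test, so in practice the threshold is loosened and combined with other signals (destination rarity, byte counts that barely vary, connections outside business hours). The flagged pair here is the one with a median interval of about 600 seconds; the interactive host is not flagged because its gaps range from 15 to 1670 seconds.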
This isn’t UNC2891’s first rodeo—they’ve targeted financial networks since 2016, previously hitting Oracle Solaris banking systems. Similar Raspberry Pi ATM attacks recently surfaced in Texas, suggesting this technique is spreading faster than a viral TikTok dance.
Your next ATM visit remains safe (this particular heist failed), but the implications stretch beyond banking. When consumer devices designed for weekend robotics projects can breach enterprise security infrastructure, the line between hobbyist hardware and criminal tools has officially disappeared. The democratization of hacking just got uncomfortably literal.
Physical security remains cybersecurity’s weakest link, and a $35 computer just proved that point spectacularly.
Last modified: August 2, 2025