The FBI warns financial institutions of suspected upcoming unlimited operation attack.

In cybercrime, an “unlimited operation” (also called an ATM cashout) happens when hackers gain access to a financial institution’s account information and PINs, change the balances in different customers’ accounts, and then use that balance and login information to withdraw unbelievable amounts of money from ATMs.

In one single 2016 weekend, hackers withdrew over $500,000 cash from different ATMs by using accounts from the same bank. In January last year, a three-day spree netted hackers more than $2 million.

The beauty of an unlimited operation is how simple it is to pull off.

The first step is simply the malware, which is frighteningly easy to send to a business. According to Symantec’s 2018 Internet Security Threat Report, one out of every 131 emails sent in 2016 contained malware; in addition, attacks in which hackers infected genuine software downloads with malware increased by 200 percent in 2017.

Now, the FBI has warned financial institutions that they have reason to suspect an upcoming unlimited operation attack. These attacks have noticeably occurred on weekends–especially long holiday weekends–so that there’s a lengthy time span for the thieves to withdraw large payouts without the bank realizing anything’s wrong. By the time Monday or even Tuesday morning rolls around and the employees run a report, the thieves and their cash are long gone.

ATM cashouts are especially problematic for banks

This is because the withdrawal activity doesn’t have to be in the vicinity of the physical bank. By manipulating customers’ accounts and stealing their credentials, the hackers put that information on blank magnetic stripe cards.

These cards can be used anywhere in the world to withdraw money from the victim bank; the random customer who had $2,000 in his account suddenly have $200,000 for the thieves to begin siphoning. Once they’ve accessed the bank’s network, they can also manipulate the daily withdrawal limit to skirt the few hundred dollar maximum that many banks impose on customer ATM transactions.