
Raspberry Pi ATM Heist
A Low-Cost Device, a High-Risk Breach
The Raspberry Pi ATM heist uncovered in July 2025 reveals how basic hardware can be used in high-stakes cybercrime. The LightBasin hacking group, also known as UNC2891, planted a 4G-enabled Raspberry Pi into a bank’s network, physically connecting it to an ATM switch. This bypassed standard cybersecurity perimeters and created a covert channel for unauthorized access.
This device allowed attackers to move laterally through the bank’s internal systems. Group-IB, which investigated the incident, found that the intent was to spoof ATM authorizations and execute fraudulent cash withdrawals.
Combining Physical Access with Remote Persistence
Unlike conventional remote intrusions, this Raspberry Pi ATM heist involved direct physical access—either by LightBasin operatives or a compromised insider. The device hosted TinyShell, an open-source backdoor, and used mobile data to establish outbound command-and-control (C2) access.
From the Raspberry Pi, the attackers pivoted to the bank’s Network Monitoring Server and then the Mail Server. This chain of lateral movement leveraged existing network privileges to maintain access, even if the physical device was later removed.
Evasion Through Anti-Forensics
LightBasin used multiple anti-forensics strategies to evade detection. For example, they named their backdoors ‘lightdm’—a legitimate Linux display manager process. They also mounted alternative filesystems like tmpfs and ext4 over malicious process paths (/proc/[pid]). These methods obscured key metadata and blocked forensic tools from identifying the activity.
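A simple host check for the over-mount trick described above, written for this article as an added example (it is not Group-IB's tooling or anything recovered from the incident). It parses text in the format of /proc/mounts and flags any mount whose mount point sits on or under a per-process directory such as /proc/4217; the sample mount table, the PIDs and the device names in it are constructed, not taken from the case.

```python
import re

# A mount point on or under a per-process procfs directory (/proc/<pid> or below).
# The procfs root (/proc) and /proc/sys/... deliberately do not match.
PROC_PID_RE = re.compile(r"^/proc/(\d+)(?:/|$)")

# Constructed sample in /proc/mounts layout: "device mountpoint fstype options dump pass".
# The two /proc/<pid> entries imitate the technique in the article: a tmpfs and an
# ext4 volume placed over a process directory so the kernel's view of it is hidden.
SAMPLE_PROC_MOUNTS = """\
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
tmpfs /proc/4217 tmpfs rw,nosuid,nodev 0 0
/dev/sda1 /proc/5120 ext4 rw,relatime 0 0
binfmt_misc /proc/sys/fs/binfmt_misc binfmt_misc rw,relatime 0 0
"""


def parse_proc_mounts(text):
    """Parse /proc/mounts-style text into a list of dicts (one per mount)."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # blank or truncated line
        device, mountpoint, fstype, options = parts[:4]
        # /proc/mounts encodes spaces in paths as the octal escape \040
        mountpoint = mountpoint.replace("\\040", " ")
        entries.append(
            {"device": device, "mountpoint": mountpoint, "fstype": fstype, "options": options}
        )
    return entries


def find_proc_overmounts(entries):
    """Return (pid, fstype, mountpoint) for every mount that covers a /proc/<pid> path."""
    hits = []
    for entry in entries:
        match = PROC_PID_RE.match(entry["mountpoint"])
        if match:
            hits.append((int(match.group(1)), entry["fstype"], entry["mountpoint"]))
    return hits


def scan_live_system(path="/proc/mounts"):
    """Run the same check against the running host's mount table."""
    with open(path) as fh:
        return find_proc_overmounts(parse_proc_mounts(fh.read()))


if __name__ == "__main__":
    for pid, fstype, mountpoint in find_proc_overmounts(parse_proc_mounts(SAMPLE_PROC_MOUNTS)):
        print(f"WARNING: {fstype} mounted over {mountpoint} (pid {pid}); process metadata is masked")
```

Run it from the host's own mount namespace (not from inside a container), since mounts made by the intruder's process are only visible there. A mount table is also something a root-level intruder can tamper with, so treat a clean result as one data point and corroborate with an offline disk image or memory capture rather than trusting the live host alone.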
Group-IB found that the Network Monitoring Server was beaconing to the Raspberry Pi every 600 seconds on port 929. This confirmed the device as a long-term pivot host within the infrastructure.
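The 600-second heartbeat is the kind of regularity a network defender can look for in flow data. The following detector is an added example written for this article, not Group-IB's method: it groups flow records by source, destination and destination port, measures the gaps between connections, and flags a pair whose gaps are both numerous and nearly constant. The flow records, the IP addresses and the timings are constructed to mimic the behaviour described, and the record layout (timestamp, source, destination, port) is an assumption about whatever NetFlow or conntrack export a site actually has.

```python
import statistics
from collections import defaultdict

# Constructed flow records: (unix timestamp, src, dst, dst port).
# Eight connections spaced about 600 s apart with a little jitter stand in for the
# monitoring server beaconing to the planted device on port 929 (addresses made up).
BASE = 1_753_000_000
SAMPLE_FLOWS = []
for i, jitter in enumerate((-2, 1, 0, 2, -1, 0, 1, -2)):
    SAMPLE_FLOWS.append((BASE + 600 * i + jitter, "10.0.5.20", "10.0.5.77", 929))

# Ordinary, irregular traffic from the same host that must not be flagged.
SAMPLE_FLOWS += [
    (BASE + 37, "10.0.5.20", "10.0.9.10", 25),
    (BASE + 512, "10.0.5.20", "10.0.9.10", 25),
    (BASE + 1999, "10.0.5.20", "10.0.9.10", 25),
    (BASE + 2400, "10.0.5.20", "10.0.9.10", 25),
    (BASE + 2470, "10.0.5.20", "10.0.9.10", 25),
    (BASE + 3300, "10.0.5.20", "10.0.9.10", 25),
]


def find_beacons(flows, min_count=5, max_cv=0.1):
    """Flag (src, dst, dport) tuples whose connection gaps are regular enough to be a beacon.

    min_count: minimum number of connections before a pair is considered.
    max_cv:    maximum coefficient of variation (stdev / mean) of the gaps; a
               fixed sleep with small jitter gives a value near zero.
    """
    groups = defaultdict(list)
    for ts, src, dst, dport in flows:
        groups[(src, dst, dport)].append(ts)

    hits = []
    for (src, dst, dport), stamps in groups.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        mean_gap = statistics.fmean(gaps)
        if mean_gap <= 0:
            continue  # duplicate timestamps only; nothing periodic to measure
        cv = statistics.pstdev(gaps) / mean_gap
        if cv <= max_cv:
            hits.append({
                "src": src,
                "dst": dst,
                "dport": dport,
                "count": len(stamps),
                "median_interval": statistics.median(gaps),
                "cv": round(cv, 4),
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_FLOWS):
        print(f"possible beacon: {hit['src']} -> {hit['dst']}:{hit['dport']} "
              f"every ~{hit['median_interval']:.0f}s over {hit['count']} connections (cv={hit['cv']})")
```

The coefficient-of-variation threshold is what separates a sleep-loop from ordinary traffic: the mail-server flows in the sample have gaps ranging from 70 s to almost 1500 s and are dropped, while the 600-second pattern passes easily. On a real network, run the check over a window of several hours so that sparse but regular pairs accumulate enough connections, and pay particular attention to hits where the destination is a host nobody can account for in the asset inventory.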
A Pattern of Advanced Threats
This was not LightBasin’s first sophisticated attempt. The group is also known for developing Caketap, a rootkit that manipulates Payment Hardware Security Module (HSM) responses to authorize transactions normally blocked by banks.
In this attack, the goal appeared to be the deployment of Caketap within the network. However, the plan was interrupted before the malware could be activated.
Reassessing Risk: Hardware and Human Vectors
The Raspberry Pi ATM heist shows how cybersecurity blind spots can emerge from physical access combined with software persistence. Rogue employees, unsecured endpoints, and network blind zones all contributed to this breach. Financial institutions must now consider physical attack vectors alongside digital ones when designing threat models.
Can traditional cybersecurity frameworks adapt fast enough to detect and defend against these hybrid threats?