Abstract
An increasing number of cybercrimes has presented new global challenges to law enforcement agencies that traditionally operate within designated geographical jurisdictions and patrol territories. The borderless nature of cyberspace has brought substantial opportunities—both legal and illegal—to its users, and many local law enforcement agencies have encountered motivated offenders taking advantage of the globally connected Internet and causing damage locally and transnationally. This study examines a high-profile case of European criminals who hacked into a Taiwanese financial institution—First Commercial Bank (FCB)—and programmed its ATMs to “spit out” cash, netting the thieves $2.6 million US dollars in the summer of 2016. Before the FCB incident, this European criminal group committed more than a hundred similar ATM hackings, victimizing dozens of financial institutions across several European countries and profiting over one billion Euros. FCB is the only case revealing specific details about the modus operandi of ATM hacking thus far, in addition to disclosing reactions from law enforcement. By analyzing qualitative data collected from different branches of law enforcement involved in the investigations, this unique case study underscores the importance of national-local law enforcement collaboration in fighting transnational cybercrime. Empirical implications are particularly valuable in the law enforcement context of “turf jealousies” when defending homeland security.
Introduction
Fighting borderless cybercrime means not only facing the natural constraints of the Internet (e.g., invisibility, anonymity, availability of guardianship) (Jaishankar, 2008) but also organizing collaborations across jurisdictions and garnering sufficient support from the various authorities impacted (Britz, 2013; Dambazau, 2010; Taylor et al., 2011). As a consequence, the clearance rate for cybercrime is relatively low compared with traditional street crimes. In order to bring cyber criminals to justice, effective law enforcement investigation requires sophisticated digital forensic skills and a clear understanding of how cybercrimes occur. However, the capacity to investigate, or even detect specific cybercrimes like hacking, varies widely across jurisdictions, which underscores the importance of collaboration among law enforcement agencies and between national and local authorities (James & Warren, 2010).
The inevitability of partnerships between law enforcement is particularly important in solving sophisticated, high-tech crime like information system hacking. Through the Internet, cyber criminals can victimize targets in physically distant locations. Since the inception of the U.S. Department of Defense’s Defense Advanced Research Projects Agency (DARPA) project in the 1970s, Internet technology developed to enable military-grade long-distance communication. What made the Internet relevant to the public was its “privatization,” in conjunction with the development of commercially available browsers and websites in the 1990s. Today, the technology behind the Internet is essentially a “network of networks” (Castells, 2002), which offers a diverse “ecosystem” of services such as information distribution, communication, entertainment, education, and business transaction. The convenience and user-friendly characteristics of the Internet have continued to draw more and more personal devices, as well as essential infrastructure (e.g., power plants, dams, communications, health care and public health, emergency services, transportation systems, water, and wastewater systems), onto the information superhighway. The Internet of Things (IoT) characterizes this converging trend that reflects a significant growth in the number of inter-connected networks and devices (Singer & Friedman, 2014). The Internet offers global access to everyone who can afford it, and three-quarters of users report that they use the Internet daily for a wide range of purposes that transcend international borders (Poushter et al., 2018). In the U.S., Internet usage rates, on average, jumped from 52 percent in 2000 to 90 percent in 2019, and nearly all young and middle-aged Americans use the Internet (Pew Research Center, 2019).
The attractiveness of almost complete dissociative anonymity in the virtual space paradoxically contributes to an increasing risk of compromised security (Jaishankar, 2008), which flourishes in the gap between the fast growth of Internet technology usage and the languid response of the social/legal system (Huang & Wang, 2009). It is unsurprising to see the rise of different forms of cybercrime (e.g., phishing, identity theft, fraud) in this “Wild Web West” (Singer & Friedman, 2014; van Wilsem, 2013; Wang & Huang, 2011). Among reported economic crimes against institutions worldwide, cyberattacks cost an average of over one million dollars per incident (PWC, 2016). Further, the economic harm caused by cybercrime is significant (Levi, 2017); Cybersecurity Ventures (2019) estimated that, between 2015 and 2021, the upward trending costs of cybercrime will double to reach 6 trillion dollars annually.
Nevertheless, little is known about the role national and local law enforcement might play in investigating cybercrimes like information system hacking and software cracking. To address this gap in the research, the current study examines a high-profile case of an ATM hacking spree in Taiwan in 2016. We specifically address the role of law enforcement agencies and their collaborative efforts investigating the ATM hacking case in the context of democratic Taiwan. Prior to this case, the criminal group had victimized dozens of financial institutions, largely in Europe, and profited more than one billion dollars, but no suspect was arrested or convicted. By analyzing qualitative data collected from interviews of involved law enforcement agencies, this study offers insight of investigative utility for national-local authorities collaborating in the fight against transnational cybercrime. This case culminated in the arrest of a hacker in Spain in 2018 (Devereux, 2018), and the present study offers practical implications for investigation and prevention of future cybercrimes.
National-Local Law Enforcement Collaboration in the U.S.
Collaboration across law enforcement agencies benefits police at many different levels, while local authorities are usually held accountable for crime control and order maintenance (Geller & Morris, 1992; James & Warren, 2010). In the United States, the federalization isolates law enforcement into fragmented segments—federal and non-federal levels (i.e., state, county, city)—to realize the political design of “checks and balances” and distributes power amongst different public entities under the Constitution (Stewart, 2011). Although no centralized authority is in charge of overall coordination, there is a long history of national-local collaboration among law enforcement agencies. As early as the 1930s, with institutional support from the International Association of Chiefs of Police (IACP), the FBI began the first national effort to develop a data bank that collects crime records from local law enforcement agencies (Zolbe, 1980). Admittedly, inconsistencies in legal definitions of crime across jurisdictions, variations in agency operational policies, political influence, and variability of available resources have collectively resulted in differing standards of data quality and inefficiencies in data reporting (Mosher et al., 2010). Despite its shortcomings, the Uniform Crime Report (UCR) has consistently been recognized as a useful product of crime data collection across agencies. Although less politically framed, the collection of cybercrime data based on citizens’ complaints to the police is also an arena where collaboration is essential. This includes, but is not limited to, data breaches, phishing, identity theft, harassment, fraud, varied malware, extortion, and advanced fee frauds (Federal Bureau of Investigation, 2018).
Under most models of law enforcement today, federal authorities shoulder the responsibility of building practical platforms of interaction between agencies, as well as international allies, and such collaboration fosters trust, professional development, and respect (Geller & Morris, 1992). Collaboration is often a two-way channel that relies on collective work between law enforcement agencies situated on task forces. Informal collaboration among law enforcement agencies also commonly takes place in an ad hoc manner, as, for example, FBI, DEA, and local investigators often realize that they target the same drug dealers (Chaiken et al., 1990). It has been pointed out that coordinated law enforcement efforts, particularly at the federal level, had steadily declined (Stuntz, 2002), and that obstacles such as intelligence sharing, communication, and a lack of centralized leadership have been to blame (Riley et al., 2006). This happened despite a substantial increase in spending on criminal justice program grants and the fact that federal agencies have strategically influenced policy-making at the local level (Stewart, 2011; Worrall, 2008). After the 9/11 terrorist attacks, homeland security quickly became an umbrella department, an institutionalized unit guiding and preparing to fight against a wide range of threats, which has brought renewed focus on collaboration among law enforcement agencies (Kean & Hamilton, 2004; Pelfrey, 2007).
Joint actions across multiple agencies, including federal and local police, have been identified as a key component for successfully defending homeland security and investigating cybercrime (Riley, et al., 2006; Stambaugh et al., 2001). In recent years, controversial immigration and human trafficking issues have required federal law enforcement agencies to actively seek input from local partners (Provine & Doty, 2011), even though disparate opinions continue to complicate police responses and operations across jurisdictions (see Decker et al., 2009; Farrell et al., 2008). This is particularly true for specially targeted offenses that require more effective national and local collaboration, such as organized crime rings, drug trafficking, cybercrime, and terrorism. Because these offenses are not typically restricted by jurisdictional boundaries and their attendant organizational responsibilities (Skogan, 2018; Stewart, 2011), high-tech, orchestrated, and transnational crimes demand more law enforcement resources to seize, search, and investigate (Geller & Morris, 1992).
National and Local Law Enforcement Agencies in Democratic Taiwan
The role of policing in Taiwan has changed significantly over the past few decades, largely because of a major change in political systems. Located off China’s southeastern coast, Taiwan (formerly known as Formosa) is a densely populated island with a current population around 23 million. Taiwan is ethnically homogeneous (Han population), and both Mandarin and English are official languages. Geopolitically, Taiwan is centrally located in the western Pacific Ocean—between Japan and the Philippines, in close proximity to many of the world’s most important shipping lanes, in a region historically occupied by the Dutch, Spain, the Qing Dynasty, and Japan. Its location is so geopolitically vital that WWII US General Douglas MacArthur once commented that Taiwan was ‘an unsinkable aircraft carrier’ of strategic importance.
Today, there are two major law enforcement agencies in contemporary Taiwan—the National Police Agency (NPA) and the Investigation Bureau (MJIB)—under the Ministry of Interior and the Ministry of Justice, respectively. The NPA represents local law enforcement that interacts with the general public in everyday policing. NPA officers wear identical uniforms, conduct street patrols, issue citations, investigate crimes, and respond to citizen complaints. Members of the agency are stationed in neighborhood-based branches (called pai-chu-suo) and engage in community-oriented policing (Kuo & Shih, 2018; Sun & Chu, 2006). In the recent three decades of democratization in Taiwan, locally elected political leaders are legally authorized to appoint their police chiefs from a list of candidates recommended by the NPA, which exercises administrative jurisdiction over all police departments and evaluates the performance of police chiefs (Cao et al., 2014). Under this governmental system, police are more sensitive to local political influences. Unlike their decentralized American counterparts, under the executive branch of the central government and policing structure, both the NPA and the MJIB are classified at the same level in the governmental bureaucracy but answer to different centers of authority. However, in terms of a “higher priority to the protection of national security functions” (Quah, 2015, p. 302), the degree of task complexity is often greater for the MJIB (e.g., counter-terrorism, infiltration prevention, international anti-money laundering efforts, domestic security investigation, intelligence collection). MJIB staff are special agents, functionally equivalent to those of federal agencies like the FBI, and as such, agents have full national jurisdiction throughout Taiwan.
The director-general of MJIB could be summoned by the president of Taiwan for consultation on high-end intelligence issues relevant to homeland security, and MJIB also maintains missions in several embassies to coordinate investigations with international allies.
Within the institutions, both MJIB agents and NPA officers are evaluated by mechanisms of performance appraisal similar to other law enforcement agents in the society. An incentive, merit-based pay structure is related to effective performance evaluation. How officers satisfy internally measured performance criteria depends upon the types of crime-fighting objectives that are the current focus of everyday policing (e.g., clearance rates, calls for service), those that are prioritized as needing urgent attention, or special case investigations. The organizational focus at any given time determines how officers will be evaluated, and in turn, affects their potential rewards, bonuses, and promotions. It has been noted that this culture of “performance first” in Taiwanese policing impacts workplace morale and drives officers toward meeting organizational goals (Cao et al., 2014).
In Western democratic societies, political and budgetary constraints can serve to minimize opportunities for local police to misuse their power. Between World War II and the termination of martial law in 1987, the police in Taiwan were basically an extended arm of the military to maintain social order. In the historical context of anti-Communism and the social context of a police state (the so-called White Terror) (see Phillips, 2003), law enforcement agencies wielded greater discretion in encounters with citizens, which often led to warrantless searches and arrests, as well as the public’s increasingly hostile attitude towards the police. As Taiwan moved toward a democratic political identity in the post-martial law period, authoritarian-oriented approaches were curtailed and police discretion has been regulated by legislation (Cao et al., 2016). In a newly burgeoning democratic Taiwan, citizens gained the right to campaign and participate in political activities through a representative system, and people became free to organize political parties (see, e.g., the formation of the largest opposition party of the time—Democratic Progressive Party or DPP) or not to join the ruling party (Kuomintang or KMT) of the time without fear of consequences (Wang et al., 2020). The paradigm change marked a shift in policing functions from preserving the distribution of existing governmental power to serving the public, promoting human rights and press freedoms, taking public opinions into consideration, and proactively preventing crime (Hsieh & Boateng, 2015; Lai, 2016; Sun et al., 2016).
In this emerging democratic society, political allegiances could still be found influencing legal authorities, particularly when political struggles broke out between the DPP and the KMT. For instance, in a highly unusual series of moves, the NPA’s leader and highest ranking official was replaced four times within an eight-year period, after the DPP’s Chen Shui-Bian, the first president from a non-KMT party, won the election and took control of the central government for two terms (from 2000 until 2008). In another example, the Director General of the MJIB, Mr. Yeh, was found to be leaking information about certain ongoing investigations to then-President Chen. Mr. Yeh was later convicted for leaking information about investigations in progress, including money laundering that involved ex-president Chen, who ended his second presidential term amid allegations of corruption and was eventually sentenced to prison. Unusual personnel changes in law enforcement and the perception of political patronage led many law enforcement officers to believe that personal connections with politicians were more important than field performance and professional qualifications in deciding promotions. Through legislative efforts and the passing of the Civil Service Administrative Neutrality Law in 2009, the agencies were formally able to institutionalize the separation of political influence from policing (Cao et al., 2014).
In addition to instability in leadership, police in Taiwan continue to face challenges in everyday policing that coincide with rapid changes in the social, economic, and political environment. For instance, urbanization has had a conditioning effect on a wide range of policing strategies, as well as on the public’s attitude toward the police in Taiwan (Wang & Sun, 2020). Research also indicates that rural officers are more likely to favor citizen cooperation and consistently demonstrate higher levels of group cohesion and solidarity in comparison to their urban counterparts (Sun & Chu, 2009). Moreover, although it is true that the crime rate is lower in Taiwan than in most Western countries (e.g., U.S.) (Chu, 2013), Taiwan’s agencies require increased cross-agency collaboration. This is due in part to a long history of barriers between local and national law enforcement on transparency in intelligence sharing and challenges to building horizontal lines of communication within bureaucratic organizations (Jiang, 2018). There also exists a need to better address crimes that garner the most public attention and cause the most harm to society, such as crimes related to drugs (Chu, 2013), youth (Steffensmeier et al., 2017), high-tech transnational crime (Hsieh & Wang, 2018), and money laundering (MJIB, 2018).
A Case Study of First Commercial Bank (FCB) ATM Hacking
The current study examines the high-profile case of FCB ATM hacking, with the aid of extensive data collected from both NPA officers and MJIB agents. Given the fact that Taiwan is the first state to arrest and convict members of the criminal group responsible for a series of ATM hacking incidents around the world, analyzing this unique case using documents and interview data collected from law enforcement hopefully provides valuable insight into the nature of these investigations. In the following section, we portray the analytic plan and detail the case, followed by discussions of pragmatic implications.
Analytic Plan
This study employs qualitative methods to obtain meaningful information about the FCB cybercrime investigation that took place across multiple law enforcement agencies. Researchers examined FCB case-related legal documents and investigative and analytic reports, in conjunction with insightful interviews of NPA police officers and MJIB special agents. In total, eight different law enforcement officers’ interview data—two from MJIB and six from NPA—are analyzed in the present study. To understand different aspects of the complicated FCB case, researchers used a purposive sampling strategy to approach potentially eligible law enforcement officers who were involved in the investigation. Two researchers independently conducted semi-structured interviews in the official local language—Mandarin—from 2017 to 2018. Each researcher interviewed sampled officers individually or jointly with another, depending upon their work setting and schedule. Contents of the interviews were later manually analyzed to retrieve the themes relevant to law enforcement collaborations and cross-agency competitions. Although case study methodology does not offer statistical generalizations, it contributes to our collective understanding of a little known phenomenon—ATM hacking—because none of the prior studies examine ATM hacking as an emerging form of cybercrime using qualitative data.
Given confidentiality concerns, this study used code names to refer to the interviewees’ statements throughout the manuscript. Participants also referred researchers to other prospective interviewees who might contribute to the construction of a case profile from the various roles involved such as digital forensics, computer forensics, criminal apprehension, and public information.
First Commercial Bank ATM Hacking: Case Profile and Modus Operandi in Brief
With a sophisticated plan, a group of European cybercriminals—Carbanak/Cobalt—used a publicly available security program named Cobalt Strike to penetrate the FCB’s networks and then hacked into 41 ATMs at 22 branches across three cities (Taipei, New Taipei, Taichung) in Taiwan on July 11, 2016 (Sancho et al., 2017). The Cobalt group targeted one particular model of ATM (PC 1500XE), which is manufactured by the German company Wincor Nixdorf International and used by financial institutions globally (Taipei District Prosecutors Office [TDPO], 2016). This model of ATM also has well-known vulnerabilities within the industry. The organized criminal group sent 22 conspirators representing eight different nationalities to pick up cash that poured out from malware-infected ATMs much like “jackpotted” slot machines. The criminals then attempted to launder the collected cash, which amounted to NT $83.3 million dollars (approximately $2.6 million US dollars). The high-profile case captured the public’s attention, and authorities felt pressured to quickly solve the incident and prevent financial panic. The fact that the vulnerabilities of this specific ATM model were well known, and that remote control had proven to yield financial gains, increased the likelihood of its being targeted in this Taiwanese case. As special agent “S” relates:
“This is a totally rational and well calculated operation. . .if they have done it before and have not been caught [by the police], it is easy for them to replicate the modus operandi here [in Taiwan]. . .once you know you can easily remote control ATMs to spit out cash in a few seconds, this is definitely easy money, a very lucrative gain.” (special agent “S”)
According to the MJIB’s cybercrime section chief and documents, the modus operandi utilized by the Cobalt group to penetrate the FCB network can be briefly broken down into three steps (see Figure 1). First, the hackers prepared an attack operation and developed the malware to infect targeted ATMs. Digital forensics show that hackers began a system invasion from an IP address in Switzerland on May 31, 2016 and penetrated the FCB London branch’s voice recording system that connects to the company’s internal network. As an investigator in the FCB case, agent “S” adds:
“Investigation showed that one alleged explanation [for the FCB case] is the hackers infiltrated a voice recording system in London through ‘spear phishing’ against an administrator who holds specific credential in the first place. . . this is a very common ‘social engineering’ that hackers would use to trick individuals into clicking on something they should not click like a hyperlink, an image, an ad.” (special agent “S”)
Second, hackers infiltrated FCB internal servers by deploying the malware through the FCB’s Intranet. With credentials obtained from the London branch, hackers dispatched five executable files related to cash-dispensing and trace-wiping on the NCR server. Hackers then breached an administrator’s account at the FCB’s headquarters in Taiwan and delivered fake package files (with the filename extension “.DMS”) on the access point (AP) servers that are only recognized by ATMs for updating programs. Once the targeted ATMs finished updating with the disguised malware, the thieves were halfway through setting up the jackpotting scheme.

[Figure 1. FCB ATMs hacking.]
Once the targeted ATMs finished updating with the malware, both telnet service and file transfer protocol (FTP) were enabled to allow remote connection among ATMs to execute pre-installed malware on the NCR server. The entire process of Intranet infiltration and infection took about 6 weeks. The third step was to access the ATMs’ cash, for which money mules were assigned to designated ATMs from July 9 to July 11, 2016, when an intense typhoon had just passed Taiwan. On the day of the cyberattacks, mules contacted hackers who remotely controlled the ATMs to dispense cash and to execute a trace-wiping file removing their digital footprints. The final step involved money mules transporting, transferring and hiding the stolen cash, and facilitating the process of money laundering upon receiving further instructions from the Cobalt group.
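An added example, not part of the original study or of any tooling used by FCB, the MJIB, or the NPA: the modus operandi above leaves two observable traces on an ATM fleet, an update package applied outside change control and telnet/FTP services appearing on an ATM afterward, and the Python below checks an event feed for both. The event format, host names, package names, ticket IDs, and 24-hour correlation window are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events (NOT data from the FCB case). Hypothetical format:
#   timestamp|host|event|key=value;key=value
SAMPLE_EVENTS = """\
2024-03-04T02:10:00|ATM-001|update_applied|package=PKG-A.DMS;ticket=CHG-1001
2024-03-04T02:15:00|ATM-001|service_listening|port=443
2024-03-05T03:00:00|ATM-002|update_applied|package=PKG-B.DMS;ticket=
2024-03-05T03:05:00|ATM-002|service_listening|port=23
2024-03-05T03:05:30|ATM-002|service_listening|port=21
2024-03-06T01:00:00|ATM-003|update_applied|package=PKG-C.DMS;ticket=CHG-1002
2024-03-06T01:20:00|ATM-003|service_listening|port=21
2024-03-08T09:00:00|ATM-004|service_listening|port=23
"""

# Assumed change-management records: tickets that authorise an ATM update.
APPROVED_TICKETS = {"CHG-1001", "CHG-1002"}

# Services the article reports being enabled on ATMs after the fake update.
REMOTE_ACCESS_PORTS = {21: "ftp", 23: "telnet"}

# Assumed correlation window between an update and a new listening service.
WINDOW = timedelta(hours=24)


@dataclass
class Event:
    time: datetime
    host: str
    kind: str
    fields: dict


def parse_events(text):
    """Parse the pipe-delimited feed into Event records, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, kind, detail = line.split("|", 3)
        fields = dict(kv.split("=", 1) for kv in detail.split(";") if kv)
        events.append(Event(datetime.fromisoformat(ts), host, kind, fields))
    return sorted(events, key=lambda e: e.time)


def find_suspicious(events, approved_tickets, window=WINDOW):
    """Return (host, rule, detail) tuples for events worth an analyst's review.

    Rules:
      unapproved_update            update with no matching change ticket
      remote_service_after_update  telnet/FTP appears within `window` of an update
      remote_service_unexplained   telnet/FTP appears with no recent update
    """
    last_update = {}   # host -> time of most recent update
    findings = []
    for ev in events:
        if ev.kind == "update_applied":
            last_update[ev.host] = ev.time
            if ev.fields.get("ticket", "") not in approved_tickets:
                findings.append(
                    (ev.host, "unapproved_update", ev.fields.get("package", "?"))
                )
        elif ev.kind == "service_listening":
            service = REMOTE_ACCESS_PORTS.get(int(ev.fields["port"]))
            if service is None:
                continue  # not a remote-access service this check covers
            updated = last_update.get(ev.host)
            # A valid ticket does not clear this rule: in the case described,
            # the packages were pushed through a breached administrator account.
            if updated is not None and ev.time - updated <= window:
                rule = "remote_service_after_update"
            else:
                rule = "remote_service_unexplained"
            findings.append((ev.host, rule, service))
    return findings


if __name__ == "__main__":
    for host, rule, detail in find_suspicious(
        parse_events(SAMPLE_EVENTS), APPROVED_TICKETS
    ):
        print(f"{host}: {rule} ({detail})")
```

ATM-003 is flagged even though its update carries an approved ticket, which is the case that matters when the update channel itself is operated with stolen administrator credentials.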
Conventionally, financial institutions and companies might tend to cover up cyber incidents out of concern for damaging the reputation of their business, losing customer confidence, and possibly compromising the status of working relations with regulating authorities (Taylor et al., 2011). In this case, however, the FCB decided to work with law enforcement agencies from the inception, and one strategy was to distribute the news of the ATM hacking and the suspects’ photos through all types of media coverage right after the cash was withdrawn. Before the Cobalt group could relax and enjoy their illegal gains, three mules were apprehended by the police in Taiwan on July 17, 2016, and the district prosecutor’s office (TDPO) issued an arrest warrant for the remaining 19 suspects who had fled. Later in September, the TDPO charged the mules with multiple criminal offenses against computer security and recommended that the judge impose a 12-year sentence for each offender. Taiwan is one of many countries that have suffered from ATM hacking arranged by Cobalt, yet it is the first state to solve their hacking-related crime. Subsequently in 2018, one of the alleged ringleaders of the current case was arrested in Spain (Devereux, 2018). It has been argued that the positive outcome was elevated by the cooperation between the MJIB and the NPA along with other members of Taiwanese law enforcement and international collaborators.
Pragmatic Implications: Collaboration between Law Enforcement Agencies
National-local law enforcement collaboration has been a controversial part of operations for decades in many democratic societies, as competition for budget resources and “turf jealousies” between agencies are well-known disincentives to cooperation (Geller & Morris, 1992). For example, in the U.S., compared with the FBI, some federal law enforcement agencies like the Bureau of Alcohol, Tobacco, Firearms, and Explosives (ATF) appear to have a better working relationship with local police. This is probably because the ATF has more specific areas of expertise that are less likely to overlap with, and more likely to supplement, those of local police agencies. On the other hand, the organized FBI predated many formal police departments where local law enforcement agencies were developing, and local police often had to share jurisdiction with the federal bureau that had few specific federal crimes to focus on (FBI, 2018). Traditional bureaucratic boundaries and competition in policing assignments, resources (Stewart, 2011), and organizational culture (Cohen, 2017) are barriers to collaborative relationships among national-local law enforcement agencies. In addition, the FBI’s prioritization of fighting local corruption often included investigating illegal activities within police agencies (Geller & Morris, 1992).
In Taiwan, the NPA tends to have better collaborative relationships with other law enforcement agencies (e.g., Immigration Agency) than with the MJIB. Three interviewed NPA officers (Commander “L1”, Chief “C2”, Supervisor “C1”) mentioned their collaborations with the Immigration Agency and/or the Airport Police during the investigation, while no MJIB agent addressed this point. Although both the NPA and the MJIB are organized at the same hierarchical level within the central government’s bureaucracy, the MJIB—like its equivalent the FBI—is tasked with prioritizing a number of national major crime investigations such as counter-terrorism, public corruption, white collar crime (e.g., economic crime, money laundering) and cybercrime. Given the complexity of foreign affairs and diplomatic relations, the Taiwanese official liaison and member of the Egmont Group Financial Intelligence Units (FIU) is the MJIB. As officers in the Taipei City Police Department [TCPD] pointed out:
“for dealing with financial related affairs [crime], MJIB enjoys priority. . .therefore, FCB would approach MJIB to file the financial loss and complaints in the first place.” (Supervisor “C1”, Criminal Investigation Division [CID])
“Let me put it in this way, MJIB investigates two [significant] cases per year, while we police have to handle a case every other day, but people believe MJIB agents are of higher quality than us. If I could just work on two cases per year, I could do better investigations. So, this is an apple-and-orange comparison which cannot be practical. I worked with MJIB before, and I think NPA’s investigation capacity is no less than MJIB. . . Financial industry is reluctant and unwilling to file incident reports with us [the police], and they tend to report to MJIB. . .because they believe that MJIB would handle cases well, while the police would leak information for media coverage.” (Commander “L1”, CID)
These statements underscore that the goals of crime-fighting missions are commonly blurred across levels of policing, which can produce incremental competition and even interagency tension between local and national agencies. It has been noted that crises and significant crimes place pressure on the roles of networks and leadership in interagency collaboration (Waugh & Streib, 2006). Such a situation is especially likely when both local and national policing are involved in a high-profile case like the FCB incident. As TCPD officers commented:
“MJIB takes the lead in computer forensics [in FCB case]. . .but MJIB does not have a good working relationship with NPA. . . They [MJIB] would like to grow their capacity for digital forensics, but I think NPA has compatible abilities in this area. . .in the current case, we [NPA] worked on investigating malware intrusion that MJIB would like to take over. . .” (Commander “L1”, CID)
“. . .our roles [in FCB case] are liaison of international law enforcement agencies and data analysis, including digital forensics, and this is our strength. . . but we are competing with MJIB in the area of digital forensic” (Supervisor “C4”, CID)
Before the collaborative relationship between the NPA and the MJIB was developed in the FCB case, there were issues raised within the police regarding jurisdiction. The analysis of interviews also revealed that interagency collaborations operating at the local policing level “seem to experience the high level of estrangement from their counterparts” (Cohen, 2017, p. 893). This may result from turf jealousies derived from the “performance-first” organizational culture in Taiwanese policing. Intelligence and resource sharing between local police agencies were somewhat blocked. As NPA officers recalled:
“At the beginning of investigation, it was a bottom-up, not top-down approach that it is supposed to be, which is time consuming. . .we surveyed each bank for potential victimization of ATM hacking and then narrowed down to First Commercial Bank only. . .because ATM hacking happened all over the different jurisdictions. . .many police precincts set a special task force for this [FCB case] initially. . .we [the police] lost direction on the investigation and were unsure what happened. . .should we use the NPA to lead the case and ask all precincts to share resources and cooperate with the investigation?” (Chief “C2”, Third Precinct, Keelung City Police Bureau)
“At the beginning, the FCB case was thought [by the NPA police] to be a regular fraud ring where a member was sent to pick up the cash [from an ATM]. . .It feels like that there was a lack of one central command during the initial stage of investigation. Different police branches provided inconsistent lists of suspects for investigating the same case. While everyone worked on the same case, they were holding different levels of information and resources. I believe we [the police] wasted a lot of time on not sharing and integrating intelligence internally.” (Detective “T1”, CID)
In terms of cybercrime fighting, the present study confirmed that there are strong incentives for national-local collaborations when an individual or a group of criminals operates across jurisdictions or state/national borders and causes substantial damage (e.g., Kevin Mitnick, Cobalt group). The complexity of the FCB case, involving both traditional crime investigation strategies and advanced technologies to combat ATM hacking, further highlights the need for local police (NPA) to team up with the national agency (MJIB). This emergent collaborative relationship between the NPA and the MJIB accords with Mitchell et al.’s (2015) observation that law enforcement collaboration between agencies would develop because of the need for innovative and creative approaches to break the deadlock, improve operations, and achieve the desired outcomes. The TCPD officers explained: “I don’t think we compete with them [MJIB] in digital forensics, despite concerns in the current [FCB] case they are in charge of the computer forensic investigation. . .and we agree with their [crime investigation] perspectives presented in the indictment. . . I still believe the most important thing is to arrest money mules and seize the stolen cash. . .” (Commander “C3”, CID) “I believe this [FCB] case should be considered as two parts. First, someone needs to get the money back because this is a heist case, and later on, we need to establish where the bagmen go and how the money would be laundered. These all rely on our [local police] investigation in the physical environment . . .” (Supervisor “C4”, CID) “Even though we might have miscommunication and disagreement with MJIB on dealing with this [FCB] case, we still built a good collaborative channel with them. . .we all are very busy. . .they [MJIB] present digital forensic evidence and sort out the modus operandi, but we figure out how to get the money back and search and apprehend the bagmen. . .one thing is undeniable, the MJIB has professional expertise in computer forensics and we receive training from them, the NPA needs to learn more in this area.” (Supervisor “C1”, CID) “MJIB primarily communicate through Taipei District Prosecutors Office because of their leading role in investigation. . .we could have more meetings [to facilitate resource sharing]” (Special Agent “L”)
These statements underlined that collaboration allows authorities to take full advantage of the additional investigative skills and prosecutorial tools necessary to deal with criminals that exist both in physical and virtual environments. Indeed, partnership is an essential toolkit to establish efficient channels for information exchange across agencies (Mitchell et al., 2015).
With that said, Taiwanese authorities could solve the FCB case within a few days because of the cohesive collaboration of national-local law enforcement, which is indicated by clearly separated and focused tasks for each side. In this case, the MJIB effectively processed computer forensics, and the NPA broadcast suspects’ information to the general public, tracked and seized the stolen cash, and arrested suspects. Officers acknowledged that effective leadership is important within the police, especially to frontline responders. Moreover, with positive community-oriented policing and a good relationship between citizens and the police in local communities, citizens were eager to contact the police and to provide information that led to the arrest of three bagmen.
“Initially, citizens reported to the police that some foreigners suspiciously withdrew money without touching ATMs. Another citizen reported that a pile of NT $60,000 dollars was left on the floor next to an ATM. I personally think these citizens’ reports are important because we [law enforcement] might not even notice the incident even after all suspects left Taiwan.” (Detective “T1”, CID) “I was impressed by enthusiasm of three citizens who made [initial] reports to the police. . .when the news of suspects was broadcasted on mass media, an Airbnb owner who happened to host a suspect contacted us right away” (Chief “C2”, Third Precinct, Keelung City Police Bureau) “Taiwanese citizens are indeed enthusiastic and alerted [about crime]. . .I think that coordinated collaboration [of law enforcement] in many aspects leads to a good outcome of the case.” (Special Agent “L”) “Specifically, leadership, clear and separated responsibility, information and resource sharing, and cross-agency collaboration. . .are attributable factors to this successfully solved case” (Chief “C2”, Third Precinct, Keelung City Police Bureau)
This case later attracted international attention, especially in the law enforcement field, not only because the Taiwanese authorities recovered more than 90 percent of the stolen cash (approximately $2.4 out of $2.6 million US dollars) but also because Taiwan is the first state to arrest, prosecute, convict, sentence, and imprison three members of the Cobalt group, which has allegedly committed more than a hundred ATM heists globally (Devereux et al., 2018; Finkle & Wu, 2017). As a TCPD officer highlighted: “Two months after the Taiwanese FCB incident, the same criminal group [Cobalt] used the same technique and committed another ATM attack in Romania. Several bagmen recognized from the FCB case were also involved in that case. There were quite a few similar criminal incidents that have occurred across Europe. . . they [Europol] are familiar with this type of crime, even have identified a few suspects, but Europol has not arrested anyone [at the time of interview] because of insufficient evidence. . .we shared the investigation process, computer forensic results and other case related reports with Europol, our experience intrigued them on case follow up. . .” (Supervisor “C4”, CID)
Ultimately, the FCB case led to the arrest of a hacker in Spain in March 2018. Even though Taiwan is a state that has not been officially recognized by many countries, political institutions, and international forums, the positive outcome of the FCB case highlights the competency and professionalism of Taiwanese law enforcement in dealing with transnational crime and cyber investigations. The FCB case demonstrates Taiwanese authorities’ capacity to work with international allies in fighting economically driven cybercrime. As a TCPD officer explained: “. . .We report the [FCB] case to the Interpol because such type of crimes usually occurred in Europe, however, we have insightful details. Interpol are very eager to cooperate, although Taiwan is not a member. . .I do not perceive the constraints of non-Interpol membership regarding information sharing that we used to have. . .because of FCB case, Europol invited us to meet with them three times to exchange anti-cybercrime experience in Taiwan, and they also share the European experience. . .” (Commander “C3”, CID)
Cybercrime is borderless; this form of crime can occur beyond the physical constraints and human-made barriers that relate to traditionally defined jurisdictions. Such a feature also implies that the challenges of patrolling cyberspace would demand more non-traditional thinking and investigation strategies, resources, and collaboration across agencies and states. Law enforcement agencies in Taiwan agreed on this phenomenon but expressed it in different ways: “The positive outcome for this [FCB case] was a result of collaboration across law enforcement agencies and legal authorities. . .it [solving cybercrime] might be impossible, if not to mobilize large scale resources” (Special Agent “L”) “. . .we [police] presented the current case [FCB case] and investigation information along with digital forensics evidence to law enforcement agencies in the United States, Thailand, South Korea, Europe etc. . . afterwards, we received requests for international investigative cooperation from China. . .and the Netherlands….” (Supervisor “C1”, CID) “International corporations, indeed, may face political pressure on the ‘one China policy’ from many states. . .but for cybercrime this might be a different issue. . .[for example] Mainland China, a communist society, and America have not yet found a good way to discuss criminal cases. . . when they [U.S.] conducted cybercrime investigations, they found many [Chinese] hackers use the proxy servers in Taiwan as a path of attack and want us [Taiwan] to help figure out what happened. We are on a very unique position.” (Commander “C3”, CID) “Despite the fact that Taiwanese authorities successfully solved the FCB case, technically, we have no clue as to who the real hacker behind this incident was. . . still, we are closer to identifying and apprehending more members of the Cobalt group than any other country. . . more importantly, we should jump out of the box of traditional crime investigation because cybercrime happened in a virtual space with anonymity and no boundaries.” (Special Agent “S”)
The experience of the Taiwanese FCB case offers practical lessons for similar foreseeable cybercrimes (see Volz, 2018) and demonstrates the nature of relations between law enforcement agencies. Details of the modus operandi and investigation provided by the investigating agents highlight the risks of cyber victimization, particularly how contemporary criminals take advantage of the Internet to “rob” financial institutions in the international community (Sancho et al., 2017). Moreover, given its geopolitical position in the world, Taiwan is at the forefront between democratic and communist regimes and may be targeted by more cyberattacks. With the largest number of Internet users, the Chinese government maintains tight control over telecommunication infrastructure and enforces an Internet censorship system by policing citizens’ speech in cyberspace, both behind the “Great Firewall of China” and overseas (Liang & Lu, 2010). As one of the officers suggests: “Taiwan cannot join Interpol because of China, especially the chair [at the time of interview] is from China. . .we never stop exchanging information with the police in China though. . .International community is very interested in Taiwan’s ability of investigating cybercrime. . .Western countries recognize our cyber forensics and Taiwan’s international status. Because we are democracy and China is a communist country, it is difficult for U.S. to communicate with and understand China. Quite some investigations of cybercrime routing through Taiwan. . .China’s cyber investigation is mysterious [to Western countries] because they have a lot of Internet military, and the scale is huge. . .North Korea also has a lot of Internet military. There are many usages of Internet military. . .” (Commander “C3”, CID)
Discussion and Conclusion
With rich and insightful qualitative data collected from a rarely disclosed high-profile cybercrime incident of ATM hacking, this case study identified the essential role of national-local law enforcement collaboration in high-tech crime investigation and contributed pragmatic implications for combating cybercrimes. First of all, the very technology of the Internet has changed many “rules of the game” in the information era and also in physical environments. Significantly, from both policy and conceptual perspectives, cybercrime prevention requires more than just local law enforcement, as online perpetrators may not be physically present at the crime scene but appear in the virtual environment. The FCB case indicated that while the general public became increasingly comfortable with a wide range of online services, criminals have creatively “weaponized” the Internet—essentially, an information and communication technology—to illegally take financial advantage and cause considerable damage, in contrast to traditional bank robberies that take place with guns and explosives. Thus, if using information technology has become a routine for ordinary people, public policy should aim to increase the awareness of online safety issues among the general population.
Next, given the borderless nature of cyberspace, fighting against cybercrimes such as ATM hackings appears to be an issue that is inseparable from the agenda of homeland security, suggesting local police usually require additional tools and resources to mitigate technology-driven offenses. Practically, local police encounter residents daily and have a lot they must take care of with few monetary resources, whereas national law enforcement usually has little it must do with a large resource base to work with. These two groups of law enforcement are distinguished primarily by jurisdiction, and secondarily by specialization and resources, and in opposite directions. The present study suggests that without effective collaboration between the MJIB (with its expertise in computer and digital forensics investigation) and the NPA (with its expertise in community-oriented policing), the FCB case involving more than a thousand ATMs in Taiwan might not have been solved (Reuters, 2016). The FCB case evidenced that MJIB and NPA collaboratively process, share, and evaluate important intelligence, coordinate investigations, and present a “united” image projected by the Executive branch. Law enforcement agencies should pragmatically develop transparent communication and intelligence sharing channels and restructure the hierarchical responsibility within police organizations to respond to upward-trending cybercrime and hacktivism. Also, given Taiwan’s unique combination of geopolitical position, western-style democracy, and preserved Chinese culture, its experience of fighting against transnational cybercrime can be well communicated between two sides of the Pacific Ocean. Amidst a backdrop of 21st century information warfare and U.S.-China trade war, Taiwan can expect to be at the forefront of conflicts, including those emanating from cyberspace, and perhaps take on the role of a moderator facilitating cybercrime investigation.
Finally, the current FCB case also indicated that human Internet users seem to be one of the weaker spots (Mitnick & Simon, 2001), even in an industry that maintains stringent network and computer security policies (Williams, 2016). Given the increasing trend of using the Internet in the workplace and the growing number of Internet-enabled electronic devices, cybercrime-related victimizations are likely to occur with increasing frequency. The COVID-19 pandemic may serve to accelerate this trend, as many employees have to work from home because of quarantine or stay-at-home/shelter-in-place orders. Thus, a meaningful portion of the organizational efforts towards cybercrime prevention should be allocated to provide cybersecurity training to employees, with an emphasis on phishing and online risky behaviors. By being more aware of the modus operandi of ATM hacking, as well as the significance of law enforcement collaboration, policymakers and researchers might improve the strategies of cybercrime prevention.
Footnotes
Declaration of Conflicting Interests
The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.
Funding
The author(s) received no financial support for the research, authorship, and/or publication of this article.
