The Pune police on Friday said hackers who targeted the Cosmos Bank earlier this month used some people to “physically withdraw” Rs 78 crore from 28 countries using cloned ATM cards, reported PTI. On August 14, a server of the bank was reportedly hacked and more than Rs 94 crore allegedly transferred to bank accounts outside the country. The bank has its headquarters in the city of Pune in Maharashtra.

“The United Kingdom, United States, Russia, United Arab Emirates, and Canada are among the 28 countries from where Rs 78 crore was withdrawn physically, using cloned cards,” said Jyotipriya Singh, Deputy Commissioner of Police (Cyber and Economic Offences Wing). She added that the cyber cell would get in touch with the law enforcement agencies of these countries for further action. The cyber cell’s aim would be to identify the “money mules” used to withdraw the money in the 28 countries, she said.

Singh said the unidentified hackers must have conducted a study of the bank’s system. “We suspect that the bank must have received some sort of alerts before the attack and we are waiting for the security audit report from the bank,” she said.

After the incident, the police in Pune filed a First Information Report against an unidentified person and a Hong Kong-based company. Bank officials suspected a malware attack on a server located at the bank’s headquarters on Ganeshkhind Road in Pune. An unidentified official said Rs 80.5 crore was first transferred to a foreign bank through 14,849 debit card transactions on August 11, and another Rs 13.9 crore was transferred through a SWIFT transaction two days later.

The second transaction was allegedly made to the account of ALM Trading Limited at Hang Seng Bank in Hong Kong, News 18 reported. According to the FIR, information of thousands of debit cards were stolen during the malware attack.

A part of the sum withdrawn fraudulently, Rs 13.5 crore, was transferred to Macau, reported The Indian Express. “On tracking the second transfer, it came to light that the money was then transferred to the account of an investment banking company from where it made its way to Macau,” said an unnamed senior police officer.

Large withdrawals in Macau are common as it is a popular gambling destination with no foreign exchange controls, said the officer. “This makes it ideal for fraudsters who want to make withdrawals of large sums without raising eyebrows,” said the officer. “In this case, too, we suspect the withdrawals will be made there.”

So far, the police have recovered around Rs 4 lakh from actual customers of the bank who happened to be withdrawing cash at the same time when the hackers were active. They ended up withdrawing more money than their account balance, said Singh. “These people are original cardholders, who withdrew money from the ATMs during the time the malware or proxy switch server was active,” she said.