Programmer Hacks ATM Withdrawing Over $1 Million
Chinese senior programmer for Huaxia Bank in China, Qin Qisheng, exploited a flaw in the bank’s system and withdrew more than 7 million yuan, or the equivalent of over 1 million USD throughout nearly 2 years.
In 2016, Qisheng says that he caught a loophole in the banking script that allowed him to trick the ATM into thinking that no money had been withdrawn. The bug left no record of transactions made on or around 12 a.m. from the bank’s ATMs. While this was usually flagged in the system and manually changed, the programmer inserted a few scripts of code that would disable this flag on accounts entirely.
Starting in November of 2016, Qisheng made withdrawals from the ATM ranging from 5000 to more than 20,000 yuan from a dummy account that Huaxia used to test its systems. The system never registered the transactions and Qisheng would either deposit the money into his personal account or invest it into the stock market. By the end of January 2018, he had stolen more than 7 million yuan.
When Huaxia Bank discovered the thefts, they escorted Qisheng to the police. After speaking with the authorities for a short amount of time, Huaxia, despite missing such a large sum of money from their accounts, they decided not to press charges against the 47-year-old senior programmer. It’s believed that this might have been because the company wanted to save face and to keep word from getting out of their shortcomings after Qisheng volunteered to pay the money back. He claimed that it was only to prove that the current system has flaws and to demonstrate it’s weaknesses and that he never meant to steal the money.
The authorities, however, decided that there was enough evidence to take to court, where it was agreed that the withdrawals were deemed malicious. Qisheng was sentenced to 10 years in jail and to pay 11,000 yuan in fines. The authorities considered that if the act were indeed only to cast light on the situation and prove that there were weaknesses in the system, Qisheng wouldn’t have placed the money directly into his personal account or invested it.