The first phase of the attack took place on weekdays: members of the group scouted ATMs, specifically targeting 24-hour cash machines that could be manipulated. After locating an ATM, they tampered with the machine to gain access to its CD-ROM drive, which was then used to plant the malware. The group deactivated all existing alarm systems with duct tape. The malware, planted on weekdays, began functioning on the weekend. Once it was planted on an ATM, the group sent commands to the malware, instructing the machine to dispense cash automatically.
The group's characteristic method was to dispense cash in small transactions of $1000 rather than emptying the machines in one go. Once the machine had dispensed all its cash, the malware would automatically be removed from the machine. Since these attacks cause serious harm to ATMs, the European ATM Security Team (EAST) and Europol published guidelines last year to help law enforcement and the industry counter the threat. In September, security firms started reporting two new malware families. One of these, known as GreenDispenser, is similar to Tyupkin in that it uses the machine’s PIN pad to empty the vault. The other, called Suceful, captures cards inserted by cardholders into ATMs.