Judicial Blockchain Alliance and Four Major Cases


1. First Bank ATM Hacking and Cash Theft Case


Background

At 8:00 p.m. on July 10, 2016, at the Guting Branch, a member of the public noticed that the person standing in front of the ATM was not making a withdrawal, yet the machine kept dispensing banknotes.

On July 11, 2016, First Bank received a string of reports from its branches of ATM cash shortages. The total amount stolen came to NT$83,277,600.

Method and Intrusion Path

CCTV footage showed unidentified individuals in hats and masks loitering in front of First Bank ATMs at several locations. The ATMs dispensed cash continuously for 5 to 10 minutes with nobody operating them; the individuals packed the cash into backpacks and left.

The London branch was one of the endpoints through which the hackers got in. The theft malware was set to activate in July and to expire after that.

Through digital forensics, cyber forensics personnel found that the malware used to empty the First Bank ATMs had a date-triggered activation feature rarely seen in malware: it would only work when run in July 2016. To cover their tracks, the malware also used Microsoft's built-in "sdelete.exe" deletion function to wipe its footprints.

Forensic Findings and Technical Reconstruction

The ATMs were controlled by internal hosts running Windows XP. Forensic examination of the evidence preserved on those hosts turned up suspicious execution records.

Digital traces from 41 ATMs allowed investigators to reconstruct the method used by the multinational hacker group "COBALT":

  1. STEP 1: Break into the First Bank intranet.
  2. STEP 2: Move laterally through the intranet to the London branch's telephone recording host.
  3. STEP 3: Enable the ATM's FTP connection service.
  4. STEP 4: Connect the ATM to the FTP server.
  5. STEP 5: Download the cash-dispensing program and the deletion program.
  6. STEP 6: Execute the cash dispensing.
  7. STEP 7: Delete the downloaded programs.

Remote Operation and Mule Coordination

The hackers operated the ATMs remotely by sending cash-dispensing commands; the group planned everything behind the scenes and hired money mules to pick up the cash. A mule would wait in front of a designated ATM. At the agreed time the hackers remotely sent the "cassette open/close" command and confirmed by mobile phone that the mule was at the right machine (that is, the mule could see the cassette opening and closing); they then sent the "dispense cash" command, and the mule collected the banknotes the ATM pushed out and left.

International Cooperation and Arrests

The MJIB pursued cross-border cooperation and handed its findings to EUROPOL. With assistance from the FBI, Romania, Taiwan, Belarus and other countries, the head of the criminal group was arrested in Spain in 2018. MJIB intelligence proved decisive: one of the main suspects in the First Bank ATM theft case was caught in Spain.


2. New Site Group Loan Fraud Case


Scale of the Case

New Site Group was an import-export trader with a 25-year history and capital of NT$329 million. Its heads, the married couple Yang Wen-hu and Wang Yin-chih, were suspected of directing employees to forge documents and defrauding 12 banks of as much as NT$47.2 billion, the largest bank loan fraud in Taiwan's history.

Forensic Breakthrough: The Coaching Manual

During mobile phone forensic recovery, investigators found an important photo in Lin Yi-ru's chat records. It showed a whiteboard covered with a "coaching manual" on how to answer judicial investigators. Forensic personnel obtained the latitude and longitude from the photo's metadata, located the place where it was taken as a defense lawyer's office, and so confirmed that the lawyer had coached the parties to collude on testimony and destroy evidence.

Data Recovery: Computers Seized at Guanghua Digital Plaza

The MJIB seized two reset, non-bootable computers from Guanghua Digital Plaza and sent them to the Cyber Forensics Laboratory for deleted-data recovery. The lab successfully restored the file lists and found documents such as New Site employee names, company letters of credit and company loan receipts, establishing that New Site personnel had deliberately destroyed evidence.

Tracing the Money: The Safe Deposit Box Photo

A photo of a safe deposit box on the mobile phone of the New Site family's daughter exposed her boyfriend's role in hiding NT$6 million. Using the latitude and longitude in the photo's metadata, investigators traced it to the Zhongshan Branch of Taiwan Cooperative Bank.
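The geolocation step behind both photo findings above (the whiteboard and the safe deposit box), written as an added example that is not the MJIB's tooling: a minimal parser for the GPS IFD of a TIFF/EXIF block (the structure a JPEG carries in its APP1 segment) that turns the degrees/minutes/seconds rationals and hemisphere references into signed decimal coordinates. The sample blob and its coordinates are constructed, and the builder exists only to produce offline test input.

```python
import struct

GPS_IFD, LAT_REF, LAT, LON_REF, LON = 0x8825, 0x0001, 0x0002, 0x0003, 0x0004  # EXIF tag numbers

def build_sample_exif(lat_dms, lat_ref, lon_dms, lon_ref):
    """Construct a minimal little-endian TIFF/EXIF blob that carries only the four GPS tags."""
    ifd0, gps, data = 8, 26, 80                         # IFD0, GPS IFD and rational-data offsets
    out = b"II" + struct.pack("<HI", 42, ifd0)
    out += struct.pack("<HHHII", 1, GPS_IFD, 4, 1, gps) + b"\0\0\0\0"   # IFD0: one LONG entry, no next IFD
    out += struct.pack("<H", 4)                         # GPS IFD: four entries
    out += struct.pack("<HHI", LAT_REF, 2, 2) + lat_ref.encode().ljust(4, b"\0")  # ASCII stored inline
    out += struct.pack("<HHII", LAT, 5, 3, data)        # three RATIONALs stored at `data`
    out += struct.pack("<HHI", LON_REF, 2, 2) + lon_ref.encode().ljust(4, b"\0")
    out += struct.pack("<HHII", LON, 5, 3, data + 24) + b"\0\0\0\0"
    for num, den in lat_dms + lon_dms:
        out += struct.pack("<II", num, den)
    return out

def extract_gps(exif):
    """Walk IFD0 to the GPS IFD; return (lat, lon) in decimal degrees, or None if absent."""
    end = {b"II": "<", b"MM": ">"}.get(exif[:2])
    if end is None or struct.unpack_from(end + "H", exif, 2)[0] != 42:
        return None                                     # not a TIFF header
    def entries(off):                                   # 12-byte entries: tag, type, count, value/offset
        n = struct.unpack_from(end + "H", exif, off)[0]
        return [struct.unpack_from(end + "HHII", exif, off + 2 + 12 * i) for i in range(n)]
    ifd0 = struct.unpack_from(end + "I", exif, 4)[0]
    gps_off = next((v for tag, _, _, v in entries(ifd0) if tag == GPS_IFD), None)
    if gps_off is None:
        return None                                     # photo carries no GPS block
    tags = {}
    for tag, typ, cnt, val in entries(gps_off):
        if typ == 2 and cnt <= 4:                        # short ASCII lives inline in the value field
            tags[tag] = struct.pack(end + "I", val)[:cnt].rstrip(b"\0").decode()
        elif typ == 5:                                   # RATIONAL: cnt (num, den) pairs at offset val
            raw = struct.unpack_from(end + "II" * cnt, exif, val)
            tags[tag] = list(zip(raw[::2], raw[1::2]))
    if any(t not in tags for t in (LAT, LAT_REF, LON, LON_REF)):
        return None
    return dms_to_decimal(tags[LAT], tags[LAT_REF]), dms_to_decimal(tags[LON], tags[LON_REF])

def dms_to_decimal(dms, ref):
    """(deg, min, sec) rationals -> signed decimal degrees; S and W hemispheres are negative."""
    deg, minutes, sec = (n / d for n, d in dms)
    value = deg + minutes / 60 + sec / 3600
    return -value if ref in ("S", "W") else value

# Constructed sample coordinates; not the real location from either case.
SAMPLE_EXIF = build_sample_exif([(25, 1), (3, 1), (0, 1)], "N", [(121, 1), (31, 1), (1200, 100)], "E")
```

Real photos usually carry many more GPS tags (altitude, timestamp, processing method), so an evidentiary workflow should record the raw tag values alongside the converted coordinates.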

Verdict

The Supreme Court rejected the appeal and the case became final. Yang Wen-hu was sentenced to 25 years and Wang Yin-chih to 27 years.


3. USDT Coin Theft Case


Origin of the Case

In November 2020, a domestic cryptocurrency dealer found during a routine audit of its trading system that specific individuals had exploited a design flaw to repeatedly over-withdraw Tether (USDT), Ether (ETH) and other virtual currencies, causing the platform losses of more than NT$10 million.

Investigation and Searches

After the Cyber Security Investigation Office gathered evidence together with the dealer, the MJIB executed searches at nine locations in January 2021 and seized a batch of criminal tools and digital evidence. The task force reviewed thousands of IP addresses and the related money flows.

Forensic Finding: The Key Action

Forensic examination of mobile device artifacts revealed the theft method: pressing the "Confirm transaction" and "Cancel transaction" buttons within a very short interval of each other.
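As an added illustration (not code from the MJIB page or from the affected platform), the model below shows why a withdrawal handler that checks a request's status and then acts on it without atomicity lets a Confirm and a Cancel arriving almost simultaneously both succeed, refunding the reservation while also paying out the coins, and how a single locked compare-and-set on the status closes that window. All class names and amounts are constructed; the `interleave` hook stands in for the second request landing mid-handler.

```python
import threading

class Platform:  # constructed stand-in for the exchange's ledger, not the platform's code
    def __init__(self, balance):
        self.balance, self.paid_out = balance, 0  # user balance held; coins sent on-chain
        self.lock = threading.Lock()

class VulnerableWithdrawal:
    """Check-then-act without atomicity: Confirm and Cancel can both pass the PENDING check."""
    def __init__(self, platform, amount):
        self.p, self.amount, self.status = platform, amount, "PENDING"
        platform.balance -= amount                  # reserved when the request is created
    def confirm(self, interleave=None):
        if self.status != "PENDING":
            return False
        if interleave:
            interleave()                            # other button's request lands here
        self.status = "CONFIRMED"
        self.p.paid_out += self.amount              # coins leave the platform
        return True
    def cancel(self):
        if self.status != "PENDING":
            return False
        self.status = "CANCELLED"
        self.p.balance += self.amount               # reservation refunded
        return True

class SafeWithdrawal(VulnerableWithdrawal):  # same API; PENDING -> final is one locked compare-and-set
    def _transition(self, new_status):
        with self.p.lock:
            if self.status != "PENDING":
                return False
            self.status = new_status
            return True
    def confirm(self, interleave=None):
        if not self._transition("CONFIRMED"):
            return False
        if interleave:
            interleave()                            # a late Cancel now finds it already final
        self.p.paid_out += self.amount
        return True
    def cancel(self):
        if not self._transition("CANCELLED"):
            return False
        self.p.balance += self.amount
        return True

def run_scenario(cls, balance=1000, amount=100):
    """Race Confirm against Cancel on one request; returns (balance, paid_out)."""
    p = Platform(balance)
    w = cls(p, amount)
    w.confirm(interleave=w.cancel)
    return p.balance, p.paid_out
```

In the vulnerable model the balance ends where it started while coins have still been paid out; the same invariant (refund or payout, never both) is what a reconciliation job should assert over withdrawal records.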

Key Evidence in the Notes App

Forensic examination of the main suspect's phone found a note containing account names and passwords for major virtual currency exchanges, including ACE, MAX, BitoPro and Binance. Cross-checking these against the abnormal wallet addresses supplied by the dealer confirmed that the addresses belonged to the main suspect.


4. SMS Scam and Online Banking Theft Case


Scam Method: Spoofed Text Messages

People frequently receive text messages from unknown senders that pose as shipping notices from shops and include a link to "check delivery progress." The criminals built scam messages around pretexts such as the "real-name mask purchase system" to harvest account names and passwords and enable mobile micropayment services.

Malware Implant (Trojan)

If the recipient taps the link, the phone is implanted with a malicious program named "chrome.apk", which silently uploads the victim's online banking credentials, credit card details and other information to the cloud.

Unauthorized Transfers and Card Fraud

The fraudsters then used VPNs to log in to the victims' online banking with the stolen credentials and make transfers to non-preauthorized accounts, or intercepted credit card transaction passwords to make fraudulent charges. Forensic analysis rated the alert level as "Severe."

Scale of Losses

In July and August 2020, the group logged in to 14 online banking customers' accounts from unspecified IP addresses and transferred out NT$943,768, which it used to buy SMS credits and send more scam messages, harvesting still more victims' data.

Closing message: "Don't let curiosity get the better of you; don't click on random links in text messages."


Cyber Crime Prevention


  • Preventing cyber and computer crimes, proactively uncovering leads, assisting all MJIB units in detecting computer crimes, providing related investigation techniques, and analyzing digital evidence.
  • Building an information system environment to support investigations and improve effectiveness; promoting and delivering educational training for the prevention of computer crimes.
  • Developing strategies for preventing computer crimes that emphasize both prevention and investigation; establishing domestic and international cooperation channels for jointly combating cyber and computer crimes.
  • Collecting information on threats to computer and cyber security and promptly notifying compromised government agencies, private companies, important organizations and others; investigating the sources, paths and modus operandi of the threats and then prosecuting the criminals; going to the locations of "command and control servers" to conduct large-scale searches for other compromised government agencies and private companies.
  • Enhancing cybercrime investigation capabilities, both by training special agents to advance their evidence collection skills and by providing them with state-of-the-art tools, equipment and innovative methods; combating cross-border cybercrime by working with law enforcement agencies around the world on mutual legal assistance, criminal intelligence exchange and assistance in criminal investigations.

MJIB Cyber Forensics Laboratory


  • The MJIB Cyber Forensics Laboratory was established in December 2006. It earned ISO/IEC 17025 accreditation from the Taiwan Accreditation Foundation (TAF) on November 28, 2013, and was the first accredited digital forensics laboratory in the field of "data recovery" in Taiwan. The Lab will work to maintain the validity of its accreditation and expand its scope.
  • Digital evidence forensics: All examiners are professionally trained and certified, well experienced, and each has an individual specialty. On request from courts, prosecutors' offices and MJIB field units, they examine digital evidence and submit reports. The Lab's forensic examination caseload grows by 20% annually.
  • Organizational learning: To strengthen digital evidence preservation and initial examination capabilities, and to build standard procedures for MJIB field units, we held more than 50 organizational learning sessions from 2013 to 2015. We also plan to establish forensic laboratories in our six field divisions in Taiwan's six special municipalities.

The Cyber Forensics Laboratory of the MJIB was established in December 2006 to build up the country's digital forensics capability. It is devoted to retrieving, collecting and analyzing digital evidence. Today the Lab not only supports the collection of digital evidence at crime scenes but also provides forensic reports to judges and prosecutors. In 2013 it became the first "Digital Forensic Laboratory" accredited to ISO/IEC 17025 by the Taiwan Accreditation Foundation (TAF).


The Projects of CFL:

  1. Examiners are well experienced and each has individual specialist skills. On request from the courts, prosecutors' offices and the Bureau's field units, they examine digital evidence and issue reports. Forensic cases increase by 20% yearly.
  2. Conduct internal education and training, and organizational learning for the information security teams in field units.
  3. Apply for science and technology research programs.
  4. Maintain the Lab's accreditation and enlarge its scope.

The Objectives of CFL:

  1. Assist courts, public prosecutors' offices and the field offices of the MJIB in fighting crime and effectively improving the detection rate, in order to protect national security and ensure the interests of the people.
  2. Promote and enhance information security forensic skills to improve the handling of seized digital evidence and ensure the credibility of digital evidence.
  3. Maintain laboratory quality certification, stimulate domestic capacity and advance research and development of key technologies in the digital forensics industry.
  4. Participate in domestic and foreign seminars and promote exchanges and cooperation to build and enhance the image of the MJIB.