Programmer finds ridiculous ATM flaw that let him withdraw $1 million in cash

It sounds like something straight out of a movie: an unsatisfied bank programmer discovers the perfect scheme for making an ATM spit out free money.

But apparently, this story is true: The South China Morning Post and China’s Daily Economic News report that 43-year-old Qin Qisheng managed to withdraw over 7 million yuan (upwards of $1 million USD) from ATMs operated by his employer, Huaxia Bank — all by exploiting a crazy flaw.

According to the reports, the bank’s system didn’t properly record withdrawals made around midnight — effectively spitting out cash without removing the total from a user’s account. Normally, that might send up a red flag that a transaction had failed, but Qisheng allegedly inserted scripts into the system that suppressed those alerts.

Qisheng started pulling out money in November 2016, but it wasn’t until January 2018, some 1,358 withdrawals later, that the bank discovered the bad code in its system and brought him to the authorities.

Perhaps the most surprising part of this story: the bank didn’t want to keep pressing charges once he’d returned the money. Maybe fearing the bad publicity (apparently the flaw has already been fixed), Huaxia Bank reportedly asked police to drop the case — reportedly accepting Qisheng’s explanation that he was merely testing the bank’s security and was holding onto the money for the bank to reclaim. As one does.

The courts refused, though, and Qisheng is now looking at 10 and a half years in prison after losing his appeal. They didn’t buy the argument, considering that he’d moved the money to his personal bank account, instead of the bank’s dummy account, and had apparently been investing some in the stock market, too.

We’ve seen some big, coordinated ATM heists in recent years, and the FBI has warned of more, but it’s a little more fun to imagine this one guy saving up his ill-gotten gains for a retirement like none other.


Normally, that might send up a red flag that a transaction had failed, but Qisheng allegedly inserted scripts into the system that suppressed those alerts.


The bank accepted his explanation that he had simply been trying to test its internal security and the cash was just resting in his own account before he returned it to his employers.

And da bank wanna drop the charges?

They most definitely wanted to hush it up to avoid a PR disaster

Since the guy had moved the money to his personal account and was investing with it, how would tossing him into the clink be a PR disaster? (It wouldn’t be in the U.S.)

It would be a PR disaster for the bank’s customers as they lose faith in any bank stupid enough to let this happen and withdraw all their accounts. I’m sure this could cost them a lot more than $1 million. That’s chump change as PR disasters go. Would YOU want to entrust your money to that bank? I wouldn’t.

If he really wanted to steal it, he would have fled the country. Investing in stocks would help him make up the bank’s forgone interest on the money. We need more security researchers, not less, certainly not vilify them like we do.

If he had gone to the media before performing the exploit, he may have been prosecuted with nothing to show for it. The spoils gave him leverage. We need civil rights laws protecting security researchers with guidelines on how to operate all the laws we have on cybersecurity are designed to punish.

I tend to think he didn’t scram due to him being really stupid which is a lot more plausible explanation than that he was trying to do the bank a favor (cue hysterical laughter).

If he were really stupid he would have bought a ferrari…

Wow!!! Are you really naive enough to believe he wasn’t doing this for personal gain? It’s not like he did it once and reported it. He did it again and again and continued to do it until he got busted.

He lost $0 of the money he got… the damage/harm here is speculative. Do you know how hard it is to have a ton of money and not spend any of it?

and had apparently been investing some in the stock market, too

Amateur. Just short the bank’s stock, then publicly disclose the security flaw.

Then he’d probably just be assassinated…

Too late. That’s why they didn’t press charges. They are going to take care of it themselves. Harder to get him if he is in jail.

This almost seems like on of the ads I usually see on The Verge

"The banks hate him"

"How to make 1 million with this one simple trick!"

They should’ve actually used those clickbait titles, and amazingly the article would actually justify the use of said title.

I hate to be pedantic, but is there some reason this would be referred to as a loophole rather than a vulnerability?

TBH, I’ve used them interchangeably, and preferred loophole here because it used fewer characters in an already fairly lengthy headline. Is there a good reason to prefer vulnerability?

I wasn’t sure was just curious. I guess I’m just used to the term in use when it comes to things like contracts. Whereas this appears to be a software flaw. However, admittedly the words as you say do appear pretty interchangeable.

Loophole feels more like finding some kind of exploit in a written contract or rule. Vulnerability seems to be the preferred verbiage when it comes to software, and exploit also works similarly.

Don’t think there’s anything strictly wrong with your use though.

How about "exploit"? It has one less letter than "loophole" and is generally understood to refer to security vulnerabilities.

i would say it’s not a loophole nor a vulnerability: it’s a known issue that had remediation in place, the programmer altered the software to disable the checks the bank had to avoid this from happening.

if there’s a vulnerability it’s in the fact that he was able to push malicious code to a banking production environment without anyone noticing (especially if the code was placed on the ATMs themselves, updating ATM software is not a simple process and often involves manual updates on the machines).

I feel like "loophole" was chosen because it’s sounds more like something your average reader can do.

Using an "atm loophole" to get free cash sounds like a pretty easy repeatable process. Maybe I can do it too. CLICK lol

"Loophole" implies that what he was doing was legal and while not in the spirit of the rules/law, not technically breaking them. It’s very misleading to use it in this case.

Interesting. I will check on this later, would not want to send that message even if I find this story fun.

I’ve come around to this perspective entirely, and so I changed the word to "flaw."

Appreciate the feedback, all!

View All Comments
Back to top ↑