Imagine you’re a low-wage worker in India who is offered a day’s employment as an extra in a Bollywood film. Your role? To go to a cash point and withdraw some money.

In 2018, several men in Maharashtra state thought they were accepting a bit-part in a movie – but in fact they were being tricked into being money mules, collecting cash in an ambitious bank heist.

The raid took place over a weekend in August 2018, and centred on Cosmos Co-operative Bank, which has its headquarters in Pune.

On a quiet Saturday afternoon, staff in the bank’s head office suddenly received a string of alarming messages.

They were from the card payment company Visa in the United States, warning it could see thousands of demands flooding in for large cash withdrawals from ATMs – by people apparently using Cosmos Bank cards.

But when the Cosmos team checked their own systems, they saw no abnormal transactions.

About half an hour later, just to be safe, they authorised Visa to stop all transactions from Cosmos Bank cards. This delay would turn out to be extremely costly.

The next day, Visa shared the full list of suspect transactions with the Cosmos head office: about 12,000 separate withdrawals from different ATMs around the world.

The bank had lost nearly $14m (£11.5m).

Warning: This article contains spoilers for the Lazarus Heist podcast

It was an audacious crime characterised by its grand scale and meticulous synchronisation. Criminals had plundered ATMs in 28 different countries, including the United States, the UK, the United Arab Emirates and Russia. It all happened in the space of just two hours and 13 minutes – an extraordinary global flash mob of crime.

Eventually, investigators would trace its origins back to a shadowy group of hackers who had pulled off a succession of previous stings seemingly at the behest of the North Korean state.

But before they knew the wider picture, investigators at the Maharashtra cyber-crime unit were amazed to see CCTV footage of dozens of men walking up to a series of cashpoints, inserting bank cards and stuffing the notes into bags.

“We were not aware of a money mule network like this,” says Insp Gen Brijesh Singh, who led the investigation.

One gang had a handler who was monitoring the ATM transactions in real time on a laptop, Singh says. CCTV footage showed that whenever a money mule tried to keep some of the cash for himself, the handler would spot it and give him a hard slap.

Using the CCTV footage as well as mobile phone data from the areas near the ATMs, the Indian investigators were able to arrest 18 suspects in the weeks after the raid. Most are now in prison, awaiting trial.

Singh says these men weren’t hardened crooks. Among those arrested were a waiter, a driver and a shoe-maker. Another had a pharmacy degree.

“They were gentle people,” he says.

Despite this, he thinks that by the time the raid happened, even the men recruited as “extras” knew what they were really doing.

But did they know who they were working for?

Investigators believe that the secretive and isolated state of North Korea was behind the heist.

Hackers, North Korea and billions of dollars.

Listen to The Lazarus Heist from the BBC World Service with Jean Lee and Geoff White

North Korea is one of the poorest nations in the world, yet a significant portion of its limited resources goes toward the building of nuclear weapons and ballistic missiles, activity that is banned by the UN Security Council. As a result, the UN has placed the country under onerous sanctions, making trade highly restrictive.

Since coming to power 11 years ago, North Korean leader Kim Jong Un has overseen an unprecedented campaign of weapons testing, including four nuclear tests and several provocative bids to test-launch intercontinental missiles.

North Korean leader Kim Jong-un inspects nuclear warheads.

US authorities believe North Korea’s government is using a group of elite hackers to break into banks and financial institutions around the world to steal the money it needs to keep the economy afloat and finance the weapons programme.

The hackers, nicknamed the Lazarus Group, are believed to belong to a unit directed by North Korea’s powerful military intelligence agency, the Reconnaissance General Bureau.

Cyber-security experts named the hackers after the biblical figure Lazarus, who comes back from the dead – because once their viruses get inside computer networks, they are almost impossible to kill off.

The group first sprang to international prominence when then-US President Barack Obama accused North Korea of hacking into Sony Pictures Entertainment’s computer network in 2014. The FBI accused hackers of waging the damaging cyber-attack in retaliation for “The Interview”, a comedy that depicted the assassination of Kim Jong Un.

Workers remove a poster for “The Interview” from a billboard in Hollywood, California, December 18, 2014, a day after Sony announced it was cancelling the movie’s Christmas release due to a terrorist threat.

The Lazarus Group has since been accused of trying to steal $1bn (£815m) from Bangladesh’s central bank in 2016, and of launching the WannaCry cyber-attack, which attempted to extract ransoms from victims around the world, including the NHS in Britain.