Over the past few years, scammers have increasingly siphoned cash off of digital payment networks, stealing hundreds of millions of dollars so far. Not only is the problem hard to contain; new findings show that it’s evolving and maturing, with new types of ATM malware on the rise.

Researchers at the Kaspersky Security Analyst Summit in Singapore are presenting findings on Wednesday about a new wave of payment system scams. Beyond so-called jackpotting attacks, which cause individual ATMs to spit out money, hackers are manipulating ATM networks and the digital authentication checks in the machines to cash out fraudulent transfers they initiate around the globe.

Hackers have hit a variety of financial platforms—including Mexico’s domestic money transfer system SPEI—in payment systems frauds in recent years. But the majority of the scams target the international payment network SWIFT, which transfers trillions of dollars per day. Numerous notorious digital bank heists, like a whopping $81 million stolen in Bangladesh in 2016 and $10 million stolen in Chile last year, have shown how vulnerable digital payment networks can be.

But attackers are now using the same types of transaction manipulations in unexpected places, like ATM networks, to get around new defenses while still using the same types of strategies that have already raked in a steady stream of cash.

SWIFT services are essentially massive messaging systems that automatically check and process transactions between individuals or entities and their financial institutions. SWIFT has long maintained that attackers didn’t compromise its core infrastructure in these high-profile attacks, and that the problems stem instead from weaknesses in local bank networks. Still, the organization has invested heavily in developing security mechanisms and required controls for third-party financial networks that interoperate with SWIFT.

These system architecture improvements, combined with tailored monitoring to flag and block more fraudulent fund transfers, have inspired scammers to innovate in kind. In an attack on India’s Cosmos bank last August, hackers stole $13.5 million by infecting the bank’s ATM server with malware that retrieved customer information and their assigned SWIFT codes. Then they used this data to initiate thousands of transfers, both within India and in multiple other countries, where money mules cashed out the malicious transactions.

“We’ve seen diversification into targeting ATMs and the authorization mechanisms within ATMs,” says Saher Naumaan, a threat intelligence analyst at BAE Systems and one of the SAS presenters. “It shows that the attackers have been pretty invested in developing more implants, more malware, more types of SWIFT targeting and intrusions. And they’ve done a lot of research into the applications and the protocols, so they have very good and in-depth knowledge of those internal systems. They’re able to manipulate a lot of parts of the banking system.”

These new ATM attacks differ from jackpotting in that hackers are fabricating transactions and authorizing withdrawals, or impersonating account holders to drain their funds. Specifically, Naumaan notes that the attackers essentially take over the “approved list” of which card numbers in a bank’s network are authorized to take out cash.

For years one of the most prolific perpetrators of digital bank heists has appeared to be the North Korea-backed hacking group known as Lazarus. Numerous threat intelligence firms that have been tracking digital bank fraud and the malware used to perpetrate it have found links to the notorious gang. Naumaan says that similar potential ties exist in the new generation of ATM network attacks as well.

In their incident response work with banks, BAE Systems analysts repeatedly noticed that the victim networks they were studying were infected with both a malware dubbed GraceWire and known Lazarus malware tools. The researchers also found possible links between GraceWire and a well-known financially motivated criminal hacking gang called TA505. Though Naumaan says it is too early to draw definitive conclusions about these overlaps, it’s possible that Lazarus has been contracting with TA505 or other groups to gain access to financial networks.

“There is kind of a central theory that’s being considered that TA505 may be the one to compromise the network and get the initial access and then sell that access to Lazarus,” Naumaan says. “This would be interesting because in most of these fraud incidents we didn’t know the intrusion vector—that was one of the biggest unknowns.”

Naumaan notes that as the global banking industry tightens its network defenses, attackers will develop new techniques to execute their attacks. In one 2017 incident tied to Lazarus, for example, the group targeted a Taiwanese bank to steal cash at the same time that they planted a ransomware infection in the bank’s networks. Researchers speculate that attackers may increasingly rely on distraction and other methods of hiding their intent to execute attacks. And scammers will continue to find new types of local and interbank connections that may be under-secured to target.

Attackers are evolving quickly to chase the trillions of dollars in digital cash that fly around the internet every day, but higher network security standards and more extensive fraud monitoring have at least made it harder to catch transaction systems by surprise.

More Great WIRED Stories