HARRIS COUNTY, Texas – In a groundbreaking case that has sent shockwaves through the financial crime investigation community, nearly a quarter of a million dollars disappeared from ATMs across Texas in just four days. Authorities in Harris County have now connected this audacious theft—dubbed “jackpotting”—to an organized criminal group with ties to Russia, marking it as a first-of-its-kind incident in the region.
The theft, which targeted over 70 ATMs in cities including Houston, Dallas, Austin, and San Antonio, represents a new frontier in financial crime. “There are other types of theft from ATMs that happen, but nothing like this,” said Detective Roger Collins of the Houston Police Department, who is assigned to the U.S. Secret Service Cyber Fraud Task Force. “It was never something that could be done remotely—until now.”
The spree began last September when the Houston area saw its first wave of jackpotting attacks. In a matter of hours, 51 ATMs were hit, resulting in over $150,000 stolen. By the end of the four-day rampage, the group is believed to have amassed more than $236,000, according to exclusive data shared with KPRC 2. Unlike traditional ATM thefts, this method leaves no trace in bank accounts, placing the financial burden squarely on the owners of the machines—often small businesses like gas stations and hotels.
Surveillance footage, also shared exclusively with KPRC 2, reveals suspects using rented cars and focusing intently on their cell phones while at the cash machines. Detective Collins explained the process: “All they need is a receipt, which they can find in nearby trash or by pulling a balance. They then take a picture of the receipt and send it to someone else—someone we believe is overseas—initiating the hack.”
This remote manipulation tricks the ATM into dispensing cash without recording a withdrawal. “The hack makes the ATM think a normal transaction was canceled, but the money is gone, and no bank account is ever affected,” Collins said. “They just keep doing it over and over until it can’t spit money out anymore.”
Seven individuals have been charged in connection with the heist, with arrests spanning multiple states. Two were apprehended in Harris County, one was arrested in Las Vegas and extradited, two are in custody in Miami, and two remain at large. The alleged U.S. leader, Vitalii Moravel, a 32-year-old Ukrainian war refugee on a humanitarian visa, faces similar charges in Georgia and Florida. According to Detective Collins, Moravel receives instructions from a “big boss” in Russia, underscoring the international scope of the operation.
The charged suspects include:
– Vitalii Moravel, 32: A Ukrainian national in the U.S. on a humanitarian visa, arrested and currently jailed in Miami on similar charges.
– Roman Leskiv, 28: Wanted on Harris County charges, arrested and jailed in Miami on related offenses.
– Andriy Ivano, 32: A non-U.S. citizen from Ukraine and truck driver from Illinois, arrested in Las Vegas, extradited to Harris County, pled guilty to a third-degree money services act violation, and received two years of community supervision.
– Alexey Kharitonov, 50: A non-U.S. citizen from Russia, arrested on similar charges in Gwinnett County, Georgia; currently on bond in both states and proclaimed “innocent” by his attorney.
– Mirsaftar Asgarov, 34: A non-U.S. citizen from Azerbaijan and Houston-area locksmith; his case was dismissed on March 13 due to insufficient evidence.
– Aibek Karabalayev, 38: Wanted on Harris County charges filed in February, last known address in Illinois.
– Alexey Zubov, 38: Wanted on Harris County charges filed in late February, last known address in Illinois.
At least five additional suspects remain unidentified, and flight records suggest potential links to similar crimes in New York, Boston, and Ohio.
The operation’s financial structure is as intricate as its execution. Individuals at the ATMs reportedly receive 30% of the stolen cash, while Moravel takes 70%, much of which is believed to be converted into cryptocurrency. “Some have stated that it’s sent back to ‘The Big Boss’ via courier,” Collins said. “We’ve even received one report that he actually has flown into the United States to pick up cash. They work together just like anybody in any other business.”
This conversion to digital currency complicates efforts to trace and recover the funds, adding another layer of difficulty for investigators.
The exact mechanics of the hacking attacks remain elusive. “Someone has taken a lot of time to learn how to compromise and overtake these systems from a long way away,” Collins noted. While the technical details are unclear, the sophistication of the scheme suggests a high level of expertise and coordination.
No definitive solution to prevent such attacks has been identified, leaving ATM owners and operators vulnerable. Collins advised heightened vigilance: “Ensure machines are under surveillance and report any suspicious activity—like lingering individuals or multiple transactions—to law enforcement.”
While jackpotting has not yet spread west of Texas, Dallas recently experienced another wave of attacks. “They’re getting better every day,” Collins warned. “This is not going to be an isolated incident. It’s not the last place it’s going to happen. It’s going to continue.”
For now, the investigation presses on, with authorities racing to identify the remaining suspects and dismantle the network. As Harris County grapples with this unprecedented crime wave, the case serves as a stark reminder of the evolving challenges in combating cyber-enabled financial crime—and the global reach of those willing to exploit it.