The morning of July 8, 2016, began like any other in Thiruvananthapuram. The city had not waken up completely, the yellow streetlights still illuminated the Athara stretch as the cold monsoon winds caressed the leaves.
Three young men—tourists, it seemed, exploring God's Own Country—walked in casually into an ATM kiosk in Althara Junction. Nothing about them drew suspicion, as they blended into the rhythm of the city.
But behind their calm faces was precision.
This was their third visit to the same ATM in ten days. They had come earlier on June 30 and July 6.
No one noticed the small, round object they stuck to the ceiling—a camera disguised as a smoke detector. No one questioned, after all nothing about them screamed danger.
A few weeks later, the calls began.
Customers reported "mysterious withdrawals". At first, it looked like a banking glitch. But soon, over two dozen people complained of unauthorised transactions. All the complainants had a common factor uniting them: they had used the Althara ATM.
When investigators finally pieced together the puzzle, they realised Kerala had just witnessed its first international cyber heist.
The three men were Romanian nationals in their late twenties, part of a sophisticated global network involved in ATM skimming across Asia and Europe.
After arriving in the city in late June, they checked into separate hotels, hired scooters, and began scouting ATMs that had weak security.
They installed a hidden skimming device inside the ATM and a pinhole camera to record keystrokes. Over the next several days, hundreds of customers unknowingly fed data from their cards into the gang's system.
Once they had enough information, the trio left Kerala, cloned the stolen cards, and began withdrawing money from ATMs in Mumbai's Worli area.
In total, over Rs 3.5 lakh vanished before anyone realised what had happened.
In what is called as "one of the best-probed cybercrime cases" in Kerala's history the state police's Cyberdome wing, working with technical experts from Technopark, tracked the gang's movements and gathered crucial digital evidence.
It paid off. Within days, police arrested Ilie Gabriel Marian from Mumbai, one of the men seen in CCTV footage attaching a router to the ATM. He was brought back to Thiruvananthapuram, charged under multiple sections of the Information Technology Act, and later convicted.
"This was a first-of-its-kind case in Kerala. We had to adapt quickly, coordinate with global agencies, and depend heavily on digital forensics. The Interpol alert helped us track down one of the accused in Nicaragua, who was later handed over to us. The case even received an award from Nasscom as the best investigated cybercrime case," then state police chief Loknath Behera told TNIE.
But Marian's capture was just one piece of a much larger puzzle.
The alleged kingpin, Ianut Alexander Marino, was later tracked to Nicaragua through an Interpol alert and briefly detained in 2018 only to escape after securing bail. Several others remain absconding.
In August 2025, nearly nine years after the heist, a legal officer attached to the case received a notice from the UK Red Warrant Division.
One of the accused, Constantine Christian Victor, had reportedly been traced in the UK. Extradition proceedings are now underway.
On his extradition to India, the legal official says, "Once procedures are completed and the accused is brought back to the state, the pending charges will be reopened and will be produced before the court."
"Since he was absconding during the initial proceedings, a separate trial process will follow, which may include custodial interrogation and framing of charges," he adds.
The case was split into seven FIRs, each covering specific instances of unauthorised transactions and data theft. Marian was convicted under the IT Act but acquitted of forgery charges under the IPC. The trial stretched nearly four years, with frequent adjournments, difficulties in bringing expert witnesses, and complex coordination with central agencies.
The special public prosecutor Dileep Sathyan, who appeared for the case, described it as one of the toughest trials of his career.
"It went on for 44 months, including the Covid period. It was hard to bring witnesses. Seven cases were being heard together. But we proved the charges under Sections 66 and 43 of the IT Act," he says.
Though the sentence was relatively short, Marian had already spent enough time in custody to walk free once the verdict was delivered.
On Victor’s extradition to India, the legal official says, “Once procedures are completed and the accused is brought back to the state, the pending charges will be reopened and will be produced before the court.”
“Since he was absconding during the initial proceedings, a separate trial process will follow, which may include custodial interrogation and framing of charges,” he adds.
Even today, the Althara ATM heist remains a turning point in Kerala’s digital security landscape. It exposed glaring vulnerabilities in ATM infrastructure and forced financial institutions to take cyber threats seriously.Nearly a decade later, the Althara heist continues to cast a long shadow over Kerala’s digital landscape. It changed how not just the state but the nation viewed cybercrime.
